hxxps://drive[.]google[.]com/file/d/1QVChnddOdZ0eLc2igEz4KjzjXSZ16uZI/preview

Analysis

max time kernel
16s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
19-09-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1QVChnddOdZ0eLc2igEz4KjzjXSZ16uZI/preview

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 3972	1092	msedge.exe	82
PID 1092 wrote to memory of 3972	1092	msedge.exe	82
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 1460	1092	msedge.exe	83
PID 1092 wrote to memory of 4236	1092	msedge.exe	84
PID 1092 wrote to memory of 4236	1092	msedge.exe	84
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85
PID 1092 wrote to memory of 1984	1092	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1QVChnddOdZ0eLc2igEz4KjzjXSZ16uZI/preview
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab9a946f8,0x7ffab9a94708,0x7ffab9a94718
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1239934338253461116,1840715244664615317,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1239934338253461116,1840715244664615317,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1239934338253461116,1840715244664615317,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1239934338253461116,1840715244664615317,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1239934338253461116,1840715244664615317,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f43165c54458bc3899a086cf8be897f6

SHA1
2261c49e9402202840677d695039431e36e688e0

SHA256
19ca6a8042aa6f3a282cce2404dd469e4bb0d61704c5169f5aadb7f1fd899e16

SHA512
ee445b35d6572787c3652fd19021ae4d91a94f68e99fc19324f6ca687a03cb301ce68e0cb3c1b217c642d4167aa82dd756b90d317be8f70f4ce85009a03cd433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32443024e96df00ed87cf684b6a684b3

SHA1
79e6ae6e0b08ccc753e289be181efe2ca2015b92

SHA256
d85681c27ee42e614dcd3015572bd7aaf5732c615dc60f91cbabdca3a92a9afe

SHA512
bd6281de9fe5e1d6e5b86781979c26841aa87f4c44d5f84e4ad8e75aceaedeebc6a704cdc45172c0b7f05eaa3f7c7b822aacba30b7613f4886ee9c1e6ea40676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7d6f8d3876d817224ab3e67362ece872

SHA1
1d27cb9f7241f0dd74aed9d9dbc7be207a362e0f

SHA256
cd24a0ff3ec1293ac792e93fb5891114fa7a05b8e9ec5b35718b47a0e484eb17

SHA512
e8e9e6bda664c323611c6a261119e4857048c3f81fd1bbdf03ed932fa65e67a66266e9b353eaf5aafd5479029cbb598538a7794c8a8e68216e940a8722df023e

Download Submit