hxxps://drive[.]google[.]com/file/d/1XXnoQKePn6pngTkajJnFgL9WAnC0eqJC/view

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1XXnoQKePn6pngTkajJnFgL9WAnC0eqJC/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
7	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3520	msedge.exe
3520	msedge.exe
2300	msedge.exe
2300	msedge.exe
2316	identity_helper.exe
2316	identity_helper.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3212	2300	msedge.exe	81
PID 2300 wrote to memory of 3212	2300	msedge.exe	81
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 2392	2300	msedge.exe	82
PID 2300 wrote to memory of 3520	2300	msedge.exe	83
PID 2300 wrote to memory of 3520	2300	msedge.exe	83
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84
PID 2300 wrote to memory of 1964	2300	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1XXnoQKePn6pngTkajJnFgL9WAnC0eqJC/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd314146f8,0x7ffd31414708,0x7ffd31414718
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,261416633760234765,5164478248994958945,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4992 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
f57e18f8743cbee57f26ba463a0f1fbc

SHA1
e9a9807608400d15fc71c126acbffd6fab04e709

SHA256
28d67f99e15c3948d9fa5cd72a89c369d5d7acee2704880804b98eeaa070ff3d

SHA512
a6d160d05081ba71629185c256d4e327de720d08928b194a06fd637fbb7613c502474460024318b9a302448e2dfbdfc144cab528f3fb3ca81166d31ee0fac398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5779ecc0ee3574e000ac3728ad2696d1

SHA1
c538632a0a6e3450f7754f629ab2123c63b4640d

SHA256
47228a2f53a930bd851b49d7ba51ab12cc3b01dba9678e0d4581945c91a73282

SHA512
39a108570fb232f24f09edcae673d5dd7fda0df131ae7a02262691fdf73ddedc8b7d90c0e68e07248fbe11ce0d89b5cfd9a4342778549f1d0845bb49b65ea3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
57b9b5cc37e39262e9397c622b3f5e3b

SHA1
c2c59df78f0b877fd8574d48ff2b96047228b784

SHA256
00c7d1335f16357bb9fa3a256f5d537995af012afcd0b7f08bb3d8298af63b38

SHA512
3d0fbe3679473001f5ae3b4fe7b91e0ebfd17ce16b5f916200128a0577b499e37bdf58915f9725f608ce269b4d1ef5b0312486b7873c7badad3e624137be92fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70adbf705d805d63ef24cab3a3ca63ea

SHA1
40299924c9fe10ca35512e0d2346fc0ebb64bf6f

SHA256
a178c34c87f46df4eaacbf7e434e6bd7b43f00f0ee37c51ad8b4875ec9b2fab2

SHA512
a78999f9beafb3779449fc37fe448e6470e52c6e948fff5d35b8ece4381ebeb1c0a8bc1d22cf595c8b40993a64944d37e8d83929e3847bf56368b97affcdcae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fa1bdcb285beda0413ccbea690ef697b

SHA1
4322ce32fb6537995edc810591c1a20e1144e3e8

SHA256
cf48d912aa3db208f116816fb86bd39fe82e20d48b2513d6708040d93c0d93f9

SHA512
dc12427e7f14e094073a5512256484a75d64ea1ade24853ced65f3c67d6c025fded1380541b1d01c1aa4c7c9984bef2fcf739bd0f4bcac5acc1d59e4f780ea2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
035a7a6ad2a2a295f674b660d1be2994

SHA1
dd3a7c5f1e1c97c6552105b09867d1f48ace927c

SHA256
bce9aa6d068fdf25f63b7afaaac71117bcb4cba8a4fde40988d54bc1287a9741

SHA512
9e992f1e1a6b9f70997ec42ffd96ab99e8b1678cfb79a5ec2f1ca0c3d1af6877510526410f04421f0a70e56a13254ad58f2c04403d916835caf0c255ca987c6c

Download Submit