hxxps://filetransfer[.]io/data-package/GNYTSN8I/download

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filetransfer.io/data-package/GNYTSN8I/download

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
1528	msedge.exe
1528	msedge.exe
1468	identity_helper.exe
1468	identity_helper.exe
1680	msedge.exe
1680	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe
1528	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 608	1528	msedge.exe	84
PID 1528 wrote to memory of 608	1528	msedge.exe	84
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 1404	1528	msedge.exe	85
PID 1528 wrote to memory of 4728	1528	msedge.exe	86
PID 1528 wrote to memory of 4728	1528	msedge.exe	86
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87
PID 1528 wrote to memory of 812	1528	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filetransfer.io/data-package/GNYTSN8I/download
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xa4,0x108,0x7ff87af246f8,0x7ff87af24708,0x7ff87af24718
  2⤵
  PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=188 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10194411257266848848,18288978401790583655,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
183B

MD5
ee26fb9b735bec4573bf5bf389449442

SHA1
d21b10b203b077e673d6bcf321b75d09c69dc478

SHA256
077851d21462f6dfab2ba1e067901347a1694ad2903fa396a7349b20673b9813

SHA512
4d3af915116ea7e40c9afa80778e9af8864627c804ccde31b0fb4536f5783c74cb55ab8b6dd36a4f7d37bf9dee296f4c027c6ec95dd35054cc65b78f2b5462b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98efd2496af4c18282f310aea7dba259

SHA1
fe3f3e61d73646eab9c793efb757e77dc9cc9442

SHA256
514bcb7fbeadab4fc4e8bb3b307d421a3c890d560fcc92d6230549a5b5d76621

SHA512
c4286e200f62c70a4324d2561e702f1a8421abbf0de8656c5b51a85526c6284f3b4f86c2d05a4f1f68755aea81abd029cea7862372eeee583bd504e80b5edc12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af4cc12fda629c94065e1dcf85193360

SHA1
824a6f6fcf035a1692102f3c8561d75ec1e74979

SHA256
c1e0564c11a14489644f226488a0c6156d70147d529d65948b4335161c7064c1

SHA512
f1d32d211d3d754e668fc4b51a0691586c53e733526e5710644a74336d5e5e9b03e7d1419993ccf1bd98fd72d71b1b2e9af2d9b2f6558ad97dc7ccafc48819e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d6b76f86ffa91babbd5cf1b82e553b2f

SHA1
c9683642ed37d9b11cef153ce3b9b463f8b123c0

SHA256
94f0fc0c0f543cce9c606db36acd93473e2e42e3b7ca35ed2ad1068071052535

SHA512
35b36e8ed59d3bdca4534f359d73c43dd35a690cdd07fa0399133b1d5d19941fb102da1b7889538f0064b870ae9b6f2a4aa1c5593adae0a35b80f4d284cb6da1

Download Submit