Overview

overview

6

Static

static

1

URLScan

urlscan

1

https://drive.google...

windows10-2004-x64

6

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2024 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://drive.google.com/uc?id=13GcL47wYT-uIofyROKnVhdx1p9_QfApr&export=download

Score
6/10
discovery

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 11 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=13GcL47wYT-uIofyROKnVhdx1p9_QfApr&export=download
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb382446f8,0x7ffb38244708,0x7ffb38244718
      2⤵
        PID:4056
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        2⤵
          PID:2148
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1468
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
          2⤵
            PID:2456
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
            2⤵
              PID:2756
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
              2⤵
                PID:1992
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5016 /prefetch:8
                2⤵
                  PID:4364
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
                  2⤵
                    PID:4380
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3156
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
                    2⤵
                      PID:1828
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4160
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
                      2⤵
                        PID:2880
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
                        2⤵
                          PID:1104
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
                          2⤵
                            PID:4324
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
                            2⤵
                              PID:3172
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4816115551618926786,17320951929052249577,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4976 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4480
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:3612
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1172
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:5604
                                • C:\Windows\system32\mspaint.exe
                                  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\CliniqueMonSourire_Logo_FR_Turq-Gris.png" /ForceBootstrapPaint3D
                                  1⤵
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5784
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
                                  1⤵
                                  • Drops file in System32 directory
                                  PID:5832
                                • C:\Windows\system32\OpenWith.exe
                                  C:\Windows\system32\OpenWith.exe -Embedding
                                  1⤵
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5968
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
                                  1⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2064
                                  • C:\Windows\system32\dashost.exe
                                    dashost.exe {e5fd5ac2-1aa9-40c3-820983cb936ce6a5}
                                    2⤵
                                      PID:4072
                                  • C:\Windows\system32\OpenWith.exe
                                    C:\Windows\system32\OpenWith.exe -Embedding
                                    1⤵
                                    • Modifies registry class
                                    • Suspicious behavior: GetForegroundWindowSpam
                                    • Suspicious use of SetWindowsHookEx
                                    PID:4548
                                    • C:\Program Files\Internet Explorer\iexplore.exe
                                      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\CliniqueMonSourire_Logo_FR_Turq-Gris.png
                                      2⤵
                                      • Modifies Internet Explorer settings
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1100
                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1100 CREDAT:17410 /prefetch:2
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies Internet Explorer settings
                                        • Suspicious use of SetWindowsHookEx
                                        PID:5520

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    fab8d8d865e33fe195732aa7dcb91c30

                                    SHA1

                                    2637e832f38acc70af3e511f5eba80fbd7461f2c

                                    SHA256

                                    1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

                                    SHA512

                                    39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    36988ca14952e1848e81a959880ea217

                                    SHA1

                                    a0482ef725657760502c2d1a5abe0bb37aebaadb

                                    SHA256

                                    d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

                                    SHA512

                                    d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                    Filesize

                                    512B

                                    MD5

                                    ed0fb4683c86c92cea700dbd2f2d84f2

                                    SHA1

                                    942f1aa5e224495fd9685f80e29469ce2632b367

                                    SHA256

                                    cbc8536eb00542d5b6ccf294c9b729acaa67a5bca3d890288f39ce228c2e5254

                                    SHA512

                                    673d60ba678c51a7cab3c9650e8231ddeb0eef06fd931ca4332d2bb0db8111b88d0b1e7aa440fb82363ee8ac77af53c85727cd88877cc3b71c2228822bc0bd43

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    296ca655811758ba52b45910df851935

                                    SHA1

                                    4b49d9be95fc88856b1aa75de92e892e55616719

                                    SHA256

                                    4f99174e60a637c8db97102396d8b18c75d7c30c36a1a7e41fc2635384573030

                                    SHA512

                                    e135feb31d3db691d621eb4de6d8de403872fb38404c15307c679990159c51c16aa534cba660628d999169659e6dbf31b191898a7d3da3c42c646667b03b3407

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    ba4fe949a21b5b158a4548bc0d6b07fb

                                    SHA1

                                    7534bcba5fabd7de7e42db4ec9fda37a97afa202

                                    SHA256

                                    6f05ec12d719aaf8c2156fe6285886dc21a8860db0b0327ab27ca43b1c5fe162

                                    SHA512

                                    bd0cc87bea880a70063095037a5dc42c4fcea27899b2e1597a5c1c92c83cfbc059952660f922c71b318b02e473b7badeb86edfe1354f4e09daed89fa7e43028e

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    9f039f3c56e61801a971096c561c930d

                                    SHA1

                                    1016b6f5766c54b6ef8cd37148468cc220903240

                                    SHA256

                                    b8bb53142ba8371939936825d91afd2573060fe725a432aac57f56ca15d94dde

                                    SHA512

                                    c076cec74f4765736a79dca8b6bb0f133303ae44071463bddda5f509baaa42488011d3f023c5c2d027e3d6b4b85d071af8754f11c2269c357272c541c32b91f2

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    b884f7386c1f8c132d8f8888fd2fa937

                                    SHA1

                                    90fc9c3ae9d210bcdd3736e03d2a1292fccdcc7e

                                    SHA256

                                    bb5b3b44b21fcc82741768a1bc38aa3bf09a0e1da387cbfa7f2fe71b45ba9e91

                                    SHA512

                                    62765f27af2075bb6ea522d4ec4b11047e284e855e5502f10e33b6cc6e6c37aa0bb80fc38ef7e0ce916c96aa812e9284093defabc4e3dd7d516edcbd50e15bad

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US
                                    Filesize

                                    17KB

                                    MD5

                                    5a34cb996293fde2cb7a4ac89587393a

                                    SHA1

                                    3c96c993500690d1a77873cd62bc639b3a10653f

                                    SHA256

                                    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                    SHA512

                                    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                                    Download Submit

                                  • C:\Users\Admin\Downloads\CliniqueMonSourire_Logo_FR_Turq-Gris.png
                                    Filesize

                                    35KB

                                    MD5

                                    14f5d64b46c002ace4706a1b6ac536f5

                                    SHA1

                                    eea236652726566928f20194a5fcb84901b0361a

                                    SHA256

                                    6daf870effcae8f2640afd1c8a46b514f9afca0af4cd3366c84ed83c6c555a5a

                                    SHA512

                                    9dbaf1e2c6948b82c93bf344e889ce2565dce20070892529c760277db5f64e15a4eb0167e7a43f5b3408fc11cb981dc9dafaf497fadfa2ad883e0c8c750e1c2b

                                    Download Submit

                                  • memory/5832-89-0x00000197B43A0000-0x00000197B43B0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/5832-98-0x00000197BC6F0000-0x00000197BC6F1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5832-100-0x00000197BC6F0000-0x00000197BC6F1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5832-101-0x00000197BC780000-0x00000197BC781000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5832-102-0x00000197BC780000-0x00000197BC781000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5832-103-0x00000197BC790000-0x00000197BC791000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5832-104-0x00000197BC790000-0x00000197BC791000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5832-96-0x00000197BC670000-0x00000197BC671000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/5832-85-0x00000197B4360000-0x00000197B4370000-memory.dmp

                                    Filesize

                                    64KB

                                    Download