hxxps://drive[.]google[.]com/file/d/1wK6_FGXh4wh2_40-R17BBrfMGOQAYQdJ/preview

Resubmissions

01-11-2024 14:04

241101-rdcy1szla1 6

31-10-2024 14:42

241031-r25c6szfla 6

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1wK6_FGXh4wh2_40-R17BBrfMGOQAYQdJ/preview

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
4828	msedge.exe
4828	msedge.exe
4004	identity_helper.exe
4004	identity_helper.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe
2164	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 1008	4828	msedge.exe	84
PID 4828 wrote to memory of 1008	4828	msedge.exe	84
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 2572	4828	msedge.exe	85
PID 4828 wrote to memory of 1620	4828	msedge.exe	86
PID 4828 wrote to memory of 1620	4828	msedge.exe	86
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87
PID 4828 wrote to memory of 2456	4828	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1wK6_FGXh4wh2_40-R17BBrfMGOQAYQdJ/preview
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82df446f8,0x7ff82df44708,0x7ff82df44718
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,10980318364906578287,17129713876700204686,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
c953ff51cdc5fcb3bf01e80369cd6f44

SHA1
7bb823e113f3ebf88d9dbc0a3f2a978775fd2e08

SHA256
47268482708bc8c917f7b6f99e2d5ebc6666e4680d64f863b4eb4fc3ae21efb1

SHA512
080b292b37313562e40f58d65271a62b27787e95467b0274f21d4863ab3e94873254958910209d4ca68f00edaa907a1a2be99f9ad6ffaf971b0ba4a6a96f2190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
bf9116c883b852ceb7a08af2067f4144

SHA1
60f2c266dfdb10665de53203ff9c0173fde3347f

SHA256
71a8890e073dd3ab6ef08a311be63093fb758071ede4322330b0aab082b376ed

SHA512
b1749d0dcd7080bfc8b8b166b15a14af64dc1cd9afb277a9c757ef16ca317c0cc72d4f20a50fd34481960f701c42b0a133249e3e298a4149c24044a5c07533b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ec8b0fffa3ff9c9710c81358490a49b9

SHA1
7dff6a7672bc55c67c5bdbb04fbbf6623e848d74

SHA256
79e615abe5e80a223a67b56035e48fc9ae2f3a15dc5e01cf09675a0e7f62830c

SHA512
63e6372988ed65838637e54250593fdbbeeefb26c1c26cb975c41faf1b982689a5688ed794013bf02a301d79c1de210caecf2adf6555c97aa39093dce72a4c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2cf1e15c0d037bf683deef95a368454

SHA1
e4ff8492f63e1a7a349a34eaa7d944de69a1d23b

SHA256
e9275f9edee3a00c97672a2e8c3677a398e30b2a3c747ef421646c21b8b88c77

SHA512
9d9df2307dae96bca824dacdf24354b0c94fe8d6e54315a8a948bd75f3df5ca3e2a26935a04bea6679d8d057eebfcb6c7558e151b768938a34248ac6cfae1554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a36b28178994ee4e4805914d4c16ac5b

SHA1
38caac3c198e0cca54e60d756af3c60cf213e73a

SHA256
a4e338a7ac14539bda58a10eb21f475ee7ed500485c9de9d3825e99f2fe1b386

SHA512
5f511d1631be61e0d49c97e4ffc55fb37a00ec8d93d0ecdc4aedd569eeae44eda63ab2c66100490263be32c329c787199f3b893ef3e86df3595dcff29e738bc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0c316e523f7577db75f50af9b0b41cea

SHA1
4037107d943ef5bcdb136ccedfcd05bbcdd09f4d

SHA256
e255766daa7388ae5fe73cebe549e694a83ff6d5131fb1a4b01f4216c5446379

SHA512
cfc1f989f0bcec16a4d59e195bbf92df09c53b64634662703703d0aab0359901bbc0960e36b7acdeceaaa598208fd138f44443419d80f5636ccf5a1b9476c06a

Download Submit