hxxps://drive[.]google[.]com/file/d/1cELFQDCMUcnSHB3k096v-_DSCz6A42cJ/view

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1cELFQDCMUcnSHB3k096v-_DSCz6A42cJ/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
7	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
3448	msedge.exe
3448	msedge.exe
3528	identity_helper.exe
3528	identity_helper.exe
5156	msedge.exe
5156	msedge.exe
5156	msedge.exe
5156	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4392	3448	msedge.exe	84
PID 3448 wrote to memory of 4392	3448	msedge.exe	84
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 872	3448	msedge.exe	85
PID 3448 wrote to memory of 4896	3448	msedge.exe	86
PID 3448 wrote to memory of 4896	3448	msedge.exe	86
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87
PID 3448 wrote to memory of 2876	3448	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1cELFQDCMUcnSHB3k096v-_DSCz6A42cJ/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe9e246f8,0x7fffe9e24708,0x7fffe9e24718
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,9273074948643983306,15284592008438216031,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4992 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
17e996ee8c7e41ca31e5ffbe8de38260

SHA1
6823315f6973fb9f6cc229312de4430e9e1968c1

SHA256
6e0cc2bbd16c441e7ea832e6565d94f4eeec4d8351d6125ea56d071d2556a046

SHA512
7b3c923dd5e2f9ccefe0b2476aa639512be9bca67ce56ec37b57d9d4c8c95c80c240bbbe1bdc0260c4c3618260ff7e3059b41eb6b0c36ec156ea399f0c5b2ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
788977a1e639a7cac4f77d3c06a21531

SHA1
edbaf2b5906f800001296fe8b2ed643b15238cd4

SHA256
479d50f3997880a195e92ffc81d95e3a94c4009801c2f462ff8811b8339b271d

SHA512
c4a258f18e5b7b3d6262b94920baf09929ef3c1a27b9b9afa7234fc9348053fac24ac2b560453e2c055e266f06ba9d2ccdfe6b7c4da42640cb8007d47d305807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
86198bfeea2faf6fc58e92f3d0390e12

SHA1
880e99dd48aed63c4206c1e2d890432c9779f398

SHA256
c96cf317019f0b76ac1498f531d2ca073135a090affba903e79cc3ff902da1e4

SHA512
b2c53aa976fb498bd62fbde6a4e0474442d2eee61277309afbe9f16892569c6dd293d9bf99b9151a631bf1cec89d38919defdef853f5cae6a99508a3682d5e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3c2a33c974e6b436b31e9b16535cf62d

SHA1
58b090b65a86fa47161ac7abbb8fbc7c8e369b8e

SHA256
0c98f78f07d9755d7546d590cdb2968bbf383ae3ef07b80f9f5e44197e37f50a

SHA512
d57a1e8d504af063b8cd833ab4df17973e3aeb07928eb9c7f86f0500431d983e76770e3b178b6c515d955b5b38e3146efd0b04fc034be14607a053ab23c116eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
196cd40835cd1719ea9c8c59d2b8e3d0

SHA1
6ea0ef68ef51ec3546296fdf140785e86654c2f2

SHA256
9da8008151eb154dd54b86fec792c544ca27f750a5f505dd54f30b9716f947c1

SHA512
e515aeb83e406e74a660e21b20e2dc18b52564d410449ed3e58048e1796bfd443c1af2f39587ea9b75480888d679a9be411fd8cd8ed4fd39690a5f24b2b06952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ddea6a3cb276fa5d40f3dcccce4c025c

SHA1
aee9819a7fd36ba6f6cc1f8641905b502395b613

SHA256
53c63b0e9ea28c4fac90e45a6d555384e07e84b3b169bc8bc7204c9d382a6452

SHA512
11544b58187d52d24981e90cdfadd50ac9beaaad9e5c625608441681b85597b44cee2fd2c51360161d0dd746ea83a9bc0729e9d16eeb38064410ea02a370dc1b

Download Submit