hxxps://drive[.]google[.]com/file/d/1h20zIxZFOVoyDqcMz__aAjg7zBJwnFuR/view?usp=drive_link

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1h20zIxZFOVoyDqcMz__aAjg7zBJwnFuR/view?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
2472	msedge.exe
2472	msedge.exe
4464	identity_helper.exe
4464	identity_helper.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1524	2472	msedge.exe	83
PID 2472 wrote to memory of 1524	2472	msedge.exe	83
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 2380	2472	msedge.exe	84
PID 2472 wrote to memory of 384	2472	msedge.exe	85
PID 2472 wrote to memory of 384	2472	msedge.exe	85
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86
PID 2472 wrote to memory of 3384	2472	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1h20zIxZFOVoyDqcMz__aAjg7zBJwnFuR/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcad9f46f8,0x7ffcad9f4708,0x7ffcad9f4718
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5076973484582351796,7020672833704783718,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4952 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
c0183adf1559f22dde03ca55a1118a39

SHA1
4309ae785b3660144644e231acbb24517229e251

SHA256
b09f280461868c9467d00869c276eedf18102ee0ff0dabf8a70beb135016fda4

SHA512
173b3b52098be2608a182a9d2415fac66fc71bed5be219ede240f6427215bc3078d7c9364422e0e7d141f1799f72db3d351f818ee1263796a65c054555d3c12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
62c7ee8a38da0543ae6249ca9d33641a

SHA1
70fa008182173a8e80a27a3f95414f28ccfd1abc

SHA256
5c4582739665f7ef9ac01f8390069ab285a7034149a2461ca2cc4f40537cf9dc

SHA512
eb16b8f53121a6f0d28903a5b969c902affc3f22d13de833de6e2820bc14e701cbc45249e1c9a477f27f8d65b63eb9d860d880ba5d710f138423de2015c01c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
91287efe89bc80435b18dade09fa78e2

SHA1
396c1de27379346a940ee5c85ff2812701340440

SHA256
cc5bad9d0d93198386d3e09468c40de44418a2bafb7c6ecbd05cf887cd40b427

SHA512
9a6e84ef816c3c0b22db3992dc1b871b510faee2499a8bfbd1725d062f9663fa3e27c7168bdec60b9f3a8e98c02665a89be77b94426f9162c11c0ba704725f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
642fccb7d706a82dfc4231c2842a3696

SHA1
018fdf68e87d333a521dbc4a23d8eb1086654358

SHA256
e288ade87681bf4757d68d1651a18ed854b3e7de18bd7839f4bdbad72d2f4893

SHA512
cc6b104831f2f64aaeaa565072f01fbfbf038d44b835822777eb6a8140b150f9d6a2c852acff4563fca86fcfca2a9abb6eba136e2997433db9b311a1871fba7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9be7fc4dfd713f7c2c3c4b1f292dd0f8

SHA1
527033874efcc75c426137a5ce9672d375d805fd

SHA256
4f32c7ea5b079e15fbb3b2224a29dcd16ab900477aec263ce1781cd574dd062c

SHA512
be265d4b9016d62c503d4df7b516a684930754467632270a3b62fa6e07d757a56b58d6e0f945e4eb1f40e2793db19e27f17132463ab1af8546d58b4c1f8c11a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1730efa1b5fbc8e8f6fdf1800668295e

SHA1
fc77f492c081455f977f58a7f80062e49badced0

SHA256
0f9d8c0462886b1bf632624f9591e0f0054a7bc7a6a4edef0351c586a1a10399

SHA512
879e6fd26b7943ec750db2589c6d6c73e609cca798e62c5a1d6145c4acfee76c073760fbe5f5e385f638e7d2fc976010b225f34a196dad42a24f6543bbe48e53

Download Submit