Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    06-12-2024 19:24

General

  • Target

    https://drive.google.com/file/d/1C0j9S5iZAqoOY1UtG3_iphUhGzK0VB3N/view?usp=sharing

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Browser Information Discovery (1 TTP)

    Enumerate browser information.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  • Suspicious use of FindShellTrayWindow (25 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1C0j9S5iZAqoOY1UtG3_iphUhGzK0VB3N/view?usp=sharing
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3464

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff895623cb8,0x7ff895623cc8,0x7ff895623cd8
      2⤵
      PID:2092

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1820 /prefetch:2
      2⤵
      PID:1100

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4648

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
      2⤵
      PID:1592

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      2⤵
      PID:1636

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      2⤵
      PID:4940

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3952

    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4876

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
      2⤵
      PID:5080

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
      2⤵
      PID:2216

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      2⤵
      PID:2752

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      2⤵
      PID:4840

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      2⤵
      PID:2132

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,8650983429006756784,1076723890629867300,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3796 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2260

  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4188

  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3292

  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: fdee96b970080ef7f5bfa5964075575e
    SHA1: 2c821998dc2674d291bfa83a4df46814f0c29ab4
    SHA256: a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0
    SHA512: 20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 46e6ad711a84b5dc7b30b75297d64875
    SHA1: 8ca343bfab1e2c04e67b9b16b8e06ba463b4f485
    SHA256: 77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f
    SHA512: 8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 816B
    MD5: 4547c62bc235a78f37b718dbe361ff65
    SHA1: 5eb44d96d27be653ed27e97d357464f45a2b6e80
    SHA256: a0e72dbd8f04ff416ef9f3cc020314a1837cde602b584c8b5f13c5ca0e6f1192
    SHA512: 1e191681359f4fb0f90239a0c2fe3d49407857b72a5d72a32d78fb0cea74cb48f02a73395bd6e4383dccb3ad8dcaf1f9edb1e85ffa68ea3cc895e4be4a0bea30

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 576B
    MD5: 4177acfc0c50e3cf52ddd00216f342f7
    SHA1: 675bb1e17ea20b0cfd9bf9c4cf7d5ae4a26d1565
    SHA256: 95a7c8c5f159f0324d51bc346bebe2771b6bc3984c085beed9a9e6f8d6ef43e3
    SHA512: 5a669b6d6b4d7f1ea813312039abc177b7889e5e66f1f16b81cb1d0523b9783431cd50b450468524ed5f52f376879583c285b0ea05406ebb4fb1d638ae25df01

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 1KB
    MD5: eae671572ca7649d0e401372fafd559f
    SHA1: 2233ab537459b0bf820927ee4f6c7ea55d079bb6
    SHA256: 66a52985bfe886797d7ad776af6289e7e872bbe8f8024b3cae72636069899714
    SHA512: 288196bd12b7b9c806bc4d7be5f380db6321441d45077d63dbd698c942a5ec79589c3b47a0849520eca6f1b5af62bec7e254d944448b5bd05b61d87921d06057

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 2KB
    MD5: 3cd3e51495544afd068ddf3817e2c46f
    SHA1: 49c27e2873c127bd9ac37e3f314dff5de4d4ba9b
    SHA256: 792f2e8f76b48964d4d90b700e2bcac1b4a047e37278f7c00953f71d57f5023b
    SHA512: 4d186bd400b9b678169d0d0a78dd3e12dd8ea74a7a12c69a25f69236a068f92beedd6d54970235c7c26d8135193dcb80a0d295da72d02c61b1cdbdd4769fe13a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 7KB
    MD5: 1adef75834c07e864a9bca25c1bfc28b
    SHA1: 58236b7217f2b1b777a42b7fe6de648c47d8ca6b
    SHA256: 84419a405798777c741d8e7e669b5f58e36291d6c96437adaa712f781409f7c8
    SHA512: 4bab737cd39f0728fa9178df4b26a1d70e8a4e7388c10fc370750edc5b84dd2379900409ab2af6ad1074cb2a7b98b1c7b39c09d6a48295adb778a52bf6916e2a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 873bd1f475093bd4dddee24abab01cc1
    SHA1: 05fc6ef941e08cf78a855e26774292f8151081ee
    SHA256: 7902793248985756daf63c8e324e5d33af34c19226d6e27585f133504b4b4d6e
    SHA512: 4b1c11f989114f50a498d9d5615ef82f55de9d1cab9ff89c717d37824ff22dd4b7a3c97e14453cc9a7869e211181c1bb22d8b1480c6cfca31a0ebbbc769ffe48

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: e18c706869509b831b4962405527a52c
    SHA1: 87cbd4b05730c6aa2a42639202e2af68da63f7f5
    SHA256: 5e7568d6359f32b5bf9845bc689b3460532bef09e4b380ca5a027514565d107f
    SHA512: 622b6feb124850ac7a41bf21cafffe0a2859dbd64d8bf262fee73275998523e96ab95c59e452f5c34d188c15f99824637cdccd8ddf9383551149928b9d33ddd7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 654e215e41663d0cb6abfb0e45d59da9
    SHA1: 520a4b8d9dec44ee4b72212dcb161cb322989479
    SHA256: cfd10bdbb289c55734d3d1170bed3e9087069d6faf81a3f8b3b605ac544e03dd
    SHA512: 470b7421d0ca45b1be02ec6fbad2f9d5c0cd9cbdd5716b7ff9c52dd02fbf09db50742e7bf3dc1de38fdf1793c7b2c68339169a35a788bcfdaafebdad13bae1b8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 371B
    MD5: c7986c182e48d02a60568ec69df0d6cb
    SHA1: 7a74776a89ff86097ea07d2cbded50200af03b66
    SHA256: 053316d31e206ad7aec82a873eefcc18c846b0dbfa1ab0e9ce9ce9e96c81363b
    SHA512: 59708a3093ca271972d5f562f61b9ee444346ced74ce2760f0413a58a8abaf1dee2760048e339c2976d208360319d613dca4745a86e20925fdf7c8102ca32e35

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 203B
    MD5: 8e51f79d9f843a60d94d9925d967ab99
    SHA1: 86819193e1bb36b94486e123d712b8b2705229f6
    SHA256: 4f01383baaaec5681b410a4863ce189f50c19a006bcba21ed0f591d569399f95
    SHA512: 6d5d7a98d23f166ccf744bb85010a545b53ca74e960559f60bfa65e2a2bc5de3fdd488347a10afbc09ee2222c14032063461944fac0913518526d9036569db33

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 203B
    MD5: 5c01e466b7357e351b40b988ea212cd7
    SHA1: 32b6f305cb95e1064d44e3a93225c5cf7cfebea4
    SHA256: d5bf3761f096d65c93da9f555de20bf4ff6eb5fdabbd80e8799189e3a22e6a02
    SHA512: c062fe804eb156bfbd0004636337e6cd2175a84f1aebe92fb47083b67f56c77e8c8d681cfd1e867820390aaa6b8d007015a3cd359e27463cd64de14fb240b39b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 203B
    MD5: 7332c1467715d804a21cd3645dc8c741
    SHA1: b06ba4669341123ecd5385a9d1340571c52e2405
    SHA256: e775af567a66a0d2441cc47681ceffb045a2754250a7f80f764fc0479f978e8f
    SHA512: cbabe50735a79c2fdfebc8e05414bca2e00b804a2e73a4b117ff90716ce399da4adecf2d3f1fe3c109de58e0d2f9732871ed54205f986bbfc64fcfe9dd9cab5a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580ea1.TMP
    Filesize: 203B
    MD5: 42e96437c4049014b4b3a183ed11512a
    SHA1: b3c0c9e31eda86c39ee34d527b6c71c2a3df7a61
    SHA256: c89570f0ae396ed84b72af9e6ee301806d430c0e10598bf2f3675d4ea3069185
    SHA512: c403023c957dae81a085ddc9707089633678e7c261e28cbbe7531e74b9dbd9ecb216c538bf50d84d00667dd2ad9fb4c6ccd88d49ae969caa520d87f85c5531b1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 9497d0beff63f88c3a251964f88ad943
    SHA1: 25f04d12f131ddb723f6480ef81e44905043d729
    SHA256: 223b0e54072f7b77367a169112eacebe5f960c7d2b0a10a8bee2a3faac2af9d1
    SHA512: 86a891b89856ea08b2f97fc6ac7fb74b3de1438aa8bc5c9f1942bee41ede7397c6297bdec58c177e1834be8a154e1d10892cc59c628292d4dadb6cf794e8260c