Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
20-12-2024 13:29
General
-
Target
https://drive.google.com/uc?export=download&id=1mHtC1mrhoQNs0xcgm2XuX7dtu9EPYac6
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 5 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/uc?export=download&id=1mHtC1mrhoQNs0xcgm2XuX7dtu9EPYac61⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbc3933cb8,0x7ffbc3933cc8,0x7ffbc3933cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5232 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,12704722341567647195,13357918885991278406,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6532 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5554d6d27186fa7d6762d95dde7a17584
SHA193ea7b20b8fae384cf0be0d65e4295097112fdca
SHA2562fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb
SHA51257d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7
-
Filesize
152B
MD5a28bb0d36049e72d00393056dce10a26
SHA1c753387b64cc15c0efc80084da393acdb4fc01d0
SHA256684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1
SHA51220940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7
-
Filesize
796B
MD5490466a9db4d2ec8fe17135b1c7e4a86
SHA1d0ea736d710f10e6b6ba0493e688c5de30622b9b
SHA2561d3b1afc22f96f68bf9bb94dc93cc52c11ea04fe7f997b42b40ddf4915d88211
SHA512dab96abf95fb1e93f96eb14d2f170ff81060109180b1667783fbeb890630e6576f8c4c95a287cbedcfacadc6fbaa573e1dc5a4dae2af121e60e85ba18e3c3a70
-
Filesize
796B
MD5f08551deb921a03639caed8eec032b4b
SHA1ebf2a30de62a5145c998fa9b018c861e6b948238
SHA256dd8783c297eb1ad29b18def8ae56c658733e61af84b92ac9b49bf09fb3438bb4
SHA51285169e554012ce7b0a089da92929c89faa402c859444c581a273ba8c6224d642cc5064cd1cec04c04808e68ad854de4d445c6c3406d5ac8e0109631db051c222
-
Filesize
5KB
MD55f20ec4f7ed7f25a5f3a09c0fa5fcb53
SHA1a643d32db247a44c83de65c5fcb0cff987018c22
SHA25691f26268b05ea37764e35cd34f49ae0ce4b9ad6572029d2a88eb6673d7bb209f
SHA512abdb39ae90883e82f71450b35966cd5842f1793208f3e75691d1d3e87beeaf1656be845f4a5b0ed3f2f6e5146a87cfbf60e651264480312d2e993f8ff14e96f9
-
Filesize
6KB
MD5f3679044d703209df394ffcf0833de48
SHA14926519981827077b65ed5690b40362a66c3a227
SHA25673cafcec68651d011d0f52cd7cb46019c744dfab05cdc7935d2afe5aedb6c532
SHA51203cee90d9d4f8e96775666aeeb13e97a90416eae977ac8d371152cc0ebeb16390e81151f3063220845c961133aa0d6ff5ad5860c56763d1611394347a16c25a8
-
Filesize
5KB
MD5649abefecac4d3b57f50fbfecbe87e0d
SHA1ca4f6588b405b0284af6813a1eaef530f321eece
SHA256bff4d7b6cf577c5d657aa57eac52187db100d6bdf5d914e3f4cc2152641a96de
SHA512438641215d43f537a074921ad42aa99cfded37a2e5345df5e8a7451b2489121e60c0c4d1254894db6485402f5a4237aac3444f8fe8dae078bb5ca5600a1c5cb0
-
Filesize
371B
MD5ddefaff36d366aa61339c1d34a716fd2
SHA1bd342fce1c3d67373ba57af9b9f3a58acd6c3715
SHA256ce28a401db2d6632032aaa23454bcc5007e1e481ff3e243576d7f1bd05df353c
SHA5121ad6ee300fc2c3252c2b99174d3e5b8368d1565ecc2d431edc97451a454138ddda1842923d931968081a3b16992d4b69eabf24dc95a3cd41d2cbdb876e350dc2
-
Filesize
371B
MD5647278b1cf7777e1ea5cb16712489326
SHA1cdce0925a158b031b32b9faaabdd7b1446db7ca6
SHA256e7c42c18cb5f8e91dbc58a563831b3ff30e294c7a2518c3bbec1495c1a03c9f9
SHA51242ae956366862857054a38de19009a280dc4f59593a723edcbfd19e267111e2db9833efc8b962e4d0f250d972f26bbd15102b41885647ffe845d113bd12883ce
-
Filesize
371B
MD54a3e80369a84bf498d08d66c2a979e5b
SHA1873fe0821c11c0e9c1c9cf93540c6976b5830709
SHA25632319a6078ec311171dcdebc78c07535dc5d446ed698d765228ea617aad260bd
SHA51223553d05fc4db65fb06f32e8d0a025283960e39ca14c94928b15d602cd64f8c975f84b98ca15b93b6b33bad7923e9bfd3736eb5dc9cbea31998dcbfc086d81ef
-
Filesize
6KB
MD5645df763033c91e07e47a30fb0f32c9f
SHA10ac70e7e36bc563ef566a89685dad8884f879aa4
SHA2560aac8f9b3bcc6639315a8b5c13f3f6812b1d67718c478039087e5ccd049d47fb
SHA512e5cccd8cccfaffa1732cfc3d446d3f7dca144e3da0ae6ea761e5a402a2ce95427162117472307812029cca26a3e7b5aaf850b013906e71a3f0fd2ffc41ee9708
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD581260fbd80831c607995de60dee68b02
SHA1f0094f6677ce0f3fe3664c38c3bd6356abacb5c1
SHA256c5649d77eb8c9072df968fbabe7f56218300806ba1599c3742e8bd8fddab2dea
SHA512ecb79e31d6e42792f5c24a416e77bb9b5f6c79ffdca2e5cbc74591b64801e4d943f7c04dec7f6030dbadab26bf2227d38409b02383cc9eee3fedc9cd086c84f0
-
Filesize
10KB
MD5f8b022de1b7455826923f8c0bc057e55
SHA1cf9f852b68959ab6380187601136c56922297c80
SHA256f5405196a6a705f810fc3a644910004ce0d58f086666f9eab6a88e46453aa56b
SHA51266271b7faf6d5415b4bc1dee0b1f9fc9effa9246534458f9ac497488f59b40ec30fdb8c72f9516d2a8e8b472142d5655f604171a02612432ada20c47b4f58314
-
Filesize
555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
10KB
MD5ad7a569bafd3a938fe348f531b8ef332
SHA17fdd2f52d07640047bb62e0f3d3c946ddd85c227
SHA256f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309
SHA512b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423
-
Filesize
3KB
MD55bcb8e487276e3bdba5fb5e0e297ba6f
SHA1edd4b6952705cac5c2682c979cb65f2b9d592bf6
SHA2566c06103dd966dd9726439afeedb23d8546ebf4c24d7df69ce11d1f204c56a9db
SHA5125b5eac909ba85bceb33886b714479a239f6a7ba91c03242e4d6026a69dedc06f3fafd78525d5139dba13a20d3e3722aaff6c05880267d5a1214a51f0aa87ed29
-
Filesize
134B
MD50fd478cb43458f6b48ac17ad666e6d06
SHA1f353e737d3e453dd46c716cd92b367a5779c3388
SHA256927c3d0b6c517e522d2cec19f6b57797e20bd4fd8146fe9016650c21c35e4df1
SHA512c79dd9ad762135217825fe614d7d40e6c11690eef600a28120a9cac2ab792314c53a22e25533df4f7bf4c2d556fb7eb7351c0c8e5b09225e1cd0ab6bfc836e3d