Analysis

max time kernel: 145s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 05:33

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com?authuser=0
Resource: win10v2004-20241007-en

General

Target: https://drive.google.com?authuser=0
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 5: drive.google.com
  flow 8: drive.google.com
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 1184 msedge.exe (2 entries)
  pid 1056 msedge.exe (2 entries)
  pid 1860 identity_helper.exe (2 entries)
  pid 4608 msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid 1056 msedge.exe (7 entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid 1056 msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
  pid 1056 msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs; collapsed to distinct entries, each repeated in the original)
  PID 1056 (msedge.exe) wrote to memory of 2288, procid_target 83 (2 entries)
  PID 1056 (msedge.exe) wrote to memory of 3516, procid_target 84
  PID 1056 (msedge.exe) wrote to memory of 1184, procid_target 85 (2 entries)
  PID 1056 (msedge.exe) wrote to memory of 4700, procid_target 86
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com?authuser=0
  PID: 1056
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcf3146f8,0x7ffdcf314708,0x7ffdcf314718
    PID: 2288

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    PID: 3516

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
    PID: 1184
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    PID: 4700

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    PID: 4836

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    PID: 1756

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
    PID: 3052

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
    PID: 1580

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
    PID: 1860
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
    PID: 684

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
    PID: 2816

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
    PID: 1476

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
    PID: 800

  Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17633788487599451044,5384339876173427355,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    PID: 4608
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4968

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3568
Network
MITRE ATT&CK Enterprise v15
Downloads