hxxps://drive[.]google[.]com/file/d/1wBIk-f24WkicX6n2dFQL7Ya4MBjSx4Dr/view

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1wBIk-f24WkicX6n2dFQL7Ya4MBjSx4Dr/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
17	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
2308	msedge.exe
2308	msedge.exe
4816	identity_helper.exe
4816	identity_helper.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 4564	2308	msedge.exe	84
PID 2308 wrote to memory of 4564	2308	msedge.exe	84
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 5064	2308	msedge.exe	85
PID 2308 wrote to memory of 1480	2308	msedge.exe	86
PID 2308 wrote to memory of 1480	2308	msedge.exe	86
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87
PID 2308 wrote to memory of 2872	2308	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1wBIk-f24WkicX6n2dFQL7Ya4MBjSx4Dr/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff869e46f8,0x7fff869e4708,0x7fff869e4718
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,14938158699802193065,15455785081299659724,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5396 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
a995b64915259442d28ae369017319c8

SHA1
828a177c028e4b9b843db198b2b3de8f9ea9e1e8

SHA256
d1e39fdae3b12827611d802533d269d8827c0d372414ded5f55a6738321f12c8

SHA512
d0d476388e2f137bfa4ca691a1df36a8dbc131513bcbdfe2e409b38520d7ba60c4686aa4ff8ebded02a18ff881b9d3ab1200e927a17bd453127f6b976d10e349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
dafdaa264bc9016da95ca8bbc62beb85

SHA1
e02b453e7119441edf0e187d883f6f99987201c0

SHA256
c5aa99d3f5aa588a9a1b37ffe881d5bf63084f1d5be0057633b4306eaa5bb0dc

SHA512
1d463fc6c3be9b333ab518c7481108e96545043b7a7ccf0828babf1a2a631fcceee011cba91e0b17301efed5b53d6734feb2c038b25acca4dfc571f17a064cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
705475f4ed5d38b6854abfcf3301bfb4

SHA1
4496b5decb5fe03c6678800096c5b06a7f31b8c6

SHA256
e375c7dffb8fbcb2f0f9b46d0a2b22b9cec5bfc810d1c78815b5b83ce42967a5

SHA512
cd9e3d1dcfcd5857f03741db4ce0299609ee9414e9cf415532e9b0d574af0044485b1cdb2098fa1a343098e9581535a852a24bb5de47b6241ed30e345bdc5494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bff14444871192d2c48918095f546e8d

SHA1
b158353ba0c2349b452a917ccfbead47f4f6bfe1

SHA256
624afb89c2b3b1b49bf5cebbe9428f409c1c8bff1456849fa750dd155d0f0ef1

SHA512
8e0cf6b5cc8608444d160e74a4fe41b0e1fd234b6d2246a33326f0e1b6b529bff7496c82984e4b3a1b081368d687b8aba9b42b3d73a29bef8a147fb0c0d70e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5ff4649ed6c2529a39616225407e6e01

SHA1
78e9008183d3f0174fa81e7fbf609168f9f68628

SHA256
fa84c44f2e3bc4d06c2ff28c08e1cd8b4ee6885be5e9b4b386430a2aa951ce3e

SHA512
e4cc90ba7b1496ec35f2816b05f43ad6c427bcc4df9d2debf1ecc8d8b1e9b5f649496ff237eb9a874b39b72c18113a0090f5734893d9771653e026a087e6f8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
e57285273c5b86d635ac26ffd6a545d5

SHA1
799060da5790bccad4a15eb3ed8308aa692fa214

SHA256
f96861905c380afb8e1370d9fa202778b7cac1b285e6a5474b5e4167f60b6531

SHA512
9e3cab01f0cd1e1aabf3e49f3a5bb1afc24519915eb417f5e5d30093663d9d33514feaa1a99837a376e20c41e16d4c48939907a1e55f09be4b0a8c07987ea112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c484.TMP

Filesize
203B

MD5
2afedc4c959bb30d0680c8ab503a5928

SHA1
5be512cc34a948c44e00ccd7326d7f4b557fa422

SHA256
0dfd66ca809baca981b665ed01b98ef063818d54823ee546ab81f6769cab1eed

SHA512
22ba0d38259c28f4347b3243b4122c4c1450f69f7d7fb8811338dcd8181e75b91682ff3b90d0491c5665ee848b3cfa1e362af9744796fd9b6ab4834a66113c23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9901c4892e2e67ed852b39b3eb170bfb

SHA1
942f14b85f90932fb94902c5bf6c3c4b103b8a0e

SHA256
2a12e0143cbfab494627806ee62cd18790f5d119268d03c20f3fd4f3f52c02f4

SHA512
88d772460357b773b0f24c182cbe099c9519660a5860f2ddad69f6075ddd576896a23f25ca1b990aa9e4156cf36fda807cb032f0e64a6433a235ee22c3461ac7

Download Submit