hxxps://drive[.]google[.]com/file/d/1ly9J9lUrjEwBqF9dF8Fjn0TBS1GALxDF/view?usp=sharing

Analysis

max time kernel
46s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1ly9J9lUrjEwBqF9dF8Fjn0TBS1GALxDF/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
8	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3752	msedge.exe
3752	msedge.exe
2352	msedge.exe
2352	msedge.exe
1724	identity_helper.exe
1724	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1532	2352	msedge.exe	83
PID 2352 wrote to memory of 1532	2352	msedge.exe	83
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 4076	2352	msedge.exe	84
PID 2352 wrote to memory of 3752	2352	msedge.exe	85
PID 2352 wrote to memory of 3752	2352	msedge.exe	85
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86
PID 2352 wrote to memory of 3088	2352	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1ly9J9lUrjEwBqF9dF8Fjn0TBS1GALxDF/view?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe662046f8,0x7ffe66204708,0x7ffe66204718
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12001789646476670050,6160240449190588069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:2516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
f87b072e8e486aa89808248022bea6ee

SHA1
e8496c0585c862419e94e50466151ff55c79a230

SHA256
639547518845b1b1a61645ebe6b5802d34702b0b57ceb3623163e516b31e7fd7

SHA512
126b38f74355db3083e8766104a54d88d5e37e9fa347aaefa6878f3b61e7a3c3ad18f61bcacb8a78e889d4fa64c61c377e3b0143995a0214c7966eb16b630371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ce06171d22c14ae8899c55d8187e1417

SHA1
057b4c5ad4d955f015692a480ae9097b2fa2455b

SHA256
b9d18ccef4e892588bc953d9ea1e44d7e8f23fc747feb4e26674761f4a52154e

SHA512
0c4edbf0e2661993f30698cf5ec26ec55a03e159b18a408ed2ec79a077e9757595216263aaea80d9cf540c142a37b058bfd647361e90f178b230c3b767462776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae98f1d8b3d6261eb00b08da9935da63

SHA1
760c211d4aea57888fbb66b1422119cfeb2cdef4

SHA256
be040d8bf106c2e18e37bdad9614cb8794b0758ec0ac41e71eafc34694730dcd

SHA512
787dccdd4c2bb92a3ebd8fc2cebc6f8656d8f731fa7b2dd64536544e77163c927ed28e2e1b3027c53d0e508ed068db47d8050a839769da89d639e621a005a73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc68a26e2a050d075aa2187cb10af31f

SHA1
a5db19c21849d73002ed4c3f096347116509e7fd

SHA256
1f5779c372ab754d79766833533a29f22794977897fe02f97ff874197e1fe545

SHA512
eaf8e7d68c3f267a72c55cd2c9eea9de8fcd7e45dd8c22f3bc60a9571a20d209b7820605092c601b66933fe60be2b0f3307e667865210052a03edf1b14ccb648

Download Submit