hxxps://drive[.]google[.]com/drive/folders/1Oolj5OO2_6zZI_5Qww0zLSv4kx8oB0r1?usp=sharing

Analysis

max time kernel
143s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1Oolj5OO2_6zZI_5Qww0zLSv4kx8oB0r1?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2844	msedge.exe
2844	msedge.exe
1348	msedge.exe
1348	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 868	1348	msedge.exe	85
PID 1348 wrote to memory of 868	1348	msedge.exe	85
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 4976	1348	msedge.exe	86
PID 1348 wrote to memory of 2844	1348	msedge.exe	87
PID 1348 wrote to memory of 2844	1348	msedge.exe	87
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88
PID 1348 wrote to memory of 1852	1348	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1Oolj5OO2_6zZI_5Qww0zLSv4kx8oB0r1?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcddb46f8,0x7ffbcddb4708,0x7ffbcddb4718
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9820288970944105185,7617559686471565126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9820288970944105185,7617559686471565126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9820288970944105185,7617559686471565126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9820288970944105185,7617559686471565126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9820288970944105185,7617559686471565126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9820288970944105185,7617559686471565126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf0b2725c0cd068b0f67eb62cbc3244f

SHA1
54ee5cd3bd0ae55707020bf40c4342736e310caf

SHA256
5dff0f70a7691805910a88ef91c9ecc338c6a27b818ff6b0c8bc6e0e8e381d36

SHA512
f622f17ddcf1a364bbe926fe427b1544c3bea200b65f24aee14a5eaa7b260e33f396ef07f2a0a53540dc4c0f5beebf431b6d7d0a9032890de13b99a2089b852e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8cb3a8ae72d4143c46a67827ca0b7df

SHA1
171c2c090300f33f67510e38358077155a664f99

SHA256
7bf198a75746d630643056ad1571f0d46f6d069f7813a39888f7519b4b843e9e

SHA512
917d6ac30c1975f5266aa380baf9842575ad565c4399ef7da499e8f78d7300f6b1c4d3c5846d46b5c39fbbcd76097fe356274ce44eb35e8ca5c09522def6758e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
215KB

MD5
2ffbc848f8c11b8001782b35f38f045b

SHA1
c3113ed8cd351fe8cac0ef5886c932c5109697cf

SHA256
1a22ece5cbc8097e6664269cbd2db64329a600f517b646f896f291c0919fbbef

SHA512
e4c037be5075c784fd1f4c64ff6d6cd69737667ec9b1676270e2ed8c0341e14f9d6b92fde332c3d629b53ae38e19b59f05a587c8a86de445e9d65ccfa2bd9c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
067b033f5d0b4fa406bae58809afa6b2

SHA1
abcac4b912a1bff02d62e8b2cae62deab9e74b1a

SHA256
6e1b67263ab14a50809cfc472af9a410a31a1ce6f23cddb9d9978c51c5d8a6b5

SHA512
ff6bb244f467ec9ceb65b2b03e0ef08bff6bbe4a7b934d14604a4cbfb0380cabc33833d1d76db65b8fff15be65f113b307ecbde2ae7172fb531c7e94f8ca29fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5f0ada302b8e2046e188eb06eebc4f6f

SHA1
c395162a7f7ef678a28c03531ce18729c445a2c9

SHA256
2b6c406ab23d1c81eba7755cca83da234b2a8b27365bca29db29f31baa74ddcd

SHA512
c31a98706b6c23c88ca97d90af4edb863670578dff9d952be8280e4fe06c88e2cf16bb6902c751d3ce0c30aea4bc5ddf31524156ae150e6b626a7eb464c10a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b254659eabdaed6c3a9c593f4a6655e

SHA1
70e4b802a10aba1ef0c49bdaaf3a1a07eb96495c

SHA256
4765b74da67f763b2e5da1a697e5d921d31846e38fa2ff1c54080b5bd0d99566

SHA512
d3400f3e255eb8dae685ccd03b6caabd43ed20121df0c055090618ac43f4c4f81a93cbe887c3ea1e24d00ed47c67c54db5e1a27294ba0d03e2446cee3e8f2b7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ea56ad83bad7fa16cb6aed348e87c4b

SHA1
91de1c9e7f620d9a3271da8c4d8b17575a80fa9a

SHA256
b1bd719974d0e39f0e7c1abcc1d93f5c9668ed9b43af7713cdc5cd9ea6673cc2

SHA512
3031f3e846513aaa206bf44953169b99836d0b3ec1536378accea71aac6ce0fa3d7c8ba056680edd452a0065642fab926f0eac61a59f0bc71a5aa2b90b5ad3e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f57e742974f045b2483b310355b0c3fe

SHA1
b5257335ee4e989cc8080985990e4fcf0673ec30

SHA256
532eef6f4b8bd17640b6333a08412c4a41b6b4e6ac9acf311f5edcc39df61298

SHA512
c7d8587a2455e0c757d8e32b3db6283d1ebcfd31ed11ed96677407d7bb8577edb225a5ac2984b08f086756568a4642ee9919a5699ede9ebd9c04c7366ee4af80

Download Submit