hxxps://penca-cbd8[.]ilodnswfalen[.]workers[.]dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57

Analysis

max time kernel
146s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-02-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1272	msedge.exe
1272	msedge.exe
2588	msedge.exe
2588	msedge.exe
4300	identity_helper.exe
4300	identity_helper.exe
4076	msedge.exe
4076	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2588 msedge.exe
2588 msedge.exe
2588 msedge.exe
2588 msedge.exe
2588 msedge.exe
2588 msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2588 wrote to memory of 2496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 2496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 4976	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1272	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1272	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe
PID 2588 wrote to memory of 1496	2588	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff893433cb8,0x7ff893433cc8,0x7ff893433cd8
2⤵
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
2⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2084 /prefetch:2
2⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
2⤵
PID:2180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
2⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
2⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
2⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
2⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5928 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a91469041c09ba8e6c92487f02ca8040

SHA1
7207eded6577ec8dc3962cd5c3b093d194317ea1

SHA256
0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f

SHA512
b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
601fbcb77ed9464402ad83ed36803fd1

SHA1
9a34f45553356ec48b03c4d2b2aa089b44c6532d

SHA256
09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15

SHA512
c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
1dcb0d6009f8f9859ad9a00198f27aa5

SHA1
5e7ce07943ea429f4208109b7273cc0fb0c7ce2d

SHA256
e0d78ea1d7526d73f7cd38212fca030e4d556f476d3ddd18cfb2df7b7a6cb65b

SHA512
9afe0a921ca93f24b361cf8690e11b5a4f7b681edc92ba060c7012ac3f84cdf3bb8955dcfab6c45b20fc0c635cf8b0775fc8013535ec0f475acf17075b981a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
0c9ecbacdce190bb81692564ebb436e4

SHA1
ab0dba1a4b16932a7724b3eaf983aa89750b7a0a

SHA256
5b7664a8a6565e61eb17dd99ca54451e022d1999b2836ce9cfe9a855be79f133

SHA512
5b39076b2cc84d4defe5e4999e790d857c41551cdbfc89725edb24ec94b9f7e4cfc1ffd3b0e832ecf0c7526fd28aa6a637077af83adb63ce435297e856ca17bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d33646cb587764678f3c6510d1f575ab

SHA1
d24eda93e3aa4409494f9d950a9465edeb68ddf1

SHA256
c2d1fc4c5ed0941083d5927a7d4cb306698078f4eaf5f7f9f57569ec2b660a1a

SHA512
8ea605082888a18ff62557520cbbd23ca8be28393482738867c4a11b498639ebbf24b1037f573520fb80af690803a2975d4d5be63ffac74e2d1231455c556d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9701bd09b75e2b559aa820f5c4a6166c

SHA1
cf8defb2bbf1182c8e8944dbbaff60c369a15062

SHA256
ca4fa47c63e4be9a07f3098fc10dab24b3706fb78767457023f229a9ba9d0dac

SHA512
b353a805a267eff3aa314fb7b9628908c4b3cff096f4038941281c25910493a07955f07de8ce7a53a1ab89dad05e8a84fadd5a8deb7f28e98552a02507f3978f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4f2a7ab1c6c192aa016df948a5943903

SHA1
a464bf54f6ebd7517639f607e21f34334b935915

SHA256
3c93425d4ec078910b1a59744794d22c99499051807c3cb1c7fe591a04d10d4d

SHA512
f07bbeea0747250509c8f2f94ee08b32534ced7a7a0b2411528e347c78cedcba954fa00b0af01a1cc009605e5cdaa277c2f37c683db3a26eb672547ce2116f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
21f07229370498a4bd54db620c83d5a3

SHA1
dd0c42a47d128b70b1092b86f90cfa6a636cc549

SHA256
d14af5a4070962b984a016aead31f4b886ca49c108b5b2b2a2c3b2b59e0eac71

SHA512
a467b9430457d1fe453ab515464366ea5f73845510ac656ec0edcafc1e51ac22cc45dbb113cb553bce5113cab57bd4a5d557c733a4043a2eff46b66107103271

Download Submit
\??\pipe\LOCAL\crashpad_2588_UXZSLHVCFHVILXIM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit