Analysis
max time kernel: 146s
max time network: 155s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
submitted: 29-02-2024 02:01
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57
Resource: win11-20240221-en
General
Target: https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57
The target is a path under a workers.dev hostname (Cloudflare Workers). This extract of the report carries no network capture, so nothing below says what the page served; the verdict has to rest on what the browser did on the host.
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  msedge.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  msedge.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  SystemManufacturer and SystemProductName are the values a VM-aware sample reads to recognise a sandbox, but Chromium reads the same keys for its own hardware-model reporting, and here the reader is the browser itself. With no process outside Edge in the tree below, treat this as browser baseline rather than as evidence that the page is sandbox-aware.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 1272 msedge.exe (2), PID 2588 msedge.exe (2), PID 4300 identity_helper.exe (2), PID 4076 msedge.exe (2), PID 2812 msedge.exe (4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  PID 2588 msedge.exe (6)
  This signature fires when a process creates a child with the "block non-Microsoft binaries" process-mitigation policy set. Chromium-based browsers apply that policy to their sandboxed child processes, so from msedge.exe it is expected hardening, not a sign of injection.
- Suspicious use of FindShellTrayWindow (26 IoCs)
  PID 2588 msedge.exe (26)
- Suspicious use of SendNotifyMessage (12 IoCs)
  PID 2588 msedge.exe (12)
  Both are ordinary Win32 GUI behaviour for a desktop application (locating the taskbar window, posting window messages); they are reported because some malware uses the same calls, not because a browser using them is unusual.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Every entry is PID 2588 msedge.exe writing into another msedge.exe: targets 2496, 4976, 1272 and 1496 in order of first appearance, with the bulk of the 64 writes going to 4976 and 1496. All four targets are children of 2588 in the process tree below (crashpad handler, GPU process, network service and storage service). The browser process writes startup data into each child it has just created; a write into a process outside Edge's own tree would be the anomaly, and there is none here.
Processes
Each entry gives the PID, image and full command line as recorded; in every case the image path is the quoted first argument, so it is not repeated. Indentation gives the parent: every Edge child is spawned by PID 2588, and the two CompPkgSrv.exe instances are separate roots.
- PID 2588 msedge.exe (root, browser process)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 2496 msedge.exe (crashpad handler)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff893433cb8,0x7ff893433cc8,0x7ff893433cd8
  - PID 1272 msedge.exe (network service, --service-sandbox-type=none)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1496 msedge.exe (storage service)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  - PID 4976 msedge.exe (GPU process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2084 /prefetch:2
  - PID 2180 msedge.exe (renderer, client id 5)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  - PID 3024 msedge.exe (renderer, client id 6)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  - PID 4300 identity_helper.exe (WinRT app-id service, --service-sandbox-type=none)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3484 msedge.exe (renderer, instant process, client id 9)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  - PID 3452 msedge.exe (renderer, client id 8)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  - PID 4076 msedge.exe (UtilWin utility, --service-sandbox-type=none)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1608 msedge.exe (renderer, instant process, client id 12)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  - PID 2216 msedge.exe (renderer, client id 11)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  - PID 2812 msedge.exe (second GPU process, GPU sandbox disabled, GL off)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,11380201227993863506,15704875740075532589,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5928 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- PID 2940 CompPkgSrv.exe (root)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 2092 CompPkgSrv.exe (root)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Two points a reviewer should take from the tree. The Edge build in this image is 90.0.818.66 on Chromium 90.0.4430.212, a 2021 release, so the page was rendered by a browser far older than the February 2024 image it runs on, and a page that fingerprints the browser can tell. The second GPU process (2812) came up with --disable-gpu-sandbox --use-gl=disabled after the first (4976); that is consistent with Chromium's fallback when the VM offers no usable GPU, not with anything the page did. CompPkgSrv.exe is a Windows COM server started with -Embedding by the COM runtime and is not a child of Edge.
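The tree above is read the way a triage script would read it: which Chromium children run outside a sandbox, which roots are not the browser, and whether every WriteProcessMemory target is a child of the writer. The script below is an added example for this report, not the sandbox vendor's code. Its process records are transcribed from the tree (parent PIDs from the indentation, command lines cut down to the flags the checks use), the write pairs come from the WriteProcessMemory signature, and the rules for what counts as an expected sandbox state are this editor's assumptions about a normal Edge launch.

```python
"""Review an Edge/Chromium process tree from a sandbox report (added example)."""
import shlex

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
HELPER = r"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"
COMPPKG = r"C:\Windows\System32\CompPkgSrv.exe"
TARGET = "https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57"

# (pid, parent pid or None for a root, command line) transcribed from the report;
# command lines keep only the flags that matter for the checks below.
PROCESSES = [
    (2588, None, f'"{EDGE}" --single-argument {TARGET}'),
    (2496, 2588, f'"{EDGE}" --type=crashpad-handler --monitor-self-annotation=ptype=crashpad-handler'),
    (1272, 2588, f'"{EDGE}" --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none'),
    (1496, 2588, f'"{EDGE}" --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility'),
    (4976, 2588, f'"{EDGE}" --type=gpu-process --mojo-platform-channel-handle=2084'),
    (2180, 2588, f'"{EDGE}" --type=renderer --renderer-client-id=5 --no-v8-untrusted-code-mitigations'),
    (3024, 2588, f'"{EDGE}" --type=renderer --renderer-client-id=6 --no-v8-untrusted-code-mitigations'),
    (4300, 2588, f'"{HELPER}" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none'),
    (3484, 2588, f'"{EDGE}" --type=renderer --instant-process --renderer-client-id=9'),
    (4076, 2588, f'"{EDGE}" --type=utility --utility-sub-type=chrome.mojom.UtilWin --service-sandbox-type=none'),
    (2812, 2588, f'"{EDGE}" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled'),
    (2940, None, f"{COMPPKG} -Embedding"),
    (2092, None, f"{COMPPKG} -Embedding"),
]

# Distinct (writer, target) pairs from the "Suspicious use of WriteProcessMemory" signature.
WRITE_PAIRS = [(2588, 2496), (2588, 4976), (2588, 1272), (2588, 1496)]

# Chromium child roles that are expected to run inside a sandbox on Windows (assumption).
EXPECTED_SANDBOXED = {"renderer", "gpu-process", "utility"}


def argv(cmdline):
    """Split a Windows command line, keeping backslashes and quoted spaces intact."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def parse_flags(cmdline):
    """Map every --flag / --flag=value token after argv[0] to its value (True if bare)."""
    flags = {}
    for tok in argv(cmdline)[1:]:
        if tok.startswith("--"):
            key, eq, value = tok[2:].partition("=")
            flags[key] = value if eq else True
    return flags


def image_name(cmdline):
    """Lower-cased basename of argv[0]."""
    return argv(cmdline)[0].rsplit("\\", 1)[-1].lower()


def classify(cmdline):
    """Return (role, sandboxed) for one process, judged from its Chromium flags alone."""
    flags = parse_flags(cmdline)
    role = flags.get("type") or "main"
    if role == "utility":
        sandboxed = flags.get("service-sandbox-type") != "none"
    elif role == "gpu-process":
        sandboxed = "disable-gpu-sandbox" not in flags
    elif role == "renderer":
        sandboxed = "no-sandbox" not in flags
    else:  # the browser (main) process and the crashpad handler run unsandboxed by design
        sandboxed = False
    return role, sandboxed


def review_tree(processes, write_pairs, browser_images=("msedge.exe", "identity_helper.exe")):
    """Flag what deserves a second look: children that should be sandboxed but are not,
    roots that are not the browser, and memory writes that leave the writer's own children."""
    parent = {pid: ppid for pid, ppid, _ in processes}
    roles, unsandboxed, non_browser_roots = {}, [], []
    for pid, ppid, cmd in processes:
        role, sandboxed = classify(cmd)
        roles[pid] = role
        if role in EXPECTED_SANDBOXED and not sandboxed:
            unsandboxed.append(pid)
        if ppid is None and image_name(cmd) not in browser_images:
            non_browser_roots.append(pid)
    # The browser process writes startup data into each child it has just spawned;
    # a write into any process that is not its own child is the anomaly worth chasing.
    writes_outside_tree = [(w, t) for w, t in write_pairs if parent.get(t) != w]
    return {"roles": roles, "unsandboxed": unsandboxed,
            "non_browser_roots": non_browser_roots, "writes_outside_tree": writes_outside_tree}


if __name__ == "__main__":
    for key, value in review_tree(PROCESSES, WRITE_PAIRS).items():
        print(f"{key}: {value}")
```

On this report the script lists 1272, 4300, 4076 and 2812 as unsandboxed (the network service, the two unsandboxed utilities and the fallback GPU process), the two CompPkgSrv.exe roots as non-browser roots, and no write outside the tree. An unsandboxed network service is what Chromium of that era shipped on Windows, so the "unsandboxed" list is a baseline to compare against, not a finding on its own; the empty "writes outside tree" list is the result that actually clears the WriteProcessMemory signature.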
Network
MITRE ATT&CK Enterprise v15
Downloads
The nine file entries are all browser profile state under C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data (Crashpad settings, the JS code-cache index, network persistent state, Preferences, Local State and a LevelDB CURRENT marker). Three paths appear twice with different hashes (Crashpad\settings.dat, Default\Preferences, Local State): the browser rewrote them during the run and the report kept both versions. Nothing fetched from the target URL and nothing written outside the profile directory is listed; the tenth entry is a named pipe, not a file.
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: a91469041c09ba8e6c92487f02ca8040
  SHA1: 7207eded6577ec8dc3962cd5c3b093d194317ea1
  SHA256: 0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f
  SHA512: b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 601fbcb77ed9464402ad83ed36803fd1
  SHA1: 9a34f45553356ec48b03c4d2b2aa089b44c6532d
  SHA256: 09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15
  SHA512: c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 240B
  MD5: 1dcb0d6009f8f9859ad9a00198f27aa5
  SHA1: 5e7ce07943ea429f4208109b7273cc0fb0c7ce2d
  SHA256: e0d78ea1d7526d73f7cd38212fca030e4d556f476d3ddd18cfb2df7b7a6cb65b
  SHA512: 9afe0a921ca93f24b361cf8690e11b5a4f7b681edc92ba060c7012ac3f84cdf3bb8955dcfab6c45b20fc0c635cf8b0775fc8013535ec0f475acf17075b981a22
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: 0c9ecbacdce190bb81692564ebb436e4
  SHA1: ab0dba1a4b16932a7724b3eaf983aa89750b7a0a
  SHA256: 5b7664a8a6565e61eb17dd99ca54451e022d1999b2836ce9cfe9a855be79f133
  SHA512: 5b39076b2cc84d4defe5e4999e790d857c41551cdbfc89725edb24ec94b9f7e4cfc1ffd3b0e832ecf0c7526fd28aa6a637077af83adb63ce435297e856ca17bd
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: d33646cb587764678f3c6510d1f575ab
  SHA1: d24eda93e3aa4409494f9d950a9465edeb68ddf1
  SHA256: c2d1fc4c5ed0941083d5927a7d4cb306698078f4eaf5f7f9f57569ec2b660a1a
  SHA512: 8ea605082888a18ff62557520cbbd23ca8be28393482738867c4a11b498639ebbf24b1037f573520fb80af690803a2975d4d5be63ffac74e2d1231455c556d96
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 9701bd09b75e2b559aa820f5c4a6166c
  SHA1: cf8defb2bbf1182c8e8944dbbaff60c369a15062
  SHA256: ca4fa47c63e4be9a07f3098fc10dab24b3706fb78767457023f229a9ba9d0dac
  SHA512: b353a805a267eff3aa314fb7b9628908c4b3cff096f4038941281c25910493a07955f07de8ce7a53a1ab89dad05e8a84fadd5a8deb7f28e98552a02507f3978f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 4f2a7ab1c6c192aa016df948a5943903
  SHA1: a464bf54f6ebd7517639f607e21f34334b935915
  SHA256: 3c93425d4ec078910b1a59744794d22c99499051807c3cb1c7fe591a04d10d4d
  SHA512: f07bbeea0747250509c8f2f94ee08b32534ced7a7a0b2411528e347c78cedcba954fa00b0af01a1cc009605e5cdaa277c2f37c683db3a26eb672547ce2116f9a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 21f07229370498a4bd54db620c83d5a3
  SHA1: dd0c42a47d128b70b1092b86f90cfa6a636cc549
  SHA256: d14af5a4070962b984a016aead31f4b886ca49c108b5b2b2a2c3b2b59e0eac71
  SHA512: a467b9430457d1fe453ab515464366ea5f73845510ac656ec0edcafc1e51ac22cc45dbb113cb553bce5113cab57bd4a5d557c733a4043a2eff46b66107103271
- \??\pipe\LOCAL\crashpad_2588_UXZSLHVCFHVILXIM
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  This entry is the crash-handler named pipe of PID 2588, not a file, and no size is recorded for it. All four digests are the well-known values for zero-byte input, so the entry carries no content; do not pivot on these hashes, they match every empty file ever hashed.
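The observations above (same path listed twice with different hashes, an entry whose digests are those of empty input, nothing outside the profile directory) are mechanical enough to script. The block below is an added example for this report, not the sandbox's own code. Its records are the Downloads entries transcribed from the list above with MD5, SHA1 and SHA256 only (SHA512 left out to keep the table readable); the empty-input digests are computed with hashlib rather than pasted, so the comparison cannot drift.

```python
"""Triage the file list of a sandbox report (added example)."""
import hashlib
from collections import defaultdict

PROFILE = r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"

# (path, size as printed in the report or None, md5, sha1, sha256), transcribed from the report.
ARTIFACTS = [
    (PROFILE + r"\Crashpad\settings.dat", "152B",
     "a91469041c09ba8e6c92487f02ca8040", "7207eded6577ec8dc3962cd5c3b093d194317ea1",
     "0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f"),
    (PROFILE + r"\Crashpad\settings.dat", "152B",
     "601fbcb77ed9464402ad83ed36803fd1", "9a34f45553356ec48b03c4d2b2aa089b44c6532d",
     "09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15"),
    (PROFILE + r"\Default\Code Cache\js\index-dir\the-real-index", "240B",
     "1dcb0d6009f8f9859ad9a00198f27aa5", "5e7ce07943ea429f4208109b7273cc0fb0c7ce2d",
     "e0d78ea1d7526d73f7cd38212fca030e4d556f476d3ddd18cfb2df7b7a6cb65b"),
    (PROFILE + r"\Default\Network Persistent State", "1KB",
     "0c9ecbacdce190bb81692564ebb436e4", "ab0dba1a4b16932a7724b3eaf983aa89750b7a0a",
     "5b7664a8a6565e61eb17dd99ca54451e022d1999b2836ce9cfe9a855be79f133"),
    (PROFILE + r"\Default\Preferences", "5KB",
     "d33646cb587764678f3c6510d1f575ab", "d24eda93e3aa4409494f9d950a9465edeb68ddf1",
     "c2d1fc4c5ed0941083d5927a7d4cb306698078f4eaf5f7f9f57569ec2b660a1a"),
    (PROFILE + r"\Default\Preferences", "6KB",
     "9701bd09b75e2b559aa820f5c4a6166c", "cf8defb2bbf1182c8e8944dbbaff60c369a15062",
     "ca4fa47c63e4be9a07f3098fc10dab24b3706fb78767457023f229a9ba9d0dac"),
    (PROFILE + r"\Default\data_reduction_proxy_leveldb\CURRENT", "16B",
     "6752a1d65b201c13b62ea44016eb221f", "58ecf154d01a62233ed7fb494ace3c3d4ffce08b",
     "0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd"),
    (PROFILE + r"\Local State", "11KB",
     "4f2a7ab1c6c192aa016df948a5943903", "a464bf54f6ebd7517639f607e21f34334b935915",
     "3c93425d4ec078910b1a59744794d22c99499051807c3cb1c7fe591a04d10d4d"),
    (PROFILE + r"\Local State", "11KB",
     "21f07229370498a4bd54db620c83d5a3", "dd0c42a47d128b70b1092b86f90cfa6a636cc549",
     "d14af5a4070962b984a016aead31f4b886ca49c108b5b2b2a2c3b2b59e0eac71"),
    (r"\??\pipe\LOCAL\crashpad_2588_UXZSLHVCFHVILXIM", None,
     "d41d8cd98f00b204e9800998ecf8427e", "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

# Digests of zero bytes, computed rather than pasted.
EMPTY = {algo: hashlib.new(algo, b"").hexdigest() for algo in ("md5", "sha1", "sha256")}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def malformed(records):
    """Paths whose digests are not lowercase hex of the right length (a mangled extract)."""
    bad = []
    for path, _size, md5, sha1, sha256 in records:
        for algo, digest in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
            if len(digest) != HEX_LEN[algo] or any(c not in "0123456789abcdef" for c in digest):
                bad.append(path)
                break
    return bad


def empty_content(records):
    """Entries whose MD5, SHA1 and SHA256 are all the digests of zero bytes."""
    return [path for path, _s, md5, sha1, sha256 in records
            if (md5, sha1, sha256) == (EMPTY["md5"], EMPTY["sha1"], EMPTY["sha256"])]


def rewritten(records):
    """Paths listed more than once with different content, i.e. files the browser
    modified during the run; each value keeps the report's order of versions."""
    versions = defaultdict(list)
    for path, _s, md5, *_rest in records:
        if md5 not in versions[path]:
            versions[path].append(md5)
    return {path: md5s for path, md5s in versions.items() if len(md5s) > 1}


def outside_profile(records, profile=PROFILE):
    """Anything not under the browser profile: a dropped payload would show up here."""
    return [path for path, *_ in records if not path.startswith(profile)]


def triage(records):
    """All four checks in one dict, ready to print or to diff against another run."""
    return {"malformed": malformed(records), "empty": empty_content(records),
            "rewritten": rewritten(records), "outside_profile": outside_profile(records)}


if __name__ == "__main__":
    for key, value in triage(ARTIFACTS).items():
        print(f"{key}: {value}")
```

Run against this report the only entry outside the profile and the only empty-content entry are the same crashpad pipe, and the rewritten set is exactly the three paths the list shows twice. The checks are cheap to keep in a triage pipeline: a non-empty `outside_profile` or a rewritten path that is not normal profile state is the point at which a URL report stops being browser noise.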