hxxps://penca-cbd8[.]ilodnswfalen[.]workers[.]dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57

Analysis

max time kernel
150s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
14-03-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4028	msedge.exe
4028	msedge.exe
4888	msedge.exe
4888	msedge.exe
5060	identity_helper.exe
5060	identity_helper.exe
3060	msedge.exe
3060	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4888 msedge.exe
4888 msedge.exe
4888 msedge.exe
4888 msedge.exe
4888 msedge.exe
4888 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4888 wrote to memory of 4444	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4444	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4660	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4028	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 4028	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe
PID 4888 wrote to memory of 1476	4888	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff0b153cb8,0x7fff0b153cc8,0x7fff0b153cd8
2⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2120 /prefetch:2
2⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
2⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
2⤵
PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
2⤵
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
2⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
2⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,4180106387140203759,6755781880876897586,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4920 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
caaacbd78b8e7ebc636ff19241b2b13d

SHA1
4435edc68c0594ebb8b0aa84b769d566ad913bc8

SHA256
989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a

SHA512
c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7c194bbd45fc5d3714e8db77e01ac25a

SHA1
e758434417035cccc8891d516854afb4141dd72a

SHA256
253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3

SHA512
aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
a25976048aa753630ca410d6edb414ba

SHA1
d01e1627a6cf70e304e56d33e5f12fc704e5f51a

SHA256
30310c90e85cb29fb3d09a44972fd58113d5de0a7a1ade27c1edf152e1b0e7fc

SHA512
00a68b487a39ade5bf6b0b9bde45bbcfeecc8c4b19aa8e379f6ab7aeba39098a6262dd54fc613a234a7773926af01780691011fab2ffc9571570eb9626fe17ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
0018128461b9cf330d8e2943acf90d62

SHA1
f302cb83dfcae2025bffea113d3a8e8f5aef3b7c

SHA256
494e0b78109cb5e809c6542b93f452afa988e59e0d59663343a3a9b0146f920e

SHA512
7e5d3901367fb58b5005a28d8e51b11b54a80dfdc4c2f5e7b87d10d5688bb2852236f721038e2fddcbf8d03d6fa8e5eb5982eebb509b589c92503599c2b36adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3e4b33ca082050ecf64c61be26ea1f39

SHA1
2b10fca7dd20835a570c05ea9001165200a0707c

SHA256
a3792f8a42058c79cc7e56ef18f01384f1dce0cb3f326106409fe5d640e9efb1

SHA512
cea3b64262056a7cc63f3c32995e4119c0c3df681cd9da78fdd635fca691a7941bf33e36c076ce5ec4959f634d44d853c39909b50dac69961d4c0a8e33cf14f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a482aee245ec1789868a23d8d745cc7a

SHA1
16a643fab85ddbd702e5e0f7d752f18f9a0aeab7

SHA256
c3e1451014d6fe713b4e6567f4d4f845a7c1c05738ffa5b08e0262eb82d3489a

SHA512
ca0d15baf8f3f292b62982288e2f555ef1af755c2d650a2b55decd093d2ea02aff6e84237f8e6e10c7f3a5d3b275127de764d8d6ee271c705499de80c31dba7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b3d7ee915a18683bc5b2b455cf18fb02

SHA1
259a60f05f9b07f3219cb784a001e9d9c34db72b

SHA256
5b93922ef2546c01c08c12496d97eebaf7ae7690ec46e4a0856df595244481aa

SHA512
1647c5d99d27a0e0cb8f36a951d3803c325540354c5a5c150d6490da363b235ecb7f963910f348326558037b41e865744be8acb16e46eea0e5b7882e6f8df7f2

Download Submit
\??\pipe\LOCAL\crashpad_4888_OKTOGTPULINSKUGQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit