Analysis
max time kernel: 150s
max time network: 159s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18-03-2024 23:55
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57
Resource: win11-20240221-en
General
Target: https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description        ioc                                                                   process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
pid   process
2920  msedge.exe (2 entries)
2752  msedge.exe (2 entries)
2584  identity_helper.exe (2 entries)
4376  msedge.exe (2 entries)
4084  msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes:
pid   process
2752  msedge.exe (6 identical entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
pid   process
2752  msedge.exe (25 identical entries)
Suspicious use of SendNotifyMessage (12 IoCs)
Processes:
pid   process
2752  msedge.exe (12 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description                       pid   process     target process
PID 2752 wrote to memory of 4580  2752  msedge.exe  msedge.exe
PID 2752 wrote to memory of 3748  2752  msedge.exe  msedge.exe
PID 2752 wrote to memory of 2920  2752  msedge.exe  msedge.exe
PID 2752 wrote to memory of 232   2752  msedge.exe  msedge.exe
(64 entries in total; every entry has source PID 2752 msedge.exe, and each of the four target PIDs above appears repeatedly in the list)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://penca-cbd8.ilodnswfalen.workers.dev/fa0ddc1a-42fe-48d7-9c38-0e515868fc57
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f2b43cb8,0x7ff8f2b43cc8,0x7ff8f2b43cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8956906726773646501,11688160034463792361,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5208 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads