hxxps://gps[.]geoaustralchile[.]cl

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2023, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gps.geoaustralchile.cl

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
2372	msedge.exe
2372	msedge.exe
1592	identity_helper.exe
1592	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2372	msedge.exe
2372	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3944	2372	msedge.exe	47
PID 2372 wrote to memory of 3944	2372	msedge.exe	47
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 3392	2372	msedge.exe	85
PID 2372 wrote to memory of 4912	2372	msedge.exe	86
PID 2372 wrote to memory of 4912	2372	msedge.exe	86
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87
PID 2372 wrote to memory of 1868	2372	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gps.geoaustralchile.cl
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffb5f5e46f8,0x7ffb5f5e4708,0x7ffb5f5e4718
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10281108198236132330,11818472779492199337,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10281108198236132330,11818472779492199337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10281108198236132330,11818472779492199337,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10281108198236132330,11818472779492199337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10281108198236132330,11818472779492199337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10281108198236132330,11818472779492199337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10281108198236132330,11818472779492199337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6f47b83c67fe32ee32811d6611d269c

SHA1
b32353d1d0ed26e0dd5b5f1f402ffd41a105d025

SHA256
ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc

SHA512
6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4d668499-cbd9-42bd-8299-6b9ad7dec077.tmp

Filesize
5KB

MD5
ca1240f4d584a202b11a3b186fdee15a

SHA1
f8838391a65bce2853ee02de1def4d42e8a989df

SHA256
0f6e1afaf80cf3f000726330549db57dcc6b3c6aad95aaad30e7070c4cec03b8

SHA512
fbce6b7509a293b579f896130eacd8940c74fef32c93e3aa651a92cb363c723fc1919e5691b99bafc730d0d1a6e94df21b9e163b1c375fdd6705cf40abc54308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
eef186d2776b0f2cd078e3f342b82b15

SHA1
d45e5b1116dc1a5993db7a2b6330b922f7f634cc

SHA256
71927ca18be4d0333c913d3db4656f957af0ff62c4c7947236a21a637c53289b

SHA512
6273f2dc66b66738ed7d1af45fa1dfd4a5cad71bff6b9acfe128228688f654c06bb4c4d705a03e78e5593ea209549239530f0ef1d12f5aaaea4827160243aac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
440d98b91832496a17263022822f10a8

SHA1
87853ed1925ff3546f1046bfc3addcd9f89d7e84

SHA256
856cc58584823237c3c88a828e05560aa166e22b7f770256aace1fa368e8fbd0

SHA512
88d00759be1d812dbb1482d25c484d3e1b909e6736d7858d69ca166092f5f3d5e6d035e4809a6ee6ccc4722fb650b53a8963cda310f0d109f7fe1211de96a6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a2c6c0f4f62e2e59dba5c2a26bd1d47a

SHA1
43042366023bd2c2092a71a0f9576c52cdecdf6a

SHA256
34270770fcd74aed7363cf5743d696f4e66120ab19b26eefbf631b3a108a3e4d

SHA512
88c7b3f221f48e854249c200411595d0fdc2dd16ef00dce2f915540a38b9357a4799b203edbeda42647691b94bcca2a561d10c423898b6fbc554e929d69f09af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4b781306eef375e7a60cf1e186ae3d54

SHA1
e9d718868bb4f5bdeb1658da532477159c9e11d0

SHA256
2171b47efeb585994751e106a8014a21fe355109b7de1d032cd7190242e59a4c

SHA512
aa738ade4ba51982fec15d6da8368be77491c0d220b0b0340af52626f6b18478842705472d4fb18d61de9a39e21d5a7e70b53ccc63617ff3147ee9d5a05423dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2a3f44a34b6fe1c270aeb435b9262070

SHA1
d81e29e085d4cdac042274a1b2f60cd7be50222b

SHA256
64fc664a6abc631c0107387799d343d81b4c1a3eb220ca4be1863a56902c9df9

SHA512
d99466230ad75316a459c4d3f1c1fe7235360f5649745aa2e69b40947fbc18360d64b0c87359e1713cd8cc5dcaabe75293b545002a84be8ec6841bc9b1167c8e

Download Submit