hxxps://picoyplacasolidario[.]movilidadbogota[.]gov[.]co/PortalCiudadano/#/detallesSolicitud/seleccionar

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://picoyplacasolidario.movilidadbogota.gov.co/PortalCiudadano/#/detallesSolicitud/seleccionar

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2700	msedge.exe
2700	msedge.exe
4776	identity_helper.exe
4776	identity_helper.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe
2700	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2220	2700	msedge.exe	82
PID 2700 wrote to memory of 2220	2700	msedge.exe	82
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 4756	2700	msedge.exe	83
PID 2700 wrote to memory of 2728	2700	msedge.exe	84
PID 2700 wrote to memory of 2728	2700	msedge.exe	84
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86
PID 2700 wrote to memory of 4188	2700	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://picoyplacasolidario.movilidadbogota.gov.co/PortalCiudadano/#/detallesSolicitud/seleccionar
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc140046f8,0x7ffc14004708,0x7ffc14004718
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,15444900690270005886,11467187053185923520,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1052 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\98f2a5f8-6fd3-4b4a-900d-600ec69ce2cf.tmp

Filesize
10KB

MD5
bbb4e8bdd51a6615862393cb96ac2919

SHA1
9cd2bd28802e0f9fda19adce068946b801735c7e

SHA256
5ea5843343a130747c1fb80760b55aecf03cee1c9671ffa20580d273975ab999

SHA512
5789bd768d0b1db4ccb4c35ac0d9b14e113e6aef3fb6aa6e0d797c06f1052a4cc179ac8f8616452a03967e3101b422e552386e9c7f43d5f85c856082f72b1615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d25fc6e43a16159ebfd161f28e16ef7

SHA1
49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4

SHA256
cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5

SHA512
ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
183KB

MD5
7f529c2ef4e90c2fe7b09ada4f85f4f1

SHA1
58b9e4de7b4a1e549a17cb471541ed330a61781b

SHA256
2ebaeac31ed41fbe24fc07bc3b0fb4043422a790e356a5f38c82b125e3451827

SHA512
bcf6ee7711e5dbf1943dcd133e675006d574e3959761cb1007e69b8299c5d3a8435324427b402f65b0feb3374b625e2959fcb321b67ddbaae36c5ffcb74dcd0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
18e0e566e9ee37d8ec7d36727487a641

SHA1
2720bb6894b7c6a01199dba10377eb28d34062cc

SHA256
a416ced6db35b89af0af6274fe9e752ccc9727cb98464ea60d4713ad7d8bed73

SHA512
b782618899731b91e79abda8f82a38ed5ce431fabaa6ca1da217bbcea77a8c79377222dabc70622351d543630a84a802f22a727452f40f88da82c166fbfc7ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
973a80b73812b482b8ac794de8a5d485

SHA1
495667556df1fbb7f03142289baebb566a6e708b

SHA256
a86680d5151945df74fec69b8975c73d4295dd6d77cd23d3c9119b37ca1e1c9b

SHA512
3f59f78dd7f1c1fcb5ec18d28af5801a62961836f6332afa8b0608ad001b5149902d18d613dd59a48d7fc147e7c111bf9f2b2603b0394b4f45e26d6dc653e9df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0bbc2db28081d83ab9b26a62e6337c16

SHA1
be519bb04cd9d44eeb3f1dc691948c0c77e7632c

SHA256
8976aab67a7358950b7b4c30da18260774e0ada9739966d35e9d37a1e9d5cf19

SHA512
7fa6e62710c6a8302e111d94e62e43fbecf95d523f9133af6680764df8a269fa37160dadc9d80e8c8d0f62c07c59c6daeb549d8808c0148738172da42b5b1197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb4a407771b9952e351f283eb9e574d1

SHA1
718d6d67b504e42c4c2754d52191ea110fa85003

SHA256
d4ebd14b72b079be4b78108443c5cdca57a581c57c7de625e46aa2e6f97e7320

SHA512
34c769ddebb4c4af4d76a497873c4353191a90ac12f657ceb0a0452e6e3125e18c7195c3e459a648440c09224b27e0065f0d3fadc959511a4f5d811556ced594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d555d038867542dfb2fb0575a0d3174e

SHA1
1a5868d6df0b5de26cf3fc7310b628ce0a3726f0

SHA256
044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e

SHA512
d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit