hxxp://geolia[.]blogsite[.]xyz

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-es
resource tags

arch:x64arch:x86image:win10v2004-20231023-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
06/11/2023, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://geolia.blogsite.xyz

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133437467923129012"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4184	chrome.exe
4184	chrome.exe
4036	chrome.exe
4036	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 2408	4184	chrome.exe	45
PID 4184 wrote to memory of 2408	4184	chrome.exe	45
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 2224	4184	chrome.exe	87
PID 4184 wrote to memory of 1508	4184	chrome.exe	86
PID 4184 wrote to memory of 1508	4184	chrome.exe	86
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88
PID 4184 wrote to memory of 2560	4184	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://geolia.blogsite.xyz
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeedb39758,0x7ffeedb39768,0x7ffeedb39778
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1996,i,9307310775201507627,15262512699774214842,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1996,i,9307310775201507627,15262512699774214842,131072 /prefetch:2
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1996,i,9307310775201507627,15262512699774214842,131072 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1996,i,9307310775201507627,15262512699774214842,131072 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1996,i,9307310775201507627,15262512699774214842,131072 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4564 --field-trial-handle=1996,i,9307310775201507627,15262512699774214842,131072 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1996,i,9307310775201507627,15262512699774214842,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1996,i,9307310775201507627,15262512699774214842,131072 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2924 --field-trial-handle=1996,i,9307310775201507627,15262512699774214842,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4036

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
a3a3e0b500bff6c2aab994bb1d0acf48

SHA1
f1130d9b2848e25187ce09ab67941c2e4cd9c830

SHA256
f4f43ef3e7d4e1eea9032e525949bd5dd6fbdab163cf6bd7bba32e222b9c992e

SHA512
129f28de96b461dd4ee3efa55c69e554dc0c7ae2f073b21f504a1a535e37941c2a82c1d04d94fe1d08f370655da137c92168712a48e8e483626d517fa638541e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f6a30f470a0e40a6a7cc29474b0b68ad

SHA1
f55cb121ca1c6481afaee7d90cc441637013238e

SHA256
dc9303a29b2839362dc2cec4c260999ea19c8119f7c54379cb2cf6c60c388ff8

SHA512
ca5234611b48150c3c9baf308a14d5077b6754e7123b84c998af7138cfa0b81a81867df767822c7a2350cb34938f528984d93024bf02ed905eaa9f146d7ffd29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
c5fa0494e7d26e10754f331243917f7a

SHA1
639d27ecafa7b4792e31dede18f63c227a99b393

SHA256
5b27c7188cf3f37b4ada8dcc7b7bd90ee7e51a45dbd81d69ee63edbc1d4fde4c

SHA512
bca0437319721c991374d2012dba5f1e8d62eb18893f48845c5110efeb732ca782bedd108a180effb00400dd2cd4a1962286f3b676988c679c38977f29b5b993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1cab6a6fd1683826facbfceab4e0e78e

SHA1
806bf49ffeb0e64da2770a96a45d73a436fef89a

SHA256
e9d24f0df34133c1c7ffff35d14f837c0cd493683baa7dfe37eecb571ce2548a

SHA512
82ee5680466e9a80a24d15b58018cf5d6c8b86929c2c79271b3c87546dabc97ce5d21d80473264437d01633ecebc286816ecb25ac83251b6b7948b5257531c01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8a045e73ad7c1076079f389e7fe59713

SHA1
3e1ee85df8afbc62d3f13736245ccde3cc788275

SHA256
0587288d73388a8c46115e96b5160463149b7641095056db4abd7b72fbfd5a47

SHA512
beacb13475a8d6533964366f783ea8825b52afc455d6584f02914140daba6744c290c42ca5ae13a2487cbb628f5ac2f40bf25b5653a0a3af6d348dd2b338d5b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7e558959ce1e6c24be7253f9af459cb7

SHA1
b5aeb9dd3e67bf898fc109bb74c46d1f0d96d8eb

SHA256
5799b2dd4fd40559537aea5fb8410efeaa71f69c5dcea46ac432bb19a160e9c6

SHA512
840333024dc83e02cd0cdf2dced89a23369b456783612deb8694aec93d3f1b085c50fac17eb4165243bc226d029653d8b7916d5149785324819a6890a2253f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
2349e9a6d0cb745968eab2df416b50e7

SHA1
b31e3d7baa52822e0b79d53bd11495358c3cfcdb

SHA256
b3d9134d8c2e8916347b92f683051d729de8a319d581ae26c0087c9a57371c99

SHA512
871bbb7cb9235ce738a2301950cd7ec651cf6b89298674798f4da416c83a1604d19379ba658ba22a80640fe8f502cf39757edb6ef9f8744cf70d72671ccadcc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit