Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/08/2023, 17:43
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://mubuenosaires.com.ar/
  - Resource: win10v2004-20230703-en
General
- Target: https://mubuenosaires.com.ar/
Malware Config
Signatures
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  29    api.ipify.org
  30    ipinfo.io
  31    ipinfo.io
  33    api.ipify.org
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  4656  msedge.exe
  4656  msedge.exe
  2980  msedge.exe
  2980  msedge.exe
  4752  identity_helper.exe
  4752  identity_helper.exe
  3744  msedge.exe
  3744  msedge.exe
  3744  msedge.exe
  3744  msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   Process
  2980  msedge.exe
  2980  msedge.exe
  2980  msedge.exe
  2980  msedge.exe
  2980  msedge.exe
  2980  msedge.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2980)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mubuenosaires.com.ar/
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 576)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ef9146f8,0x7ff8ef914708,0x7ff8ef914718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4656)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4004)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3976)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4988)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4764)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1528)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4752)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1704)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3896)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4960)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2908)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3744)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11530371414822137120,16678891061686905314,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4892 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 856)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2660)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index