Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

2e5e90cef2...6c.exe

windows7-x64

7

2e5e90cef2...6c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    154s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2023, 08:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e5e90cef27a4c329da342d770e4a373ef3c34c0daf2ef95663b57ae021c336c.exe

  • Size

    3.4MB

  • MD5

    f5f581d47c4a59feac8dace6a3265d79

  • SHA1

    42f8eb572fd2498afd9e555ba742584cba3d7bfe

  • SHA256

    2e5e90cef27a4c329da342d770e4a373ef3c34c0daf2ef95663b57ae021c336c

  • SHA512

    bf48f0a7cd1c79759e26b4730bf7b438098db4c8976e1a4586b68addd8cc7f6f4ae471dfd932f683b5062902fedb5d46a6bfa5e0cb87a9922fb5a3e389939402

  • SSDEEP

    98304:J9BZ5CxThkZ7Y6IDX0yrNt+1MN2vsfEunH39hLGPCfIBU/:lCfGrIDQeWWNhxZ/

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e5e90cef27a4c329da342d770e4a373ef3c34c0daf2ef95663b57ae021c336c.exe
    "C:\Users\Admin\AppData\Local\Temp\2e5e90cef27a4c329da342d770e4a373ef3c34c0daf2ef95663b57ae021c336c.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Local\Temp\Installer.exe
      Installer.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Traffmonetizer.exe
        "C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Traffmonetizer.exe" /show
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4196

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    Filesize

    2.9MB

    MD5

    dcb050a81038862531cf2e23a095dbd0

    SHA1

    3340822daaacb341a036a062503db2691f652559

    SHA256

    3c49e41f4e9be499f026246d0f28a6ee6649ebb12d91ad7ef5a3932a21e5842c

    SHA512

    5a26a7ae54b08acd2024c16ea7e27a12f4bd5a047d6eef5bf944678faa4c2edc3ca9d6e251107793f908245123ab70d1c73296797cb0c1fb47a265fd4b591cea

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    Filesize

    2.9MB

    MD5

    dcb050a81038862531cf2e23a095dbd0

    SHA1

    3340822daaacb341a036a062503db2691f652559

    SHA256

    3c49e41f4e9be499f026246d0f28a6ee6649ebb12d91ad7ef5a3932a21e5842c

    SHA512

    5a26a7ae54b08acd2024c16ea7e27a12f4bd5a047d6eef5bf944678faa4c2edc3ca9d6e251107793f908245123ab70d1c73296797cb0c1fb47a265fd4b591cea

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Base.dll
    Filesize

    109KB

    MD5

    fd61805e8200204a2e0ec9b627ec8677

    SHA1

    05e47dbd066c5f50149b09429e751214907acf9c

    SHA256

    05aea02b7cc024c4aed04c7418894f4e287faf8ccb349bcf4dd4706d5df74dd2

    SHA512

    c8274dbd66084341fa678e57d6178ced11cd6e5db0c27b9c95063e554f672635d2e6fef2d0424be529a3096c15a73ce09d76c6e50efcb011137653928f21a566

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Microsoft.Bcl.AsyncInterfaces.dll
    Filesize

    20KB

    MD5

    1ee251645b8a54a116d6d06c83a2bd85

    SHA1

    5dbf1534ffbff016cc45559eb5eff3dc4252a522

    SHA256

    075ce79e84041137c78885b3738c1b5a03547d0ae2a79916e844196a9d0ec1db

    SHA512

    9f67fd0566eac2da4253d08697daab427e4e85780615d940f086a88424dcbb0563abae7e4824088e64ef7024c1bb3bbf324f2d07bc7ba55f79e4af3c9ea88e97

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Microsoft.Diagnostics.Runtime.dll
    Filesize

    490KB

    MD5

    5dfb71a97b10d00dea71f443fdfd732f

    SHA1

    c7d9b0f37bf40a4677e243a4d16454f3475853a2

    SHA256

    d9ecb8cd1ac822a14e65f7c7f5f3fcb262fa23fb7c721a59321bdb467bcbad14

    SHA512

    8e84b1d442e11a5b6c16efe0cd44bc0f27bfd141a7b812ce2e32b3cc0697d8f9b2155bb60ee48934b4a907c2abd181bdcafa5d7bf4ac4dec91120733428d6eba

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Buffers.dll
    Filesize

    20KB

    MD5

    ecdfe8ede869d2ccc6bf99981ea96400

    SHA1

    2f410a0396bc148ed533ad49b6415fb58dd4d641

    SHA256

    accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

    SHA512

    5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Collections.Immutable.dll
    Filesize

    184KB

    MD5

    c598080fa777d6e63dfd0370e97ec8f3

    SHA1

    9d1236dcfb3caa07278a6d4ec751798d67d73cc2

    SHA256

    646d3b52a4898078f46534727bdb06ff23b72523441458b9f49ecc315bf3ef5c

    SHA512

    8a5b4afb4363732008c97d53f13ee430401e4a17677af37123da035f15f9e9409a2aeb74ae238379291fd5de07c3cd4e3de2778da5edf83a42649fa5b281cb32

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Memory.dll
    Filesize

    137KB

    MD5

    6fb95a357a3f7e88ade5c1629e2801f8

    SHA1

    19bf79600b716523b5317b9a7b68760ae5d55741

    SHA256

    8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7

    SHA512

    293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Net.Http.dll
    Filesize

    193KB

    MD5

    665e355cbed5fe5f7bebc3cb23e68649

    SHA1

    1c2cefafba48ba7aaab746f660debd34f2f4b14c

    SHA256

    b5d20736f84f335ef4c918a5ba41c3a0d7189397c71b166ccc6c342427a94ece

    SHA512

    5300d39365e84a67010ae4c282d7e05172563119afb84dc1b0610217683c7d110803aef02945034a939262f6a7ecf629b52c0e93c1cd63d52ca7a3b3e607bb7d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Numerics.Vectors.dll
    Filesize

    113KB

    MD5

    aaa2cbf14e06e9d3586d8a4ed455db33

    SHA1

    3d216458740ad5cb05bc5f7c3491cde44a1e5df0

    SHA256

    1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

    SHA512

    0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Runtime.CompilerServices.Unsafe.dll
    Filesize

    16KB

    MD5

    9a341540899dcc5630886f2d921be78f

    SHA1

    bab44612721c3dc91ac3d9dfca7c961a3a511508

    SHA256

    3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5

    SHA512

    066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Text.Encodings.Web.dll
    Filesize

    66KB

    MD5

    e8cdacfd2ef2f4b3d1a8e6d59b6e3027

    SHA1

    9a85d938d8430a73255a65ea002a7709c81a4cf3

    SHA256

    edf13ebf2d45152e26a16b947cd953aeb7a42602fa48e53fd7673934e5acea30

    SHA512

    ee1005270305b614236d68e427263b4b4528ad3842057670fad061867286815577ec7d3ed8176e6683d723f9f592abcbf28d24935ce8a34571ab7f1720e2ffc5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Text.Json.dll
    Filesize

    347KB

    MD5

    38470ca21414a8827c24d8fe0438e84b

    SHA1

    1c394a150c5693c69f85403f201caa501594b7ab

    SHA256

    2c7435257690ac95dc03b45a236005124097f08519adf3134b1d1ece4190e64c

    SHA512

    079f7320cc2f3b97a5733725d3b13dff17b595465159daabca5a166d39777100e5a2d9af2a75989dfabdb2f29eac0710e16c3bb2660621344b7a63c5dbb87ef8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Threading.Tasks.Extensions.dll
    Filesize

    25KB

    MD5

    e1e9d7d46e5cd9525c5927dc98d9ecc7

    SHA1

    2242627282f9e07e37b274ea36fac2d3cd9c9110

    SHA256

    4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

    SHA512

    da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.ValueTuple.dll
    Filesize

    77KB

    MD5

    8c9424e37a28db7d70e7d52f0df33cf8

    SHA1

    81cd1acb53d493c54c8d56f379d790a901a355ac

    SHA256

    e4774aead2793f440e0ced6c097048423d118e0b6ed238c6fe5b456acb07817f

    SHA512

    cb6364c136f9d07191cf89ea2d3b89e08db0cd5911bf835c32ae81e4d51e0789ddc92d47e80b7ff7e24985890ed29a00b0a391834b43cf11db303cd980d834f4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Traffmonetizer.exe
    Filesize

    680KB

    MD5

    90dcd050ed61796a43c6ebf3727f0837

    SHA1

    fdd234d03ee8d65592d36d638c37ad52e7816a13

    SHA256

    ba3d24bbab42a729f5b089a350c5ed2132fe67b52386709e03c3acb49d506810

    SHA512

    026de1cec908c9105a29834c9e52a24a5a24e7363d42c5ed3c3a384227f97e531381c9228bd5e9253724e09cf34afd95c7c3c3002deeec7ae4f53066af85b248

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Traffmonetizer.exe.config
    Filesize

    18KB

    MD5

    e3f86e44d1997122912dd19c93b4cc51

    SHA1

    55a2abf767061a27d48fc5eda94ba8156add3e81

    SHA256

    8905f68562e02ca9c686f8bb6edde6643c94b2592240c6ed0d40ca380e69e62d

    SHA512

    314f97d7889d22d1086682c2abfcf0bcb753c2103a29127407392fa05dabb69f1528c7b8028aeac48e5fd7daf0fb1e4a367e6d83f7ca73bcea8e7c6e1d1b54d5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\traffmonetizer\app\Traffmonetizer.exe
    Filesize

    680KB

    MD5

    90dcd050ed61796a43c6ebf3727f0837

    SHA1

    fdd234d03ee8d65592d36d638c37ad52e7816a13

    SHA256

    ba3d24bbab42a729f5b089a350c5ed2132fe67b52386709e03c3acb49d506810

    SHA512

    026de1cec908c9105a29834c9e52a24a5a24e7363d42c5ed3c3a384227f97e531381c9228bd5e9253724e09cf34afd95c7c3c3002deeec7ae4f53066af85b248

    Download Submit

  • C:\Users\Admin\AppData\Roaming\traffmonetizer\app\Traffmonetizer.exe
    Filesize

    680KB

    MD5

    90dcd050ed61796a43c6ebf3727f0837

    SHA1

    fdd234d03ee8d65592d36d638c37ad52e7816a13

    SHA256

    ba3d24bbab42a729f5b089a350c5ed2132fe67b52386709e03c3acb49d506810

    SHA512

    026de1cec908c9105a29834c9e52a24a5a24e7363d42c5ed3c3a384227f97e531381c9228bd5e9253724e09cf34afd95c7c3c3002deeec7ae4f53066af85b248

    Download Submit

  • C:\Users\Admin\AppData\Roaming\traffmonetizer\settings.json
    Filesize

    97B

    MD5

    530393bfb491618278e3a6b2d2c386fe

    SHA1

    02f5d9a69415edf929474446b64074aae2b112d5

    SHA256

    0af9cb0f5729a2a5393fd17fb98b59408a7b37a1c4692712dd6bcf7cb94fdd0e

    SHA512

    6f5c764fd902903110703c679298befdff62b27763359549377b210d0dd927bcb36471031091ba9f2cea02d2c04c04c1b68f31bad46d7e6a13ae6b78ffe31040

    Download Submit

  • memory/452-141-0x0000026653040000-0x0000026653052000-memory.dmp

    Filesize

    72KB

    Download

  • memory/452-144-0x0000026653420000-0x0000026653432000-memory.dmp

    Filesize

    72KB

    Download

  • memory/452-137-0x0000026634D80000-0x0000026635064000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/452-138-0x0000026635470000-0x0000026635480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/452-139-0x0000026635470000-0x0000026635480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/452-140-0x0000026635470000-0x0000026635480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/452-260-0x0000026653490000-0x00000266534AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/452-259-0x00000266534C0000-0x0000026653536000-memory.dmp

    Filesize

    472KB

    Download

  • memory/452-142-0x00000266530A0000-0x00000266530DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4196-302-0x00000169AC1F0000-0x00000169AC200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4196-288-0x00000169AC200000-0x00000169AC216000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4196-290-0x0000016991520000-0x0000016991528000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4196-294-0x00000169AC340000-0x00000169AC35E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4196-281-0x00000169AC190000-0x00000169AC1EA000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4196-278-0x00000169914A0000-0x00000169914BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4196-286-0x00000169914C0000-0x00000169914CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4196-297-0x00000169AC3F0000-0x00000169AC422000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4196-300-0x00000169AC3C0000-0x00000169AC3CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4196-292-0x00000169AC220000-0x00000169AC234000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4196-298-0x00000169AC3B0000-0x00000169AC3BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4196-303-0x00000169AC1F0000-0x00000169AC200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4196-304-0x00000169AC1F0000-0x00000169AC200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4196-305-0x00000169AC1F0000-0x00000169AC200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4196-306-0x00000169AC1F0000-0x00000169AC200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4196-307-0x00000169AC1F0000-0x00000169AC200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4196-276-0x0000016991080000-0x000001699112C000-memory.dmp

    Filesize

    688KB

    Download

  • memory/4196-310-0x00000169AFAD0000-0x00000169AFB4E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/4196-312-0x00000169AD130000-0x00000169AD162000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4196-284-0x00000169AC160000-0x00000169AC186000-memory.dmp

    Filesize

    152KB

    Download