b24de39de0678c69bf7fa48d1efc4fdb3cc44c194d3f199a0eeef5a72576af39

Analysis

max time kernel
128s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2023, 08:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b24de39de0678c69bf7fa48d1efc4fdb3cc44c194d3f199a0eeef5a72576af39.exe
Size

3.4MB
MD5

e32a809a7bd40262fa4ed5294dbf6f55
SHA1

87e9a09b1073da38f8509ceecdce051e96284ade
SHA256

b24de39de0678c69bf7fa48d1efc4fdb3cc44c194d3f199a0eeef5a72576af39
SHA512

4ea78e0bd8d13a818d0d6d9fb29fb2d1d7272de9dee0e7fe6a3538d942039d7c8ec864f8125f745a31c492be2628f332849e57274406042c3fb0aa91952239c9
SSDEEP

98304:J9BZ5CxThkZ7Y6IDX0yrNt+1MN2vsfEunH39hLGPCfIBUR:lCfGrIDQeWWNhxZR

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Installer.exe

Executes dropped EXE 2 IoCs

pid	Process
748	Installer.exe
4848	Traffmonetizer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Traffmonetizer = "C:\\Users\\Admin\\AppData\\Roaming\\Traffmonetizer\\app\\Traffmonetizer.exe"	Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe
748	Installer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	Installer.exe
Token: SeDebugPrivilege	4848	Traffmonetizer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4848	Traffmonetizer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4848	Traffmonetizer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1500	b24de39de0678c69bf7fa48d1efc4fdb3cc44c194d3f199a0eeef5a72576af39.exe
1500	b24de39de0678c69bf7fa48d1efc4fdb3cc44c194d3f199a0eeef5a72576af39.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 748	1500	b24de39de0678c69bf7fa48d1efc4fdb3cc44c194d3f199a0eeef5a72576af39.exe	85
PID 1500 wrote to memory of 748	1500	b24de39de0678c69bf7fa48d1efc4fdb3cc44c194d3f199a0eeef5a72576af39.exe	85
PID 748 wrote to memory of 4848	748	Installer.exe	89
PID 748 wrote to memory of 4848	748	Installer.exe	89

C:\Users\Admin\AppData\Local\Temp\b24de39de0678c69bf7fa48d1efc4fdb3cc44c194d3f199a0eeef5a72576af39.exe
"C:\Users\Admin\AppData\Local\Temp\b24de39de0678c69bf7fa48d1efc4fdb3cc44c194d3f199a0eeef5a72576af39.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  Installer.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Traffmonetizer.exe
    "C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Traffmonetizer.exe" /show
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
2.9MB

MD5
dcb050a81038862531cf2e23a095dbd0

SHA1
3340822daaacb341a036a062503db2691f652559

SHA256
3c49e41f4e9be499f026246d0f28a6ee6649ebb12d91ad7ef5a3932a21e5842c

SHA512
5a26a7ae54b08acd2024c16ea7e27a12f4bd5a047d6eef5bf944678faa4c2edc3ca9d6e251107793f908245123ab70d1c73296797cb0c1fb47a265fd4b591cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
2.9MB

MD5
dcb050a81038862531cf2e23a095dbd0

SHA1
3340822daaacb341a036a062503db2691f652559

SHA256
3c49e41f4e9be499f026246d0f28a6ee6649ebb12d91ad7ef5a3932a21e5842c

SHA512
5a26a7ae54b08acd2024c16ea7e27a12f4bd5a047d6eef5bf944678faa4c2edc3ca9d6e251107793f908245123ab70d1c73296797cb0c1fb47a265fd4b591cea

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Base.dll

Filesize
109KB

MD5
fd61805e8200204a2e0ec9b627ec8677

SHA1
05e47dbd066c5f50149b09429e751214907acf9c

SHA256
05aea02b7cc024c4aed04c7418894f4e287faf8ccb349bcf4dd4706d5df74dd2

SHA512
c8274dbd66084341fa678e57d6178ced11cd6e5db0c27b9c95063e554f672635d2e6fef2d0424be529a3096c15a73ce09d76c6e50efcb011137653928f21a566

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
20KB

MD5
1ee251645b8a54a116d6d06c83a2bd85

SHA1
5dbf1534ffbff016cc45559eb5eff3dc4252a522

SHA256
075ce79e84041137c78885b3738c1b5a03547d0ae2a79916e844196a9d0ec1db

SHA512
9f67fd0566eac2da4253d08697daab427e4e85780615d940f086a88424dcbb0563abae7e4824088e64ef7024c1bb3bbf324f2d07bc7ba55f79e4af3c9ea88e97

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Microsoft.Diagnostics.Runtime.dll

Filesize
490KB

MD5
5dfb71a97b10d00dea71f443fdfd732f

SHA1
c7d9b0f37bf40a4677e243a4d16454f3475853a2

SHA256
d9ecb8cd1ac822a14e65f7c7f5f3fcb262fa23fb7c721a59321bdb467bcbad14

SHA512
8e84b1d442e11a5b6c16efe0cd44bc0f27bfd141a7b812ce2e32b3cc0697d8f9b2155bb60ee48934b4a907c2abd181bdcafa5d7bf4ac4dec91120733428d6eba

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Collections.Immutable.dll

Filesize
184KB

MD5
c598080fa777d6e63dfd0370e97ec8f3

SHA1
9d1236dcfb3caa07278a6d4ec751798d67d73cc2

SHA256
646d3b52a4898078f46534727bdb06ff23b72523441458b9f49ecc315bf3ef5c

SHA512
8a5b4afb4363732008c97d53f13ee430401e4a17677af37123da035f15f9e9409a2aeb74ae238379291fd5de07c3cd4e3de2778da5edf83a42649fa5b281cb32

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Memory.dll

Filesize
137KB

MD5
6fb95a357a3f7e88ade5c1629e2801f8

SHA1
19bf79600b716523b5317b9a7b68760ae5d55741

SHA256
8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7

SHA512
293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Net.Http.dll

Filesize
193KB

MD5
665e355cbed5fe5f7bebc3cb23e68649

SHA1
1c2cefafba48ba7aaab746f660debd34f2f4b14c

SHA256
b5d20736f84f335ef4c918a5ba41c3a0d7189397c71b166ccc6c342427a94ece

SHA512
5300d39365e84a67010ae4c282d7e05172563119afb84dc1b0610217683c7d110803aef02945034a939262f6a7ecf629b52c0e93c1cd63d52ca7a3b3e607bb7d

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Numerics.Vectors.dll

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Runtime.CompilerServices.Unsafe.dll

Filesize
16KB

MD5
9a341540899dcc5630886f2d921be78f

SHA1
bab44612721c3dc91ac3d9dfca7c961a3a511508

SHA256
3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5

SHA512
066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Text.Encodings.Web.dll

Filesize
66KB

MD5
e8cdacfd2ef2f4b3d1a8e6d59b6e3027

SHA1
9a85d938d8430a73255a65ea002a7709c81a4cf3

SHA256
edf13ebf2d45152e26a16b947cd953aeb7a42602fa48e53fd7673934e5acea30

SHA512
ee1005270305b614236d68e427263b4b4528ad3842057670fad061867286815577ec7d3ed8176e6683d723f9f592abcbf28d24935ce8a34571ab7f1720e2ffc5

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Text.Json.dll

Filesize
347KB

MD5
38470ca21414a8827c24d8fe0438e84b

SHA1
1c394a150c5693c69f85403f201caa501594b7ab

SHA256
2c7435257690ac95dc03b45a236005124097f08519adf3134b1d1ece4190e64c

SHA512
079f7320cc2f3b97a5733725d3b13dff17b595465159daabca5a166d39777100e5a2d9af2a75989dfabdb2f29eac0710e16c3bb2660621344b7a63c5dbb87ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\System.ValueTuple.dll

Filesize
77KB

MD5
8c9424e37a28db7d70e7d52f0df33cf8

SHA1
81cd1acb53d493c54c8d56f379d790a901a355ac

SHA256
e4774aead2793f440e0ced6c097048423d118e0b6ed238c6fe5b456acb07817f

SHA512
cb6364c136f9d07191cf89ea2d3b89e08db0cd5911bf835c32ae81e4d51e0789ddc92d47e80b7ff7e24985890ed29a00b0a391834b43cf11db303cd980d834f4

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Traffmonetizer.exe

Filesize
680KB

MD5
90dcd050ed61796a43c6ebf3727f0837

SHA1
fdd234d03ee8d65592d36d638c37ad52e7816a13

SHA256
ba3d24bbab42a729f5b089a350c5ed2132fe67b52386709e03c3acb49d506810

SHA512
026de1cec908c9105a29834c9e52a24a5a24e7363d42c5ed3c3a384227f97e531381c9228bd5e9253724e09cf34afd95c7c3c3002deeec7ae4f53066af85b248

Download Submit
C:\Users\Admin\AppData\Roaming\Traffmonetizer\app\Traffmonetizer.exe.config

Filesize
18KB

MD5
e3f86e44d1997122912dd19c93b4cc51

SHA1
55a2abf767061a27d48fc5eda94ba8156add3e81

SHA256
8905f68562e02ca9c686f8bb6edde6643c94b2592240c6ed0d40ca380e69e62d

SHA512
314f97d7889d22d1086682c2abfcf0bcb753c2103a29127407392fa05dabb69f1528c7b8028aeac48e5fd7daf0fb1e4a367e6d83f7ca73bcea8e7c6e1d1b54d5

Download Submit
C:\Users\Admin\AppData\Roaming\traffmonetizer\app\Traffmonetizer.exe

Filesize
680KB

MD5
90dcd050ed61796a43c6ebf3727f0837

SHA1
fdd234d03ee8d65592d36d638c37ad52e7816a13

SHA256
ba3d24bbab42a729f5b089a350c5ed2132fe67b52386709e03c3acb49d506810

SHA512
026de1cec908c9105a29834c9e52a24a5a24e7363d42c5ed3c3a384227f97e531381c9228bd5e9253724e09cf34afd95c7c3c3002deeec7ae4f53066af85b248

Download Submit
C:\Users\Admin\AppData\Roaming\traffmonetizer\app\Traffmonetizer.exe

Filesize
680KB

MD5
90dcd050ed61796a43c6ebf3727f0837

SHA1
fdd234d03ee8d65592d36d638c37ad52e7816a13

SHA256
ba3d24bbab42a729f5b089a350c5ed2132fe67b52386709e03c3acb49d506810

SHA512
026de1cec908c9105a29834c9e52a24a5a24e7363d42c5ed3c3a384227f97e531381c9228bd5e9253724e09cf34afd95c7c3c3002deeec7ae4f53066af85b248

Download Submit
C:\Users\Admin\AppData\Roaming\traffmonetizer\settings.json

Filesize
97B

MD5
530393bfb491618278e3a6b2d2c386fe

SHA1
02f5d9a69415edf929474446b64074aae2b112d5

SHA256
0af9cb0f5729a2a5393fd17fb98b59408a7b37a1c4692712dd6bcf7cb94fdd0e

SHA512
6f5c764fd902903110703c679298befdff62b27763359549377b210d0dd927bcb36471031091ba9f2cea02d2c04c04c1b68f31bad46d7e6a13ae6b78ffe31040

Download Submit
memory/748-260-0x000002B1EBE50000-0x000002B1EBE6E000-memory.dmp

Filesize
120KB

Download
memory/748-259-0x000002B1EBE70000-0x000002B1EBEE6000-memory.dmp

Filesize
472KB

Download
memory/748-144-0x000002B1EBA50000-0x000002B1EBA62000-memory.dmp

Filesize
72KB

Download
memory/748-143-0x000002B1CEFA0000-0x000002B1CEFB0000-memory.dmp

Filesize
64KB

Download
memory/748-141-0x000002B1CEFA0000-0x000002B1CEFB0000-memory.dmp

Filesize
64KB

Download
memory/748-140-0x000002B1EBA70000-0x000002B1EBAAC000-memory.dmp

Filesize
240KB

Download
memory/748-139-0x000002B1EBA10000-0x000002B1EBA22000-memory.dmp

Filesize
72KB

Download
memory/748-138-0x000002B1CEFA0000-0x000002B1CEFB0000-memory.dmp

Filesize
64KB

Download
memory/748-137-0x000002B1CCDC0000-0x000002B1CD0A4000-memory.dmp

Filesize
2.9MB

Download
memory/4848-286-0x0000020111390000-0x000002011139A000-memory.dmp

Filesize
40KB

Download
memory/4848-292-0x000002012B5F0000-0x000002012B604000-memory.dmp

Filesize
80KB

Download
memory/4848-290-0x00000201113B0000-0x00000201113B8000-memory.dmp

Filesize
32KB

Download
memory/4848-294-0x000002012B610000-0x000002012B62E000-memory.dmp

Filesize
120KB

Download
memory/4848-297-0x000002012B5D0000-0x000002012B5DA000-memory.dmp

Filesize
40KB

Download
memory/4848-288-0x000002012B0A0000-0x000002012B0B6000-memory.dmp

Filesize
88KB

Download
memory/4848-284-0x000002012B0D0000-0x000002012B0F6000-memory.dmp

Filesize
152KB

Download
memory/4848-299-0x000002012B6C0000-0x000002012B6F2000-memory.dmp

Filesize
200KB

Download
memory/4848-281-0x000002012B120000-0x000002012B17A000-memory.dmp

Filesize
360KB

Download
memory/4848-300-0x000002012B5E0000-0x000002012B5EA000-memory.dmp

Filesize
40KB

Download
memory/4848-302-0x000002012B110000-0x000002012B120000-memory.dmp

Filesize
64KB

Download
memory/4848-303-0x000002012B110000-0x000002012B120000-memory.dmp

Filesize
64KB

Download
memory/4848-304-0x000002012B110000-0x000002012B120000-memory.dmp

Filesize
64KB

Download
memory/4848-305-0x000002012B110000-0x000002012B120000-memory.dmp

Filesize
64KB

Download
memory/4848-306-0x000002012B110000-0x000002012B120000-memory.dmp

Filesize
64KB

Download
memory/4848-307-0x000002012B110000-0x000002012B120000-memory.dmp

Filesize
64KB

Download
memory/4848-278-0x0000020111350000-0x000002011136E000-memory.dmp

Filesize
120KB

Download
memory/4848-309-0x000002012C1D0000-0x000002012C24E000-memory.dmp

Filesize
504KB

Download
memory/4848-311-0x000002012C190000-0x000002012C1C2000-memory.dmp

Filesize
200KB

Download
memory/4848-276-0x000002010F660000-0x000002010F70C000-memory.dmp

Filesize
688KB

Download