hxxps://data[.]traffmonetizer[.]com/downloads/Installer[.]exe

Analysis

max time kernel
585s
max time network
484s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
27/09/2024, 10:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://data.traffmonetizer.com/downloads/Installer.exe

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 324953.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
4796	msedge.exe
4796	msedge.exe
652	msedge.exe
652	msedge.exe
4024	identity_helper.exe
4024	identity_helper.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3376	4796	msedge.exe	78
PID 4796 wrote to memory of 3376	4796	msedge.exe	78
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2808	4796	msedge.exe	79
PID 4796 wrote to memory of 2840	4796	msedge.exe	80
PID 4796 wrote to memory of 2840	4796	msedge.exe	80
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81
PID 4796 wrote to memory of 4012	4796	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://data.traffmonetizer.com/downloads/Installer.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa49bd3cb8,0x7ffa49bd3cc8,0x7ffa49bd3cd8
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,8352162042550584231,9124194823044741220,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4612 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0487ced0fdfd8d7a8e717211fcd7d709

SHA1
598605311b8ef24b0a2ba2ccfedeecabe7fec901

SHA256
76693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571

SHA512
16e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5578283903c07cc737a43625e2cbb093

SHA1
f438ad2bef7125e928fcde43082a20457f5df159

SHA256
7268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2

SHA512
3b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
191B

MD5
2e505dfb27a6e110b4f9cf2269c2ef77

SHA1
0cddb29e646f426fb44906c09cd826e629beaba0

SHA256
2e21cf766eaff64c03cdf0c5aa0208737bee03f3a607aa5b03aed601deb4e8bc

SHA512
53e317780d370141bc5ba84f2b39c06afece2be1ba83aaebe0bf82f0e970ce9cf1c5cc65d83acdfad7a87eb1702f5495ec578f159435c952bac5de0077a34d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
89f66ea9c9e61acc04f7f37b1f7847ff

SHA1
423072d5109a550aebdc17d104addea8a671e6de

SHA256
de4ecb877212cfbbf10867dfed5c8174364691a0907ca960ae7c3c8b306aec6a

SHA512
98deb8e72c691e37b90eeafa0600733f6199e71e9252e355a7619afab76f9ad8cde6b9f1c4a10b53ef1d0798b9f4e6755b1710bdde4a686092f40fb448dc661b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6702b0ceb35dacc677490023165bae60

SHA1
d60f28a7f8f4ce51cc3794ed50a76d45dbc3e7e7

SHA256
df833b23f013d502b068ddbb34a4f1086cc36640bdc6b161cfd164c01441d083

SHA512
b7a10eeea9de81536965e76138b4e373727caa6528026bbe4fe8e79729473a62788d1afdb00988a3f39f1995c963df14dc01f27b3aca88147a9fd389e0f9249d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6288cfc4c2c9b054a35581c5896cd6d5

SHA1
cd09652adae2b12d9e1f60feb93173403f84f924

SHA256
d32f486365c02378483ea8551afa662b368ac90921488610a4de5f770c0235d1

SHA512
7ea8d7af19eeac6eecabfb1958a2a840570183cfe834e2cefb801870c716daf305656759bc2c4427bc6121d89b8052240b2fdaa75cdf052bb5332c3a9d1981b6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 324953.crdownload

Filesize
2.9MB

MD5
5d35163029a29a28387bd696293ac3b7

SHA1
3775491d5ee3ef728bf3ad703239f8cf99969f95

SHA256
583d04b8bbc236de13ea34e48c8f7ccd0d24e8e4c96e801f3c913277a26ff9e0

SHA512
b689ddb10b5baa538941c0fb00de55f961a89fe979f75817fb18f07173ec1fc54936587f1b322261d11878477cf5b920de6dc026eaac0534f21f3b6e5f7c31c6

Download Submit