hxxps://ankltrafficexit[.]xyz/trafficexit

Analysis

max time kernel
512s
max time network
502s
platform
windows7_x64
resource
win7-jp
submitted
10-09-2021 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ankltrafficexit.xyz/trafficexit
Sample

210910-a7538ahad4

Score

6^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

756 1596 WerFault.exe IEXPLORE.EXE

pid	pid_target	process	target process
756	1596	WerFault.exe	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000d61104742a6f147f4a6baea44b15318347ed94c1cb7d3710337ca8f3da57fff8000000000e8000000002000020000000ecf05102df94db2fa0dd14c19fb503fcde3da4021d9e2c89f1b37dc1326e7366e0040000819a5654891fcc5f7f0a0c0366662dc50b7c58d76fe173fd5b5d3635f4e7f90503053871e32696cb3d2394e127095e343cdd6ce5b31f0be9ed3f55e32c4e6d6559472014dddef40abaa735e525c36c1802852b7c456a062e2591debcccd4a82255ee31449ed30e573e7e846d211e1cfc776d10737927b113f9feaea5e6e455e685047b64e16a4595b0ca0bb444f91380f0e3618680bf4b08d32ee2d7b20095023e5b67aefd2747e879a9e9b2228adb6721fe4877743ff4ed461397ca5bb0893181240461b135456e418a679375b6e365fa22a999b850b76bda662dfd027eb75fa76a16f8ebf8caba074f4e43c897067c579f58e094f39e3fbe720931b19a34195ab4fa00890fe33d382d9d18e2de6f6691c24334332505d2cf359946d43ae3de4ae5dfa100c375656f16bd105b0e26bf90760096705f670b0659263e3d9d2e7bb33aeb73a0c3fa21e0a00a736b2367cf7f20ddebf8270ae03795ddf8ee482bbe3732eecae68a726f98784c4e25e1d06c44817427a4299eb7fb6e58cdf824e13fd6f4dee8cbadf5bf566545227b20c5bf70e3189f8a442de08069447c0e21df929f5e1c15eca9d97b5b100767910951c4856f5752ad9e676c54d2f7c9e35bf593fe8e34fcbf925368ab1ffd59d54f2f11b66ce4de8d17df55d864a5bfe64e3593eae913dd614a2d961798c74de52d2ee31d83197f4250c29360d9619a44a0f8ecad18b542ef17019c13756ae574f77ccfd975e99b8b14fc6ce9ae9d719d4b504fa99905e63488ce3d86999bf7c6d30a10100c2f07345f840799c75ec9df584fbb609afdd591016422098ed70ff390fa524a87cb4c7889340c76063e0f0ac56242a6d09dee4cb7da2b7fa865215c9efb455bda6e89f86d760b27ff1402498a28f310986388cf58a7207958554dc07034a64318b6fddceba346dc6cc7d0a73d46df1abb727c5d65614ae6de1f326619090624c922a0214fe22c7f098be428e13d41177e7608f9bbe62097e1ddd5e34393de423e98bfc99ca373f8b33ecac5a2aba22af5fee5e1c9cbb7a4f70ae51f51a4c0cbfae9afb1c5066b6694c0a12a261b7b495e40feb974daf86a7e82a8fc8af0407a8c4eba00d0da8348a91879cdf549d7707ef502ed5650950563416542fca89a00464bb45c5624ed395a0f1d6a57c4edd371c06d18600f1e6fcd94396b390b25a0e48d9c73ba5f34c1b2a441a9dd1ca6ec4f2b51acdfc9a1ffd0239f06224938760efb1ed12049ff56e6aea456b1caae7aa36c0d8e20b2a4735789191fa9fbaee802ca4c057b76029061d5af9037ef43c252ddd634d9778becb4e08ce1f7b2c0b3c5275b55eb52f6262189170b056e46ad1d6c7a9b130b15ae4b66f3f29100cdd605e36161a19926a4900afa580d75579500841def491b0bf2834ca69319578a181ef06e66b4e1d5ad9fc65884cb92224fb0f1a8d20a5eee4d13b95f4abb2863b5229f8704e2ae8640b2117a79a5c2827f4cc780228fd6d6e4e69c0350c40889b1eb7f0ef91d36a7d5f7da879030f5bafaa173bbf24e256cf45c6bcdb091de606a3ecd237903dae4c81d19e74fdb5bb30ba8d3995e638b93a879342da4b3fc86ed33a910e339440891b7fc8c90dee544dcc8a90bc1e2a36ae9a4b4d3dee68ca1b43d2d527f91a632ddd8f8ce32a0836e36c38e67fe87a6ce0d7ffcdbd045c051df704e717e6b5b8bc791a8b9d64540b19c5a602f6e919818c88bb10a0b3b6996dad7294ee898a73d0621dc11278ceb3d40000000723f6a87f72a75b1393e9594779c5f831709e19f5eac2134b688978b614e7770fe9caa2e75a9e9443715c0e3c14d604fcb41544668d59fecd86dc3eb73f464ea	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ja-JP = "ja-JP.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1616601-11D1-11EC-BBAD-FE4AFC315D7E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca000000000200000000001066000000010000200000008dee9e7bbde9b35781de78a25ee6f7e5ed995ff21dae4565b81c3ac6ac9a2992000000000e8000000002000020000000c61d46c77937c1485eac06a18be6ceb87b63b48dcb559440f37bd8b899e3985e9000000075cb71fd55fb4aeee3a43d94087c9bb2d048a1bdff4d0eb77c7ceff3f5f90279a6cad0a7dd06ce31772de4d5834078e570a7791a5a4020a25dbd0e8606e22dec58aed9a3b2cd204cac685b45b6f9d736430ed647f7def71fe8a55261e3338fa45b0b70b300dcc78eb7f4d017e8103c182ba325f81961d00662b9e25bcf6736e279e797c4550e77a98e2282b48fceb21640000000f29011653d46524b9b09babfed1ceb3f2edcd112cc76da111cdb865c2e930de34e312d6b4d2a35bdd5f8204ab17d6b8eb015d464a5119447ef9e450f4290b092	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5018edb0dea5d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000a66ee75673a2b63f66384cb7c9961071bfd753d7c85a69fdcae717e0c1b9270f000000000e8000000002000020000000dafcff00697cf6276cbd8e53a6aa3734b64609b86ac3e46dff2f4a2076940dd8e00400005f9fb0f4e3baae6bd121337fb6e47c51f0da95ed9436f29ecdd2e870bcf37bd8709854ec2824a177482390b98905642c32517807b0693030178e03c609567521cc4d1145c194e900d2c4a3658f69c52c3ae6e69c31fb0d29bfe0dbc731547b8b28de6f25a85285d25ef98937b8943c5cf604e23fd631b43c09ef68ac21a500576885a14c5629c7459210765431ac1ab599c7eb3d54e214335d8ab276efdb6b3b43bbb5f3b9c5f5f415b88468eb043a28f41c5f9a1a5ec2388c92242aa7199bee0f1835bbe7d938d5c9ae628dbb068392a666a9918ced70dcb1a01df73958c939c0b20f25423a13fa2c97902c40d0f0213b2157b22f3c8bb716c60df3f3d7cf6ce8577a89aa3a41ecc7a7b149a343ddf7c4a1ea8534aa360c16ff15b5f1f7238966e638fd4ffb26e80dc7e9381c104032bee9a82b53f3ace1bbdc677f87256134099252ef1bdb5c4f698d16be06727acad3f119401c5e234d56c27d54bb4d4fefd0962be0e19fabf838440cf590d5428dc9c50ecb6715caa656660aaff32ab68ae7279e9598803f3e845052583c87f6d4af20842b4ac5b4a1221e71e743313b97ae9cedcaa7c7ac0b6824e210d6bd20f3658c223b2e724c2a6325613d69be8773016c5d658d8ae3ff98ae2a266b7f42846680b081a18485ce8c730a2bb33a5cdcc4eb077fddb5651d8fd16f13352967259af52b333dc16ad5a5c5d7bbc60536a9bf792c428543dab738ead309fd53786912e24c6583e61d0477f4b376bc8206689f2d8b2202a38717ea1f1fe0ad55dcfffc7a9a2f31513879b0d7b886b79255648ade831d0721460f138df26adf744433657e98ff711403add9a5f90542b41802b434c7712d8c988897013d2fe7a30ae6f2a4d9e3008570c3564ef62f57c8bb326f9faea504f1911603a31db2a2853f26d43c34a79483af69cdc4caf841b250579905cc710027afb512d118b127f546f23433591be94f7c0c94d3f85f34187dd78974bda19f7fb57f489593c0011cb2b50653c032353ac30030489f08557605a61928020c8a37372cf9c648bbd27b6f59c60a0e14f6cd3dfa0419a1b03f4b96f1be3783a42baf17c6465a909f1376533743b42ff4eaa317faf40ac11febaed030c397552e853c9f0c96f45d9012acd8093219e6c1577c8b19a03d614b27f0815546c4cb6c151f20f5d742317b18afdf84f81b323b3003f353be17991a9d4e262fa415c93cce5e204051337a7e9f9dfdd59f7ad10a98ee7c67946b4072ce6043907ebda15745499f1683478bd439c555bc18277a4e70e272b2ae28c6d9616f9e7f24fbc2bf2d656d3392ca4a57d74b63bf881f3bab305f1dbab307ae5a67b269a4d40a57dce165b73bdc82db4df122dfbbfa6e8bd6f5a85c6d921578708b5256bb4bd3d2681042b179a770c85ec64fe6be0e52208d5058073bd7f0b0c736efab29436b127c257cbb062dd1f98685100cc061378dd74202fb9c99ce3eb78a88f5860d4f8d48d6b6c520c23c72caaa7efbaebb3b9dca1286f1f76fcdeb87136414164b563a3ce854d47162db4c617a580a243ae82df7c4dff1312d922287c54de4a09635556db41ddca31057c7c0ed897d7c4416c843f73f64df2c3453e05b61977e9a3a0f6f531c135b39b7d5c06f9b3a143325b5d7b09c384a3337496b47150f13a311ff1cc0ae5a79a731172f6af812af8a7541106a90d507343e8c486032565603020d1b2973d768b6b3ca47dae935fa53551ec569b9a8cd95b3dd7c78a41fab400000004d33e4858b5a65f64d3ff807e44c29727104ede6b789b4a8e2b3d6c6ee3d9749252a706522e7531c987e4d736c56426398bb7409572b2849a15c8455f94af9fc	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000eb665e3e6838be2e9d9ec3d4dd735b5d930bcc41f69ba213b9a9fc99072e2cc7000000000e800000000200002000000080256dd3104a479aa11618891bcc7fc82ed227fc7d3c36a2ff13414aa27e6c3ce004000089b04ba3734785cdd7540624e3ba73d36be03dda25f56b872e4b59288e9859444d95826212780bbdd5295f962bbb59affa817fc9bca851207a3d732567d3d5fbbf4ff8b6015afce30384b912e68b5ed6ebf7a5c042242d7c99bb6fbf771cef8192aa636e04c04a60a7fca4e063b9e03d139f8cd404852322c307f4f0ae1c342594dfca693ca35f1d69e124b249b2c383aaf428557398e518c72d53e7032073032738ed97e2121a43d0b8ec6d08c2d9a72340376e946d849c380abbfaec02c12740602ba5e548660f6476801e0c938ee9163430684e79604df1b785ce0be2677bbf37a756bd8bf23a2a23947c0bfd2819d0f920a32598489b1d4e13295b4b7fc8415fccbffef2add9f8ccdcfd69c5d386e1bd1a5107961d170b165190d7864aea116208f6f68d5efb22012f98f77d97b6e41045f755fb09cfb39c50ff28c4d08f652d2070cc91bb8965c0b6004ff238bc2d2a8a4c76cacc01039aa8c318e2665b75844b2381f3ee5691da008e1471beec01285ab76122a35c0813b744852ee27178904c6937c8bd0362f888c0b9633637fab9f02638325800a544bb9075629ef3b6ab3e70ebb9d87860311376b11e9a1ecb61e7f1ac43bd49968d6725cd6c3c045cab7125923c310295e4fa6c315b7d5255281e657355d899585d7318c1a50aebb33f656e18c587f706599c357689136992b2216ec664265632473485c7ec864540ff9a37f9fdcf37bad52a12c2f4ce852e7542f218a40ac8d482d5d85bc42180cb25fe605059511282430e61e1bf89c591b64ae0d34d2f74bf6624bce2bfbe9ca1a0a98e69c5684e4590997e5251c71a3d8ec42c7045e5cfc3aec39a803cb3082d3e4d8598f813e1e366b41a33f021a02f0e6e3475cc31288ade5af0a2ed295fbb887f6678defcd72e0fdd3c8ac2a9a2b6daeae7d8dd042c7f2203ac6e4c35b2a37fba210e79c126ea0c6c9ee816daa837ce48b2fc86627a37b4e735bb9a2d3231310670e0a163aea238b08f97de249fbd7aab66e7a0e16ddf663349133e226b776c0c75de0ee780c415fd32a94051cb0f0dc134f0708e2095ea18e6665ac6e4abf24de7d36d359f491e6e0103c0a926436123f7e837b54f32c4334534935f5c55bd4ea28f72864bbebfb5f59fda34a33d2c1cd90e335463721ed5842ed74ec669ea7f947de87249d0586ce91215e687c191315cacb8c76263feeb257ffec5853f0e126fc909ce7cb369a5423f375703eabab385df737286529ec4428a44bb30b69969aab5d24f918e2a98039d0d0e387dae89f8adc2af91f8a669847360bd01cb0591d0a382ee477836b6573de71571514a886024183f96f764f001efd263f2d50071392945a9bf6414b9db4719691c46fa6ca68df906b1cb6bfac581f35daf36b35e357429560f84106b8dd494c0669b2c5793009dfb7ac2a051d4091b742d155da109a590f079298ff6f5fe59b9b70cc777263d5b87eca45fb9a3028ad5466672b86d150e5d836a03634e47b884542d0d56b67a02e0235762993f1957debb5c7e12d4dbc0d9463d0a1370d2ed69d3fadf0fc48cdf5297d744b57413a800637d9f79446134a32372d4d4e723b7c298348acbf4955ac4e490da79bddaaba57e671e6daad862bbf937bb31b8d84751748e1e97d5446292241ac99f7f713545a0bdbabaca032953b60bc1749c92922d4cfef0d98d60f64b38e73fbe135bfae2e88faae54102ca671fb8f84800ad9060ea193ba5fc0e6a970dea19e67cc495f916400000007bbb34dee99efcb25ad22b0e645028eaec42508c3f5883f3849f6eb39210150dcf01a6c7fd3ee9995a3cf3a410f4c8ed7f9394449b0a9e3360f3511272ff1df6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000d5022a1e89b4da220fcab564407fc74d679159ddd6dba897da2855a3bc51bf21000000000e8000000002000020000000c4c7936488861ddf925bd44d11336d9be579f1db62c9b5066ff978535614606520000000950190cb8d3ac4a6a9f2b341532de808ae6ace56ef25fcf6e13dcd9db7f665fa400000000da2cc652fd70033f72aae8020066f08a6033380830a596037e57734d04bea9f0b83929268195d8a49fbda758860ad1b302441b1196fc8959648baeebff62eaf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338000344"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

756 WerFault.exe
756 WerFault.exe
756 WerFault.exe
756 WerFault.exe
756 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 756 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1996 iexplore.exe

pid	process
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe
756	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	756	WerFault.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1996	iexplore.exe
1996	iexplore.exe
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
816	IEXPLORE.EXE
816	IEXPLORE.EXE
816	IEXPLORE.EXE
816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1996 wrote to memory of 1836	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1836	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1836	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1836	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1084	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1084	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1084	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1084	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 932	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 932	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 932	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 932	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1596	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1596	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1596	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1596	1996	iexplore.exe	IEXPLORE.EXE
PID 1596 wrote to memory of 756	1596	IEXPLORE.EXE	WerFault.exe
PID 1596 wrote to memory of 756	1596	IEXPLORE.EXE	WerFault.exe
PID 1596 wrote to memory of 756	1596	IEXPLORE.EXE	WerFault.exe
PID 1596 wrote to memory of 756	1596	IEXPLORE.EXE	WerFault.exe
PID 1996 wrote to memory of 816	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 816	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 816	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 816	1996	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://ankltrafficexit.xyz/trafficexit
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:340994 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:406545 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:932

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275502 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1588
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:472112 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
d28b560d6a44fe579394b74f21b6c5e6

SHA1
27a1172e5e510cc8cf7f860d9969d8a05bf431f0

SHA256
33d19a86f1a44b14b50a49b4b7b7679a42727a2327a7f18a7f7c8962ade8138a

SHA512
4e85e399291b618f1965661d482b9a960621ff780bc81fdde89fbe209bb5b33185db3cc5f9f2a2b38ff7b3ce5a5fdd2f580cfe845e9bc0e77cc144c25e51dab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6V0SSI7A\08YGC3FU.htm
MD5
c01cf3c05b856ef9f4c2e974affe611d

SHA1
fae63860d833c4d55f21d69a00517eee5799ed73

SHA256
79b4a423e05815dd4ab12c6bf84f8f8d313168e1c96aea2ca580052828b4300e

SHA512
e9de07c5f16566f06e6b3e6814737400f29dc24b3d4e62ee76e4f96450df9fa07ac1598bc61f971a7f0e1ea180d723486fed9db6693dfe142ae95df8afca6e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6V0SSI7A\6XPOT9WC.htm
MD5
d89d81f2c214de86e812bb6b7a093c19

SHA1
442d828829e93ce7b6f1f7bf08416a9a9bafe3fc

SHA256
7e6b51fa0cc2ff5eb9d0e897ff544946c2e12d6e9d1b3dc6a6c68fd982e6fc27

SHA512
a59415ccc7e7f1d9e65678604b91bbd6468cb4f0db34d262767e8428b9d7c488df51b3ca9bcc70c8410bf2f1c65cfc866c1ed617ba7064483c7bb5e87fab94c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LX9K6CVY\FLVCSMWY.htm
MD5
67d8c64d9e089a179f4055fabc8cebc8

SHA1
5bf76d9433d1beb09478603c6bdaecc042265d51

SHA256
dd7c76485a49891cd80155022f0efb074b74eeb2288a1d0c575713ac183fb05d

SHA512
552cb95fed57be7c18f3947782e4fafce8f431db05393f22a38621626fe7c62f546d34e1729adfbecdefd9bbbbf3b576a7142661da73f0fc7fa0715f3191b9ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7IKPRCHW.txt
MD5
9a6f276815c1d628154f60c2a43bffe8

SHA1
34c052c871f46c7daf4655ac13a35231f3519b1f

SHA256
450a91e6d4d0be96ddf8fef00e8d5a498e34803990f544e23dd689b86e8c2479

SHA512
303b568fdfcd19bcddad564929f9a47336b9b55fa7aac853cdc0b3fc2c86c6cf8195e54db3a9f3aa848bf99780fc6726a033460517659090502c9e8ae713dd43

Download Submit
memory/756-62-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/756-61-0x0000000000000000-mapping.dmp

Download
memory/816-64-0x0000000000000000-mapping.dmp

Download
memory/932-57-0x0000000000000000-mapping.dmp

Download
memory/1084-55-0x0000000000000000-mapping.dmp

Download
memory/1596-59-0x0000000000000000-mapping.dmp

Download
memory/1836-53-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download