hxxps://ankltrafficexit[.]xyz/trafficexit

General

Target

https://ankltrafficexit.xyz/trafficexit
Sample

210910-a7538ahad4

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\fr-FR = "fr-FR.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000be76e57f4b6140620da1392bcbe514110378e88e151c37fea11b119c7923a355000000000e8000000002000020000000da091d423d898604abb518b6b7dcfd5f4acedae7aed53dd830070d0278b5181b20000000ac210cee8a12a2baa9ce9dd3ef8cf233590ff317f09da9415f30de10771ce23440000000a44208a377d600725d4e91a6c8b1589977e28064b66fd637e08c7a772e08be2d36d3b186c612d6a148fd9d89fb95f6664cd9980dc4b6f1ce2730009446aa6c92	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000e9dab12c3b7bd13b96ebe2584bedcf25055175dc7d1627a5d3b62ca6c975932c000000000e80000000020000200000007f3666f4799b6a5c8581b6c34f05536973a73b0c0df40394735ad887ff2fbfaa900000009d1231b5888cbe6b1f57c4f20b08f091a81327e4c664d600e23786281f11322c682f9605a874f6371e5da4c5327740761bfe7d5d4fd08c8a257afae51f87d05bb8a219e9a1028d13efe0e04af0b90b042f6e1eb8f85169f392dc52a324d8551bf2ba3d9de23d4646e60b7cf62a755721e48888f3c55c90e8a787997195c6ae702434c81d4f17d02a99249ceaecf135c740000000fc0eba986965bd4e4b98edc4978262f6c38f3f043dd0e7cf91148e6ab803dbc5f750b8bdeb5ce34342579c1a22dcf77222cdb9db64d63026161f12ceeaf05252	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E29B7C41-11D1-11EC-B397-7E71B1F3B5BA} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 804d4ac6dea5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338000344"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1796 iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1796	iexplore.exe
1796	iexplore.exe
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
536	IEXPLORE.EXE
536	IEXPLORE.EXE
536	IEXPLORE.EXE
536	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1796 wrote to memory of 1708	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1708	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1708	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1708	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1644	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1644	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1644	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1644	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1144	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1144	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1144	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 1144	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 536	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 536	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 536	1796	iexplore.exe	IEXPLORE.EXE
PID 1796 wrote to memory of 536	1796	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://ankltrafficexit.xyz/trafficexit
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:340994 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:275475 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:472090 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
1254cc28894c6d1881d8f0a56971b4f2

SHA1
1fb938bf1562d6e9e543a9e955486418f5c47081

SHA256
52b7decdd94c0d6c52e8cd36437725b092b9dc7f8aef6126541b5c1b4b57727b

SHA512
64945cc198d6a242b42ab21015763a08b50ab7d682f31e613eac1b1fd3740899786bea1e13107f5e33e382987e95b30c2e68d75eeb65794e5a88165c5ccf94b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LX9K6CVY\D1H5JIVI.htm
MD5
2f90e5f9c9a2c6a00cdb43af7a75693c

SHA1
a47f8aef4ac6913aa1f82a7225c9c181f1a1ba79

SHA256
1b33286048ae7931fea09ed7de9386ef1c3a6d17525f0c6929e60190fc852946

SHA512
b2609a2534bd5ad40d9c9dce5c6b2f6b6bdfa3c27ec0e0dbb291c5b79d574c0743d5cab7de44994eb18d6e37e7c0d4e52ee2bae0198996155a718e853ef34e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LX9K6CVY\RU5YJ2RT.htm
MD5
98d799128abedc7d4383d76a7622ae49

SHA1
04b102c6ae7fdb3e4cc6a503faa0d70bc992460d

SHA256
7b20fcf20bb7a74dc3a4d2613d4fe5c6968079ca9a627052761f9e8504998774

SHA512
da6775e35d9ceda62d591647bf2d8c2948947ed28c5af773f983ef336e0d6422617eb51d0abdbac5d22a813263c5c0323f4bc918041067a1ee9a3e8a5586e8c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\E0MWT09J.txt
MD5
3639787837471d3b88c202f628fd4d56

SHA1
8ea7b1e6a2ffa2b185130b497331a9ea4418fb06

SHA256
0b223a5d1d2b80cb402b412ed1f6c274d55759b45f1545e849d107c2c32b03ab

SHA512
e359d26e1bb8cefb8ac93adece713f1772001e735debc3bb33f57619a2cbea591a5b337dd7cc4449b6f852b2bc6e51a683f8ff8002ab8eeb829be6ac26728ba9

Download Submit
memory/536-63-0x0000000000000000-mapping.dmp

Download
memory/1144-60-0x0000000000000000-mapping.dmp

Download
memory/1644-56-0x0000000000000000-mapping.dmp

Download
memory/1708-53-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x0000000075F91000-0x0000000075F93000-memory.dmp

Filesize
8KB

Download
memory/1708-55-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads