hxxps://hilltop2exit[.]xyz/kjlfkvd82d

General

Target

https://hilltop2exit.xyz/kjlfkvd82d
Sample

211020-b6eqbagea9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000959e2c05ed73edd37f563cbd523fd8b2a4a8ca47e3fdeb2af93f05575ad014b9000000000e8000000002000020000000d4ca9d2cf0f5b7265f3bf8a4deadd4c01c6e680e19067b5bba88c64b7a05d6f7200000004b713f9cb9cefe9bb0208982a740eb0abe11ac5806b7413215d28a3467e0b22040000000b75f1f6f4e2110524ac41a860281dd0f9815d8bfde634781c266581fb855470a382bf42e1a4a3d71c2dbe4dc3a1f1791098b227d39d559f9d49f0bc3797006b4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb19360000000002000000000010660000000100002000000070d10780f8594da2a098779eb25a498970e94093a6f0ceacfa38b832d2509578000000000e8000000002000020000000727a387a2492e3d5a8d74e9a355f90dab3a9a3607a8d2f63db607991d38e207590000000944598f8514e362a650190a5cae61e10f35dc42502d579d68dc8c17fa9883fab110bf1e350253630f8999234d9a9c6acc9f80cc47e87d26fc53a6a66871694731d93c38931c8c367095ef00f4d132ebd3cd0272d4fb05fb81a77f5b209df280a4b806f8c1ef431494155d33979bcb1975f73a236dc19db3068b296b9c98ee38f57ce8c82213eee37a5d14b84f55a7bbf400000000f0cb8b8bd6b0e8a838ea825b257d56eda7eaafe94fe20efc2dcca56ac15f6c2d8ae0224485e2a0f61aa594beea697ee801cd4f9514cb4b909f38ce9e17dabb8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{272E8D01-3158-11EC-B914-4E998413B4D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70e6ccfb64c5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341466503"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1680 iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1680	iexplore.exe
1680	iexplore.exe
760	IEXPLORE.EXE
760	IEXPLORE.EXE
760	IEXPLORE.EXE
760	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1680 wrote to memory of 760	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 760	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 760	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 760	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1612	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1612	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1612	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1612	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1708	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1708	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1708	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1708	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1540	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1540	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1540	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 1540	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 836	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 836	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 836	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 836	1680	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://hilltop2exit.xyz/kjlfkvd82d
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:760

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:340994 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:537609 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:472095 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:406581 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
cf4f77524681ce77694672a8aca9617c

SHA1
777476f702284f7ebfa6d087cceb4d3e6575b091

SHA256
95c7e8ee38abdf9a78a287e5c670d1ed3ec9fed8970554c75290e3bb9e465882

SHA512
8fd37d1e0e104e232d207a72fda022cd47157e165c6dcddb8acc3221109274b00709c592aeb2fc1a7f5df0caf0091e228616cbb723144a08630083e636a3e0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC94CCU5\787FE8N4.htm
MD5
d36e5590cc0627f1497ea0c31b4b4713

SHA1
92d24bc66d9ba431e06f542504c331ea4c13d437

SHA256
7c1d8e1b9705210631fff25f10154cb78eff18203614cbdd62dfa8019b0f761c

SHA512
6d9619d94fe5109c43a8ece9f9cd118925c075e99ad010c6f61cd4cfe216146861e4130d15312dd04cad86cf46c342627545671bb67dc26b7c81e28fcd170529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PBXRT4TL\XMTQWSA1.htm
MD5
d6128e7179fd8e986a40d3708c47d260

SHA1
2d7505f5e5bbf437bfba81df3a89c780be5f41fb

SHA256
9e0291a1e9fd41798d8bd5973685be9128e8278636dcf5155c7f099256da4dfc

SHA512
e7f7b0dbf6a84c2a83e1c0a440f9642a992989f4a2096ae88d57b8d802cb5dd05ea090a912e1e1e25d2dd34f93dd6ab3a1e01c0441f07d8a947529655455a348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RHI8KPQK\STMHOKI3.htm
MD5
c3802c8a91033d620d06573d937ef335

SHA1
4e61b7736e8e65ddfbea346e298895b95e82628d

SHA256
a25f7351ea59adebdfd3866e97282f92d5bfccdf0bd2a5b54d0d04559c761ee7

SHA512
e63e1415ed12f3c4c2e59d9c7e63ce7e1142ecf6a4a8bd4bbb257f7be69beeef69e0f09129f93f42d4e70418206847e90eb17f0395f834e0e9084630d621e132

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1BM02Q2B.txt
MD5
77c57c04238753a2a2e740ad5fdc07e1

SHA1
8d1354b5884af08879a2d62898f7a2aa27534b0b

SHA256
6a8213de3164414e8f0d75685036426222875b8e25fbc206e3be22c9bd7e4911

SHA512
2f3fe2e46ce08b7d49853f5e1d5f23adf16b531386d5fd4fa8df02217fca2a138382d056f4e1b4224375c0b7f0bc78835ad0f05cb2272b317851c2e4123c0c45

Download Submit
memory/760-55-0x0000000000000000-mapping.dmp

Download
memory/836-61-0x0000000000000000-mapping.dmp

Download
memory/1540-60-0x0000000000000000-mapping.dmp

Download
memory/1612-56-0x0000000000000000-mapping.dmp

Download
memory/1680-54-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp

Filesize
8KB

Download
memory/1708-58-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads