hxxps://bostontraile[.]sn[.]am/mHgTueYZoeq

Analysis

max time kernel
67s
max time network
143s
platform
windows10_x64
resource
win10v20201028
submitted
18-01-2021 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bostontraile.sn.am/mHgTueYZoeq
Sample

210118-wdhtc21dhj

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "815904915"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "317717564"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5B6D0F77-5959-11EB-BEBD-C288FA2082BC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d6563166edd601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "806060108"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "806216034"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30862694"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "317734157"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d0000000002000000000010660000000100002000000061cbd1e6f76f0a92cd3140ce65158c5c74b97ffc682c765fcbea211424216a82000000000e800000000200002000000056065ad5ba0aa1d8877d11d0e42516bb26fac9512c40ee81b5f2dc1d7fabd3b120000000b76dcd4d166e277744a3a44f3f86dd9f07afa4f7627466a28ecafe0a109e01bd400000006665971318823900ba497329763cbb15ec3c27c0bf23cbeb000a39d27f6567865c52075925b2c3420b5e01bc1c838ae4152d502d7957d774f37b17a8d704caa2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d000000000200000000001066000000010000200000000dab63ef4df6225703d4b50f890bc77bbd1f242d77902388edefac22cc6040df000000000e8000000002000020000000eb91900cf210305942b558dcab3b2191a80512db7af14c73955c822531f1450420000000b27e8051415552e53f44d8facdf21927ac2defdd87d0a52936bee387796b961340000000d86275853e038355d5e104962e6a8897c740227f4fbcf2d69f050b156382e757737592b405679cd8cc908a93155ccf51b4128ac9fd9b8a2d4eba9ab81cc4ab84	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30862694"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30862694"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ef4a3166edd601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "317766149"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

492 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

492 iexplore.exe
492 iexplore.exe
3548 IEXPLORE.EXE
3548 IEXPLORE.EXE
3548 IEXPLORE.EXE
3548 IEXPLORE.EXE

pid	process
492	iexplore.exe

pid	process
492	iexplore.exe
492	iexplore.exe
3548	IEXPLORE.EXE
3548	IEXPLORE.EXE
3548	IEXPLORE.EXE
3548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 492 wrote to memory of 3548	492	iexplore.exe	IEXPLORE.EXE
PID 492 wrote to memory of 3548	492	iexplore.exe	IEXPLORE.EXE
PID 492 wrote to memory of 3548	492	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://bostontraile.sn.am/mHgTueYZoeq
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:492

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:492 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
dd8c4461261fa8f470cbe436d82eb3e6

SHA1
8f221c4a2e8dacbdb325ac3f819e676cdc98b351

SHA256
12d490067715ee5a56f761aeb2f31c0d985f855b8e301a3b407b586809e95912

SHA512
f5ce46cef4e9c48148353e2995e33082fbab05bac1f171f55d3dcee936c7a4f09c1b24a4c92d58d7e608b8792c9fa1d2c280164bafb52a8b6988519f757d49f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
06e7d3b414d0d455d35a4d36e6115688

SHA1
e7ce56d337bd2ecfbe486ea2375015c44ebf6b59

SHA256
a57f599fcb7bcbc3faa660e05d4b252f70b1e5566829084ec8c52a4ed115bc34

SHA512
26ccdf4ced748c8687623a039776aeba2acb63c4fd6cb0f03a2d1dececdec1233bc0445bdbc1e4d6e49dce76ec547d61e06610abcb81266029456f3b07e67835

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
f033f9e1c616b4383fd3e38232dd56c5

SHA1
2bd328510a0522715f71018819358d5308794eaa

SHA256
a84c5b14b5f2839fac45ad8e9d4953c23d551d4e11d2ecdf05d87caddb7dd6dc

SHA512
92177379dee9589670dfae2e7dbbd4903565be1f3ed8990e56154304f3c26657e42ef5856aeb1551d75c634f6c7b8b8dc7913afce129e56d2a016b1dcf17a41f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4947B719DE3A32133AAFCFF5C64398F
MD5
0c48ad48e8118264e76492959e241c71

SHA1
7f7f573368b8d25297a5eb269254cf7aa89b1755

SHA256
4b2764c7be96b113f986ed8247ff8d555d4cefae1b4719d7b4516006e20f9f65

SHA512
169569fcbf5345f3e8cf63e30d55144174dcb1f1896bc15723a82bdf7c9a7ebb3f730341b3612bb31cd62d7ab82a749ac2be213c261c87aff887064a38fcb571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
11d581dc2d4023f8c9ac9333099e7fc5

SHA1
6fb3e6dabafc3008d0849a3c70df3e04cb614a64

SHA256
90352a3ba0becdde2d31e6b9e2f16ae214d46a78f1fdb57228557a4865efc1cb

SHA512
3e42be3e6f64654dea35c4dffe474db4cf414447a176b02290f9377e6368ba9ac3fea2b96369d219157e5231d537f42ac793f8555b53bb0552d22e2ba1048d54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
890933f8cce70bd6a8d4a36d1e5f2d64

SHA1
86c508f34bdbd60ed6f3b9a5c5301c6133966089

SHA256
fb022ae359172e76f4ae432aa8320f0d0b8d2e60b4639f89f2cef5e47c183288

SHA512
029b0b78fb62b93110fc4e3b44b3659aa6851c038200e2045e33226acbde25bd1910c7a50d7cd88d9abcce72c1f12eb4844e0d0bb17d38a876837928d5072b75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
10002428b21d54eb93c153431e895857

SHA1
98c04f431317cbe2f3708e0cd38e94b16cb80fcd

SHA256
6b4f655dba6eb0d9d42c2038a7bd51446120724f270119b46b0229b46aa4486f

SHA512
d2a16429a230ba19812c9054a2e4f338c4d5c0f5b8f8a43cf0419c9f6e257dffa18100357d7f70309d77bb2566435a2bedd4154d6a9a3b5b6aa43f05557232fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4947B719DE3A32133AAFCFF5C64398F
MD5
e62ecbab695f47dfe305fabd32de20dd

SHA1
5b1d90eb34bc738858b9fc961de9029342e215b7

SHA256
cb9c68a9f18cffd337a41beaeadd9eeb7df4aaf7a70d546693511353a6ec9be5

SHA512
73e0f5739fefa6a38ba8613ff834cfd3b7d7e86cd7029fc6c751355520ce15c7a68674e908aeb4ce20558f48d0fa87eacf4e4da1d5bb7b8d3c0330681fc0b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PLFVTI8I.cookie
MD5
bcf57a34fb8c614a239deb79b91a0d88

SHA1
722b88e8543caa7292b33978c82553db17fbff8d

SHA256
5391904d65f39f4a53ccc8a2ea44bd480b148c5382c9f2956c715f16bf13ed6f

SHA512
de8f326c6f443c0afc9925e7b20346d0e4f3687d613f076f4d92ca31b104951c17dc2c5b8b62aafb39f956001a9b7ab5cf1e54d46477f2928befeaa550d10a2c

Download Submit
memory/3548-2-0x0000000000000000-mapping.dmp

Download