hxxps://billeebadass[.]com/sammy/?i=i&0=user@domain[.]com[.]ph

General

Target

https://billeebadass.com/sammy/?i=i&0=user@domain.com.ph
Sample

211011-qp4enshcf7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340700794"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000092be6f592bf215101153e5736dd015c9f024c3a2942637ddf88c30d9b3a1704e000000000e800000000200002000000053a5103f0482f162bceac1df756cace7abad6902d16862da559da551a230e5f520000000d8ce10a9a9a885b1fc578d0de9dccdc482e863331097d6f77cebbfed7235365440000000e388d7436edb3d10fbca96481a165adc3a9e2fb1674e06cbca7ae6298c942ece96120e5e3cd974f59f8dc8e543f2c2ebf0eb0f5bd54f1bfedf179af7aa6c3f86	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340717389"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340749381"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cd80246ebed701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{898FCB84-2CF2-11EC-AF2E-4E664A3D12E6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3800 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3800 iexplore.exe
3800 iexplore.exe
4396 IEXPLORE.EXE
4396 IEXPLORE.EXE
4396 IEXPLORE.EXE
4396 IEXPLORE.EXE

pid	process
3800	iexplore.exe

pid	process
3800	iexplore.exe
3800	iexplore.exe
4396	IEXPLORE.EXE
4396	IEXPLORE.EXE
4396	IEXPLORE.EXE
4396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3800 wrote to memory of 4396	3800	iexplore.exe	IEXPLORE.EXE
PID 3800 wrote to memory of 4396	3800	iexplore.exe	IEXPLORE.EXE
PID 3800 wrote to memory of 4396	3800	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://billeebadass.com/sammy/?i=i&0=user@domain.com.ph
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3800

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3800 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
MD5
cc0e4c3f1510f881d63f48bc176079fc

SHA1
9b069c515dcb0005494c4e918c79f8376d227a98

SHA256
d1c6fda57eea480c50779a52e0a44da128a75fb5a8420b1ad23c676877253bfc

SHA512
a5f32a12aa2af25ba730526ed5bf55c4f33d5f7f7e987c94cca61c9715f0ac3866a1251709fccf64e6522c96cafcab6f97cbbfef1dcfd11cd9319c7de7562b6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
53a9cdf59ac3ba666dd73888c66f6b8b

SHA1
8826ae591ba8b682e5454efc75e366c2b497fe71

SHA256
7264033dbda935781c90c516ebe61dbb761e727135e7ea736acc19f5d3b3f50b

SHA512
da60ac754d29fed76aac86251404f73b2a4d562158e517ffedcfb775e7b522b33266bf7544941c4ba1d255339d4d5bbb2e8f9ea1c0e2538e213c971dad5055d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
MD5
3f9508ff665a451b8da9e8a608df44a8

SHA1
f67ec1e1dcd9a54a9a2e61a8b9313b4d05263c73

SHA256
2f73338417da60df6fad8dbf65d8135abda9149f6f3d768294ef580e4d553e26

SHA512
7f48ee9ee86c02a6fb95e8837dc0d7fcd440adf9d31f5a2597fd81d44e4aa3e19e05e1c19e5bb1140a0ed11f7e5cbae95a96a3221390d74c65994e60b6682b57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
c7ac95f73a3ff0ce60ed329becadd058

SHA1
fd6997b3dd46e147f3f046de2076b3034ba01c5a

SHA256
ce5c6be7ee0a5dabe31f9dfce6ae2fb4676eed69df1ce73d7ffff90b936b13c7

SHA512
b801690d657dfeaf278458326026b53b8c5bd58efdfbbc60fdb8537a90a8c71eaf5f91dd196e7043d0c75621acf98f3fc5fff99e83c4986e3b7f58fc3baf1c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\82CLNYQJ.cookie
MD5
b1fc4f31fceb4f8bea623ae1fceeb4a7

SHA1
a899b8e2c02358689629ff8e5011d4e4d13b878e

SHA256
8a84a967df5706451dd944be69e3a330d8a8172aa207a275a3772990f46f0eb2

SHA512
ff1d1c55b3e89114e236d417800bb34633afedbaebdb0e7052b8257e75e9a761dbe706d1791d24686382cd2168083c3344a68b82d3d56f350de3e3ac11af944b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\H9XCSS8Y.cookie
MD5
47afb7d5052ca6a5df8db98fb2f10f8f

SHA1
b49f6b9f34630277c0277c654ab89f9646eec864

SHA256
ce1431eb51abf712500c6be5eda7daf2a3581bdce753e217d51c7483a0f5f6e4

SHA512
f3b7a60fc0eb1553f20e2875779857e493f936d60a17fd6c3156f42955cdf0a9f2ab5ccfb480ce825e86efddfc058a6eae7e6235ea440a16d7b3b91f3495ceb4

Download Submit
memory/3800-145-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-150-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-124-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-125-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-127-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-128-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-129-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-131-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-132-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-133-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-134-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-136-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-137-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-138-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-116-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-141-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-142-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-144-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-115-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-147-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-149-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-123-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-151-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-155-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-156-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-157-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-163-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-164-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-165-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-166-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-167-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-168-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-169-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-173-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-175-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-178-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-179-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-122-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-121-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-120-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-119-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-117-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/4396-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing