hxxps://staydrymen[.]com/00/?i=i&0=user@metrobank[.]com[.]ph

General

Target

https://staydrymen.com/00/?i=i&0=user@metrobank.com.ph
Sample

211014-r7dgmshha8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f8632c8dc0d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{98E8E25D-2F59-11EC-AF2E-C20F2984D143} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340950619"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340934024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000096479cef95e7662b653514a2dafe45c1a9e50c4dbea068ed6971f803b7a736b0000000000e80000000020000200000006c834c4086751c53a6a548c4d277a6ee0bc40786319cbf8ee2dcce72f12eb2fa200000002a7023931ba978626e2400841baa130c22d47ff7de9ec98864ee1e5915c431e340000000158053473a7f794e63b6e3c97ab74a7d3cbd149a1347ff2847a12fc966d1c0ffe5eaeb88501b64a3cd23ebbce91861acf8f2e02182fdf742ed370cd9c2d83957	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340982610"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1832 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1832 iexplore.exe
1832 iexplore.exe
588 IEXPLORE.EXE
588 IEXPLORE.EXE
588 IEXPLORE.EXE
588 IEXPLORE.EXE

pid	process
1832	iexplore.exe

pid	process
1832	iexplore.exe
1832	iexplore.exe
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1832 wrote to memory of 588	1832	iexplore.exe	IEXPLORE.EXE
PID 1832 wrote to memory of 588	1832	iexplore.exe	IEXPLORE.EXE
PID 1832 wrote to memory of 588	1832	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://staydrymen.com/00/?i=i&0=user@metrobank.com.ph
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
MD5
057fedb746bdff40c71dfb82c122face

SHA1
4a9954b8ba716cc3f94f1a8cf818ec38f29ad7a0

SHA256
9ce7e71f9995c02a2982594edfa6330db4b1f8341ee7ac89801cf02a4378b706

SHA512
f8ae5d0ba69053aa4ec1630f7ebcb980cc62705bc718fc96905423910a2e1ed417896535fee5f073a6cc486e65cb1c1aa3c83611907f081fe4d07463944d0b38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A47811ACE0A13149AC9520EC6DC61E9B_7072B0DEFF0B076CB2E08A268541BEF4
MD5
547ac26126c11eb38b2e1296caa1757e

SHA1
a9974f7eb627f12ff1db055839f2ca1c7632f882

SHA256
c26663718f158b07e1ad699eadfa4237ac94b181e02cfdd0c6848e3005a65ffb

SHA512
12503ad4832b4b3b4173a51e68ba7e9b92bea4de9d00f1e9406ba6459c0eeb904209f78fbe005f3211b6914ea9c897dcfb073c2f49d49b12185ec8c308b18de9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
MD5
b84340a2b3dbcacb9c3e118ff6f246b6

SHA1
827a259ad06367598c79815811bfe79cd901f6ec

SHA256
e4f79a5e5273dcbb91bc35fab188d682cc574928e40a572d9ca49321d16abc74

SHA512
bce8e842aeddf456784faafd86fa3750ff1ac24c2fe07f48740303aef085368cca4e1df9bbeb065f0fe37282ad7f2935f4361fe8ac72b057e63a327a858a0b6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A47811ACE0A13149AC9520EC6DC61E9B_7072B0DEFF0B076CB2E08A268541BEF4
MD5
4240bbc67f6659d3387b3b4574c76b92

SHA1
7a5b4988c1edfe4372b6ac7ffcb043c764ef094b

SHA256
b640aab7c864f36507ae3dff592f5ed7536c412d16ecef8290a9ed9decdf3e91

SHA512
dfc1c6e61f933799ce23fa9142d790429eebb0d2a9f52572bac2ca7efc89023ed7f59f011a1762b9a8a9d78a6aa0262f065cf124d4cd0c70be3fcd62ba09e30a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HBPS4WXS\favicon[1].ico
MD5
d3986f2abfd927f1a7352ca73a08adc9

SHA1
df17a810959cd9ef89b5c87b90c54f4286c41937

SHA256
4445210428ff8f80625491ad24e1102715d9100f48647b2c8b3282d1065e356e

SHA512
e23dbdf7da0c772910955070c8b1fdbe06aebd62d2ce54a79d3af248d911ab6a9245a493b01324c98a4e0cba19a1c7be1ecd09e6285a717db3895c2853a4de24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\A4ISJOKX.cookie
MD5
60f08473da742482ea3c6bf7e3bf7cf0

SHA1
07cb23daf333aed677bd8172771cd9d853f3ee8e

SHA256
fe9f83574a85f6240862e36ff6cde83328bc6e52bc7033ae1ac9fe08999e2d89

SHA512
bb943451a525ac7bf2d3a20bc5dbd1d17fdca4407da1b567d4c54e9be2e059e4016defe7bd741a176cd3f52897cee4411b8d262dbd97b12e88c033f0078eae66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\T65TKY6J.cookie
MD5
3f7df47b5f64c9c0bd28821fcb493201

SHA1
ebd29d10383747a364b41bcfa739a560d1c3eb1b

SHA256
b02f0429305120d803764e283be22c2b0f47ffec3365e58c8b1be8daab114be9

SHA512
ac8bbefd2da3185dd76803b2ed018d77db6d336b5e080a90a103e9e891bf0f963db85b180098b550e923715e637f62e9a7642e7937e44a230bb8054c0b0ec9dd

Download Submit
memory/588-140-0x0000000000000000-mapping.dmp

Download
memory/1832-138-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-147-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-122-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-121-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-123-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-124-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-128-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-129-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-127-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-125-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-131-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-133-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-132-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-135-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-136-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-137-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-119-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-141-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-142-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-144-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-145-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-120-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-149-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-150-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-151-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-155-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-156-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-157-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-163-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-165-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-166-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-164-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-167-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-168-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-169-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-117-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-116-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-115-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-173-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-175-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-178-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download
memory/1832-179-0x00007FFFAB120000-0x00007FFFAB18B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing