hxxps://rmj5b[.]codesandbox[.]io/?dg=jose_a_feliz@claro[.]com[.]do

General

Target

https://rmj5b.codesandbox.io/?dg=jose_a_feliz@claro.com.do
Sample

211018-wf5t2aebe6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmj5b.codesandbox.io	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\codesandbox.io\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BBED6D01-3297-11EC-AF2E-FE4672F7746C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\codesandbox.io\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmj5b.codesandbox.io\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\codesandbox.io\Total = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmj5b.codesandbox.io\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\codesandbox.io	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1684 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1684 iexplore.exe
1684 iexplore.exe
3328 IEXPLORE.EXE
3328 IEXPLORE.EXE
3328 IEXPLORE.EXE
3328 IEXPLORE.EXE

pid	process
1684	iexplore.exe

pid	process
1684	iexplore.exe
1684	iexplore.exe
3328	IEXPLORE.EXE
3328	IEXPLORE.EXE
3328	IEXPLORE.EXE
3328	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1684 wrote to memory of 3328	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 3328	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 3328	1684	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://rmj5b.codesandbox.io/?dg=jose_a_feliz@claro.com.do
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
1455d22c553b285c8f185634919b1213

SHA1
42c08ceb4015831f59913382277b1d8049e6429b

SHA256
1352ef5ad9f7d586e3f3e87f3d18520ed4387c92ae32162f6507410d47c3dbe0

SHA512
ea9231f6723e8f76b6d8e1ad9ac9e95710996ab2878d6210a034721e12f88cfea5213325f2659d1cdd7a3181ef286d4aafdf9b0102786755ddcab84f9fab2975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
c98839fe5ec366bfc74236fd23a854f3

SHA1
512aede6c39ffbc3b4ad9e498c3ba92f365ba692

SHA256
70e20fb6efd90ff3bfe83681be2fd3649912c7d9026be71b26f1a16c000e8eef

SHA512
5c8f2b4f33d9225efdc3f474c9740a56fb965ecf61e9822678f52681d4ba1ab82c7582e45934ee99af7543819eea9ec6e9fa0c0bd752abd0d27749e629db71d9

Download Submit
memory/1684-142-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-121-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-120-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-144-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-122-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-123-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-125-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-124-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-127-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-128-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-115-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-131-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-145-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-134-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-135-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-136-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-137-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-138-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-116-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-141-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-129-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-119-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-132-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-147-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-149-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-150-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-151-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-155-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-156-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-157-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-163-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-164-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-165-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-166-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-167-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-168-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-169-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-170-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-171-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-174-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-176-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-179-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/1684-117-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/3328-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing