hxxps://j131t35i71[.]execute-api[.]us-west-2[.]amazonaws[.]com/track?curr_track_type=open_track&temp_id=IjIzNjUxNSI_3D&email_id=richard[.]fernez%40wyndham[.]com&s_id=updvov&server=ses&type=replace_drip_type

General

Target

https://j131t35i71.execute-api.us-west-2.amazonaws.com/track?curr_track_type=open_track&temp_id=IjIzNjUxNSI_3D&email_id=richard.fernez%40wyndham.com&s_id=updvov&server=ses&type=replace_drip_type
Sample

211025-xdjz8agee3

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a63109125baed701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1BC527F1-381F-11EC-AF2E-664C7E786535} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341952460"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "342001046"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341969055"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3076 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3076 iexplore.exe
3076 iexplore.exe
3144 IEXPLORE.EXE
3144 IEXPLORE.EXE
3144 IEXPLORE.EXE
3144 IEXPLORE.EXE

pid	process
3076	iexplore.exe

pid	process
3076	iexplore.exe
3076	iexplore.exe
3144	IEXPLORE.EXE
3144	IEXPLORE.EXE
3144	IEXPLORE.EXE
3144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3076 wrote to memory of 3144	3076	iexplore.exe	IEXPLORE.EXE
PID 3076 wrote to memory of 3144	3076	iexplore.exe	IEXPLORE.EXE
PID 3076 wrote to memory of 3144	3076	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://j131t35i71.execute-api.us-west-2.amazonaws.com/track?curr_track_type=open_track&temp_id=IjIzNjUxNSI_3D&email_id=richard.fernez%40wyndham.com&s_id=updvov&server=ses&type=replace_drip_type
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3076 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\D4MAJHBY.cookie
MD5
37220cafbc6f39f478beb00723f66535

SHA1
76c6ff151ce77f77f0ad71bb2c19325d66cacc78

SHA256
ea6bba586611e36a29b5ee745813058092c0b61837f94baedecdd1afb886b267

SHA512
6ddd84d9d2fe52164e8a1619e1191c3a05f2a8a6853b6a7e9aa95c992568ebc2cadd7fac639c4b149442ec643e6efba35adff38359789f5ac6d3dfa274a9229d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\S80CZGPS.cookie
MD5
e272f3fd5037549f0af7cd2a1cc87412

SHA1
064a84f9833954b90fc279dcf406706cb1931b28

SHA256
bb8ac0c442cff6268e52b71874d65d93bf5d21213123e0bd139fd75a673012fd

SHA512
81cfd115f7041af424a14c4ccb0c6a380344bb2113e84f622d13c0eabcb4eb0e4496d5348970ace5f64555535f4c52aea79d0a7ed5b251a8eb93eb7ed5233031

Download Submit
memory/3076-156-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-125-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-120-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-142-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-122-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-145-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-124-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-144-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-127-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-129-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-128-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-131-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-132-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-133-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-134-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-136-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-137-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-138-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-116-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-141-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-121-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-119-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-123-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-147-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-149-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-150-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-151-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-155-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-115-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-157-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-163-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-164-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-165-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-166-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-167-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-168-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-169-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-173-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-174-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3076-117-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/3144-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads