https://leymk.com

General

Target: https://leymk.com
Filesize: N/A
Completed: 22-07-2021 08:13
Score: 1/10

Malware Config

Signatures 4


Defense Evasion
  • Modifies Internet Explorer settings
    iexplore.exeIEXPLORE.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30899921" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30899921" | IEXPLORE.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00af8ec0d17ed701 | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "333723270" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302b79c0d17ed701 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "333755262" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30899921" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9343E63-EAC4-11EB-A11C-56F1F4F21F1A} = "0" | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3186950057" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3186950057" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3196950171" | IEXPLORE.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "333706676" | iexplore.exe
  • Suspicious use of FindShellTrayWindow
    iexplore.exe

    Reported IOCs

    pid | process
    4064 | iexplore.exe
  • Suspicious use of SetWindowsHookEx
    iexplore.exeIEXPLORE.EXE

    Reported IOCs

    pid | process
    4064 | iexplore.exe
    1564 | IEXPLORE.EXE
  • Suspicious use of WriteProcessMemory
    iexplore.exe

    Reported IOCs

    description | pid | process | target process
    PID 4064 wrote to memory of 1564 | 4064 | iexplore.exe | IEXPLORE.EXE
Processes 2
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://leymk.com
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID: 4064
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4064 CREDAT:82945 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID: 1564
Network
MITRE ATT&CK Matrix
                        Downloads