1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b

General

Target

1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
Size

483KB
MD5

cc6508c655aa5ad24cee66148b841d87
SHA1

9c845c777287c9048cef6838416b54259f8d7eab
SHA256

1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b
SHA512

a49636bf7e60e876757d148473279298c8eb0c5d34a3e2aec0de8416f1885a3664cb8364212b49a277e01abfa6ade76a1d25c52939f7a97c1c38fe16cea95312
SSDEEP

12288:PH/5rxiLJgVTFZNg+aU/UBrxiLJgVTFZNg+aU/Uh:PnUqVTTN5aU/UHUqVTTN5aU/Uh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

elyl.exeelyl.exe

pid process

576 elyl.exe
1912 elyl.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

616 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe

pid process

2028 1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe

pid	process
576	elyl.exe
1912	elyl.exe

pid	process
616	cmd.exe

pid	process
2028	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

elyl.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	elyl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E1315C7D-7721-31FA-E60D-A28ABA701284} = "C:\\Users\\Admin\\AppData\\Roaming\\Lusawi\\elyl.exe"	elyl.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exeelyl.exe

description	pid	process	target process
PID 1740 set thread context of 2028	1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 576 set thread context of 1912	576	elyl.exe	elyl.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

elyl.exe

pid	process
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe
1912	elyl.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exeelyl.exe

pid process

1740 1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
576 elyl.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe

description pid process

Token: SeSecurityPrivilege 2028 1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe

pid	process
1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
576	elyl.exe

description	pid	process
Token: SeSecurityPrivilege	2028	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exeelyl.exeelyl.exe

description	pid	process	target process
PID 1740 wrote to memory of 2028	1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1740 wrote to memory of 2028	1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1740 wrote to memory of 2028	1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1740 wrote to memory of 2028	1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1740 wrote to memory of 2028	1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1740 wrote to memory of 2028	1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1740 wrote to memory of 2028	1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1740 wrote to memory of 2028	1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1740 wrote to memory of 2028	1740	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 2028 wrote to memory of 576	2028	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	elyl.exe
PID 2028 wrote to memory of 576	2028	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	elyl.exe
PID 2028 wrote to memory of 576	2028	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	elyl.exe
PID 2028 wrote to memory of 576	2028	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	elyl.exe
PID 576 wrote to memory of 1912	576	elyl.exe	elyl.exe
PID 576 wrote to memory of 1912	576	elyl.exe	elyl.exe
PID 576 wrote to memory of 1912	576	elyl.exe	elyl.exe
PID 576 wrote to memory of 1912	576	elyl.exe	elyl.exe
PID 576 wrote to memory of 1912	576	elyl.exe	elyl.exe
PID 576 wrote to memory of 1912	576	elyl.exe	elyl.exe
PID 576 wrote to memory of 1912	576	elyl.exe	elyl.exe
PID 576 wrote to memory of 1912	576	elyl.exe	elyl.exe
PID 576 wrote to memory of 1912	576	elyl.exe	elyl.exe
PID 1912 wrote to memory of 1120	1912	elyl.exe	taskhost.exe
PID 1912 wrote to memory of 1120	1912	elyl.exe	taskhost.exe
PID 1912 wrote to memory of 1120	1912	elyl.exe	taskhost.exe
PID 1912 wrote to memory of 1120	1912	elyl.exe	taskhost.exe
PID 1912 wrote to memory of 1120	1912	elyl.exe	taskhost.exe
PID 1912 wrote to memory of 1172	1912	elyl.exe	Dwm.exe
PID 1912 wrote to memory of 1172	1912	elyl.exe	Dwm.exe
PID 1912 wrote to memory of 1172	1912	elyl.exe	Dwm.exe
PID 1912 wrote to memory of 1172	1912	elyl.exe	Dwm.exe
PID 1912 wrote to memory of 1172	1912	elyl.exe	Dwm.exe
PID 1912 wrote to memory of 1204	1912	elyl.exe	Explorer.EXE
PID 1912 wrote to memory of 1204	1912	elyl.exe	Explorer.EXE
PID 1912 wrote to memory of 1204	1912	elyl.exe	Explorer.EXE
PID 1912 wrote to memory of 1204	1912	elyl.exe	Explorer.EXE
PID 1912 wrote to memory of 1204	1912	elyl.exe	Explorer.EXE
PID 1912 wrote to memory of 2028	1912	elyl.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1912 wrote to memory of 2028	1912	elyl.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1912 wrote to memory of 2028	1912	elyl.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1912 wrote to memory of 2028	1912	elyl.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 1912 wrote to memory of 2028	1912	elyl.exe	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
PID 2028 wrote to memory of 616	2028	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	cmd.exe
PID 2028 wrote to memory of 616	2028	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	cmd.exe
PID 2028 wrote to memory of 616	2028	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	cmd.exe
PID 2028 wrote to memory of 616	2028	1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe	cmd.exe
PID 1912 wrote to memory of 616	1912	elyl.exe	cmd.exe
PID 1912 wrote to memory of 616	1912	elyl.exe	cmd.exe
PID 1912 wrote to memory of 616	1912	elyl.exe	cmd.exe
PID 1912 wrote to memory of 616	1912	elyl.exe	cmd.exe
PID 1912 wrote to memory of 616	1912	elyl.exe	cmd.exe
PID 1912 wrote to memory of 1072	1912	elyl.exe	DllHost.exe
PID 1912 wrote to memory of 1072	1912	elyl.exe	DllHost.exe
PID 1912 wrote to memory of 1072	1912	elyl.exe	DllHost.exe
PID 1912 wrote to memory of 1072	1912	elyl.exe	DllHost.exe
PID 1912 wrote to memory of 1072	1912	elyl.exe	DllHost.exe
PID 1912 wrote to memory of 880	1912	elyl.exe	DllHost.exe
PID 1912 wrote to memory of 880	1912	elyl.exe	DllHost.exe
PID 1912 wrote to memory of 880	1912	elyl.exe	DllHost.exe
PID 1912 wrote to memory of 880	1912	elyl.exe	DllHost.exe
PID 1912 wrote to memory of 880	1912	elyl.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
"C:\Users\Admin\AppData\Local\Temp\1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe
"C:\Users\Admin\AppData\Local\Temp\1bf1e0b4de0df75aa6508dc992d5b51493c16b1cc44d8147f6d58d2de582a52b.exe"
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\Lusawi\elyl.exe
"C:\Users\Admin\AppData\Roaming\Lusawi\elyl.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Roaming\Lusawi\elyl.exe
"C:\Users\Admin\AppData\Roaming\Lusawi\elyl.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfcfd075c.bat"
4⤵
- Deletes itself
PID:616

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1072

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfcfd075c.bat
Filesize
307B

MD5
e1730168f338c1a97c728f404341bfba

SHA1
72c646ef66f1df4d30b14578c21b92ec513a0879

SHA256
570b3448134849b8652900c739fbf420556094fee88b42cc0faaabe2e6ccebff

SHA512
527723fc3a1c298f9d827958a822bfdd71ffb3de5458723126fc8526e72d1c2d4bde2837df10c84a822c79bfe4b6115a781609df0867619c9e9f0439d970c783

Download Submit
C:\Users\Admin\AppData\Roaming\Lusawi\elyl.exe
Filesize
483KB

MD5
304ed2319d3852c087c15de6c65102a1

SHA1
3cf4df83e22dd34c0af2323a042a44630d1e40d1

SHA256
bca0475ec69122a0f823638cbfe4815efbc6ae49f75316d8c6bebd877acfb07c

SHA512
2d70bcc33bca3eb900aa600fdcadc611a24caaf870a82c19ca9a73fead987cdf91cd7efeba734d6a49262b226a3844c4a58c45f79ab289139844e9aa4a210339

Download Submit
C:\Users\Admin\AppData\Roaming\Lusawi\elyl.exe
Filesize
483KB

MD5
304ed2319d3852c087c15de6c65102a1

SHA1
3cf4df83e22dd34c0af2323a042a44630d1e40d1

SHA256
bca0475ec69122a0f823638cbfe4815efbc6ae49f75316d8c6bebd877acfb07c

SHA512
2d70bcc33bca3eb900aa600fdcadc611a24caaf870a82c19ca9a73fead987cdf91cd7efeba734d6a49262b226a3844c4a58c45f79ab289139844e9aa4a210339

Download Submit
C:\Users\Admin\AppData\Roaming\Lusawi\elyl.exe
Filesize
483KB

MD5
304ed2319d3852c087c15de6c65102a1

SHA1
3cf4df83e22dd34c0af2323a042a44630d1e40d1

SHA256
bca0475ec69122a0f823638cbfe4815efbc6ae49f75316d8c6bebd877acfb07c

SHA512
2d70bcc33bca3eb900aa600fdcadc611a24caaf870a82c19ca9a73fead987cdf91cd7efeba734d6a49262b226a3844c4a58c45f79ab289139844e9aa4a210339

Download Submit
\Users\Admin\AppData\Roaming\Lusawi\elyl.exe
Filesize
483KB

MD5
304ed2319d3852c087c15de6c65102a1

SHA1
3cf4df83e22dd34c0af2323a042a44630d1e40d1

SHA256
bca0475ec69122a0f823638cbfe4815efbc6ae49f75316d8c6bebd877acfb07c

SHA512
2d70bcc33bca3eb900aa600fdcadc611a24caaf870a82c19ca9a73fead987cdf91cd7efeba734d6a49262b226a3844c4a58c45f79ab289139844e9aa4a210339

Download Submit
memory/576-68-0x0000000000000000-mapping.dmp

Download
memory/616-114-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/616-113-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/616-107-0x0000000000000000-mapping.dmp

Download
memory/616-112-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/880-126-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/880-128-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/880-129-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/880-127-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1072-122-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/1072-123-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/1072-121-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/1072-120-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/1120-86-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1120-85-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1120-87-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1120-88-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1172-92-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1172-94-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1172-91-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1172-93-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/1204-100-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1204-99-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1204-98-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1204-97-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1740-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1912-117-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1912-78-0x0000000000413048-mapping.dmp

Download
memory/2028-109-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/2028-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2028-103-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/2028-108-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2028-104-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/2028-106-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/2028-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2028-105-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/2028-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2028-62-0x0000000000413048-mapping.dmp

Download
memory/2028-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2028-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2028-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2028-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads