da5007b3da914a87cb0b8cb4540b59d08761aeddf058f09aea3b854c43c69bae

General

Target

29fb7632d7e495f0f9f23524d130fd81.exe
Size

305KB
MD5

29fb7632d7e495f0f9f23524d130fd81
SHA1

6fab23aec1df3c36755707bc7fe15da370e2776a
SHA256

da5007b3da914a87cb0b8cb4540b59d08761aeddf058f09aea3b854c43c69bae
SHA512

67f1d51f51a8018a9d1bf3e92bfe745720e95655281a250e945043819ea849fe50e78e4ad8671dec1e1b2f5380f44e288eb73df87110cbb221b5b5c1b63a40a1
SSDEEP

6144:/Ya6H1VsdE/dfnLAthYJpvak1cITgTo+BGms2uOUSgxo/o7LWFfXgwSXbOU0d4wE:/Yl3wgdfLUmJNJqI8NY50ofg4wSKU0WJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	lsmlekitre.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	lsmlekitre.exe
1964	lsmlekitre.exe

Loads dropped DLL 3 IoCs

pid	Process
1784	29fb7632d7e495f0f9f23524d130fd81.exe
1940	lsmlekitre.exe
2012	systray.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 1964	1940	lsmlekitre.exe	29
PID 1964 set thread context of 1220	1964	lsmlekitre.exe	3
PID 2012 set thread context of 1220	2012	systray.exe	3

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1964	lsmlekitre.exe
1964	lsmlekitre.exe
1964	lsmlekitre.exe
1964	lsmlekitre.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1940	lsmlekitre.exe
1964	lsmlekitre.exe
1964	lsmlekitre.exe
1964	lsmlekitre.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe
2012	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	lsmlekitre.exe
Token: SeDebugPrivilege	2012	systray.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1940	1784	29fb7632d7e495f0f9f23524d130fd81.exe	28
PID 1784 wrote to memory of 1940	1784	29fb7632d7e495f0f9f23524d130fd81.exe	28
PID 1784 wrote to memory of 1940	1784	29fb7632d7e495f0f9f23524d130fd81.exe	28
PID 1784 wrote to memory of 1940	1784	29fb7632d7e495f0f9f23524d130fd81.exe	28
PID 1940 wrote to memory of 1964	1940	lsmlekitre.exe	29
PID 1940 wrote to memory of 1964	1940	lsmlekitre.exe	29
PID 1940 wrote to memory of 1964	1940	lsmlekitre.exe	29
PID 1940 wrote to memory of 1964	1940	lsmlekitre.exe	29
PID 1940 wrote to memory of 1964	1940	lsmlekitre.exe	29
PID 1220 wrote to memory of 2012	1220	Explorer.EXE	30
PID 1220 wrote to memory of 2012	1220	Explorer.EXE	30
PID 1220 wrote to memory of 2012	1220	Explorer.EXE	30
PID 1220 wrote to memory of 2012	1220	Explorer.EXE	30
PID 2012 wrote to memory of 1508	2012	systray.exe	33
PID 2012 wrote to memory of 1508	2012	systray.exe	33
PID 2012 wrote to memory of 1508	2012	systray.exe	33
PID 2012 wrote to memory of 1508	2012	systray.exe	33
PID 2012 wrote to memory of 1508	2012	systray.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\29fb7632d7e495f0f9f23524d130fd81.exe
  "C:\Users\Admin\AppData\Local\Temp\29fb7632d7e495f0f9f23524d130fd81.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe
    "C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe" C:\Users\Admin\AppData\Local\Temp\rdkswobyge.xvj
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe
      "C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1964
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bodivqob.itv

Filesize
206KB

MD5
06cf0b75c32755e25f7ccbb53488c1ab

SHA1
966d0e5e42a126d6a7f5d9939162451001401ee9

SHA256
0286d9505bc1d23e39e55a386a9eed31c5f0b33da8164a83f269920ed7babd38

SHA512
c194667f4b0b448b034cc709b1e2f7be683f775e1cd09dec291689d20aa7f0e07596d8ab3bc7abd251ed62fc0c2dc7c1612a555c44b6ff82a142b30b9a9f41ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe

Filesize
140KB

MD5
7027c7e620b85bda7f9697a9698632c3

SHA1
6a617653ca3e90546ad365286045b742b8bd9bc3

SHA256
4a708aa20244a5b14146939e25e2fc8aa6a19c5c4655b19088739f012ff0a44c

SHA512
41d8d538ab435f8aa061487ad7899b08b456b8768430faef0a3e1813af7ffafd6b9f023f21cb7365f2c70ad5f1df8ef3bf118b8b5272fafd85ebf862877ba72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe

Filesize
140KB

MD5
7027c7e620b85bda7f9697a9698632c3

SHA1
6a617653ca3e90546ad365286045b742b8bd9bc3

SHA256
4a708aa20244a5b14146939e25e2fc8aa6a19c5c4655b19088739f012ff0a44c

SHA512
41d8d538ab435f8aa061487ad7899b08b456b8768430faef0a3e1813af7ffafd6b9f023f21cb7365f2c70ad5f1df8ef3bf118b8b5272fafd85ebf862877ba72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe

Filesize
140KB

MD5
7027c7e620b85bda7f9697a9698632c3

SHA1
6a617653ca3e90546ad365286045b742b8bd9bc3

SHA256
4a708aa20244a5b14146939e25e2fc8aa6a19c5c4655b19088739f012ff0a44c

SHA512
41d8d538ab435f8aa061487ad7899b08b456b8768430faef0a3e1813af7ffafd6b9f023f21cb7365f2c70ad5f1df8ef3bf118b8b5272fafd85ebf862877ba72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdkswobyge.xvj

Filesize
5KB

MD5
beaf14bcc9a2f078e8cf6f728b615427

SHA1
f33592699222c77834744e72c04070470eda42ca

SHA256
573e1395653c5dc2821d30f10382fc10ac7482296c5d6e6917bd3e78866af3bf

SHA512
4ea4ef425ef90551cf359049d034098f5d0fbaccd999345a0dcac246f278b48efd3dd3bcccc6fe9b41f7b4531397eba69aa48d9c7d297c53b7d42d8367c7174b

Download Submit
\Users\Admin\AppData\Local\Temp\lsmlekitre.exe

Filesize
140KB

MD5
7027c7e620b85bda7f9697a9698632c3

SHA1
6a617653ca3e90546ad365286045b742b8bd9bc3

SHA256
4a708aa20244a5b14146939e25e2fc8aa6a19c5c4655b19088739f012ff0a44c

SHA512
41d8d538ab435f8aa061487ad7899b08b456b8768430faef0a3e1813af7ffafd6b9f023f21cb7365f2c70ad5f1df8ef3bf118b8b5272fafd85ebf862877ba72d

Download Submit
\Users\Admin\AppData\Local\Temp\lsmlekitre.exe

Filesize
140KB

MD5
7027c7e620b85bda7f9697a9698632c3

SHA1
6a617653ca3e90546ad365286045b742b8bd9bc3

SHA256
4a708aa20244a5b14146939e25e2fc8aa6a19c5c4655b19088739f012ff0a44c

SHA512
41d8d538ab435f8aa061487ad7899b08b456b8768430faef0a3e1813af7ffafd6b9f023f21cb7365f2c70ad5f1df8ef3bf118b8b5272fafd85ebf862877ba72d

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
910KB

MD5
d79258c5189103d69502eac786addb04

SHA1
f34b33681cfe8ce649218173a7f58b237821c1ef

SHA256
57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

SHA512
da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

Download Submit
memory/1220-68-0x0000000006200000-0x00000000062B3000-memory.dmp

Filesize
716KB

Download
memory/1220-76-0x0000000006600000-0x00000000066A7000-memory.dmp

Filesize
668KB

Download
memory/1220-74-0x0000000006600000-0x00000000066A7000-memory.dmp

Filesize
668KB

Download
memory/1784-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1964-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-67-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1964-66-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/2012-70-0x0000000000840000-0x0000000000845000-memory.dmp

Filesize
20KB

Download
memory/2012-71-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/2012-72-0x00000000020B0000-0x00000000023B3000-memory.dmp

Filesize
3.0MB

Download
memory/2012-73-0x0000000000750000-0x00000000007DF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing