322bafdb9119a0cbfd1dd84675bc6780c63f07c2c52040fc24fe7943cae3def4

Analysis

max time kernel
151s
max time network
140s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-02-2023 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lithium_SS_Tool.exe.url
Size

123B
MD5

75892c189979339b6ad016b440f4c3e5
SHA1

3cda0f4bf4d1c06e475a850635aa7590283d9623
SHA256

322bafdb9119a0cbfd1dd84675bc6780c63f07c2c52040fc24fe7943cae3def4
SHA512

b52dc1fb15d2bf28b8d9593883b28c3fdaaf1bbc7d04f6458a5faa23307bf29187e1680bdd4cc19fe425eda678270231600fbc87088224abbfdd0edd6d2595cf

Score

8^/10

agilenet evasion trojan

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Lithium_SS_Tool.exeLthmodules.exe

pid process

1728 Lithium_SS_Tool.exe
812 Lthmodules.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

764 cmd.exe

pid	process
1728	Lithium_SS_Tool.exe
812	Lthmodules.exe

pid	process
764	cmd.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1728-152-0x0000000009200000-0x0000000009C96000-memory.dmp	agile_net
behavioral1/memory/1728-155-0x0000000000460000-0x0000000000478000-memory.dmp	agile_net
behavioral1/memory/1728-158-0x0000000009DA0000-0x0000000009EEA000-memory.dmp	agile_net

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 0078cd23cd48d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384062354"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5A567751-B4C0-11ED-BCA3-6E0AA2656971} = "0"	iexplore.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Lithium_SS_Tool.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Lithium_SS_Tool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Lithium_SS_Tool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Lithium_SS_Tool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Lithium_SS_Tool.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Lthmodules.exeLithium_SS_Tool.exe

pid	process
812	Lthmodules.exe
1728	Lithium_SS_Tool.exe
1728	Lithium_SS_Tool.exe
1728	Lithium_SS_Tool.exe
1728	Lithium_SS_Tool.exe
1728	Lithium_SS_Tool.exe
1728	Lithium_SS_Tool.exe
1728	Lithium_SS_Tool.exe
1728	Lithium_SS_Tool.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Lithium_SS_Tool.exeLthmodules.exe

description pid process

Token: SeDebugPrivilege 1728 Lithium_SS_Tool.exe
Token: SeDebugPrivilege 812 Lthmodules.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

572 iexplore.exe
572 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

572 iexplore.exe
572 iexplore.exe
660 IEXPLORE.EXE
660 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1728	Lithium_SS_Tool.exe
Token: SeDebugPrivilege	812	Lthmodules.exe

pid	process
572	iexplore.exe
572	iexplore.exe

pid	process
572	iexplore.exe
572	iexplore.exe
660	IEXPLORE.EXE
660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

iexplore.exeLithium_SS_Tool.execmd.exe

description	pid	process	target process
PID 572 wrote to memory of 660	572	iexplore.exe	IEXPLORE.EXE
PID 572 wrote to memory of 660	572	iexplore.exe	IEXPLORE.EXE
PID 572 wrote to memory of 660	572	iexplore.exe	IEXPLORE.EXE
PID 572 wrote to memory of 660	572	iexplore.exe	IEXPLORE.EXE
PID 572 wrote to memory of 1728	572	iexplore.exe	Lithium_SS_Tool.exe
PID 572 wrote to memory of 1728	572	iexplore.exe	Lithium_SS_Tool.exe
PID 572 wrote to memory of 1728	572	iexplore.exe	Lithium_SS_Tool.exe
PID 572 wrote to memory of 1728	572	iexplore.exe	Lithium_SS_Tool.exe
PID 1728 wrote to memory of 764	1728	Lithium_SS_Tool.exe	cmd.exe
PID 1728 wrote to memory of 764	1728	Lithium_SS_Tool.exe	cmd.exe
PID 1728 wrote to memory of 764	1728	Lithium_SS_Tool.exe	cmd.exe
PID 1728 wrote to memory of 764	1728	Lithium_SS_Tool.exe	cmd.exe
PID 764 wrote to memory of 812	764	cmd.exe	Lthmodules.exe
PID 764 wrote to memory of 812	764	cmd.exe	Lthmodules.exe
PID 764 wrote to memory of 812	764	cmd.exe	Lthmodules.exe
PID 764 wrote to memory of 812	764	cmd.exe	Lthmodules.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Lithium_SS_Tool.exe.url
1⤵
- Checks whether UAC is enabled
PID:1248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:572 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:660

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BYN4WSI\Lithium_SS_Tool.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BYN4WSI\Lithium_SS_Tool.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd C:\ProgramData\Yinx && Lthmodules.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764

C:\ProgramData\Yinx\Lthmodules.exe
Lthmodules.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Yinx\Lthmodules.exe
Filesize
5KB

MD5
98abf6dff5cda66b958a679f1244c089

SHA1
ed5b73fc414dccb83d6490ad2d633d7902db815c

SHA256
fc8a54d98e0e1eba585221545cada13d2e8d4b9242225137d0c446da29c9ca49

SHA512
0701dcfbaa5c1dceb7404d5b4289e8acf49298eda2d9bb9711565bb21d6e6652ee873c2158cad8c09ead17dcd4bab24f5f656d840b079a23c1e8b72084c76751

Download Submit
C:\ProgramData\Yinx\Lthmodules.exe
Filesize
5KB

MD5
98abf6dff5cda66b958a679f1244c089

SHA1
ed5b73fc414dccb83d6490ad2d633d7902db815c

SHA256
fc8a54d98e0e1eba585221545cada13d2e8d4b9242225137d0c446da29c9ca49

SHA512
0701dcfbaa5c1dceb7404d5b4289e8acf49298eda2d9bb9711565bb21d6e6652ee873c2158cad8c09ead17dcd4bab24f5f656d840b079a23c1e8b72084c76751

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5b412c9f8f64c9aa3752a0cc08294411

SHA1
a617f2f2486cb1f8fa73a907eaf875abb94ef1ea

SHA256
5b33a5ca8933af4cf0ab9ffee09612115319c35253c35750e4c05e0ae819453b

SHA512
53d36c0d8ef8910bc9203c26352f7981f1dd4519adc191b9ab9c67484ccddc26f16b68951851065b10f3b8b8b454812e1eb47af5ca0751ced35a115472996670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
83c2eb25500e6daa57cdbc277fc2bb1a

SHA1
1c82ca419ae87086c6dd6ebcf6a343e1bb322d3a

SHA256
f9ddf4e7392f511ad1a71204b1bfaf7f24febe726e2ea2aefb72e9f6a1f914db

SHA512
fcc2d9510ffcd4cc1ff0cd57ec116ea108270f08733b36796e019132eb86f7ca172230d949daf294ddd0e14ec8b01cca49493e23c2a993c9dd498709c178d7b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8029b363de4468167f3054c4a1dffefb

SHA1
465af4c6220acac5dbed490a1452ece009e26fe9

SHA256
51bebab9ac2f03eee2a2f0df86eb0ee68fb80d30e6b08bf6e2092d6deb6593d6

SHA512
83b5be94b1e4e6fd90451d365c4bbb107771940d26207f344858a6f88928eeca4cedd4ff6f30b7d5a057df5016e83046b6ed2c2d5290dac304dc66a44c947f6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
793c3833589f2cea8ec7daeb7d3b11b3

SHA1
1d9ef4b8730d1e529f92ea079a94b369c3851c6d

SHA256
3ce6e4e9d8e0e32c9114dd14441e92ee037872a969e6d9ec523d1455b3ebfc5a

SHA512
bb4fe166dab83705663d189b29a32d5313d528e025eb88610de06fc7e0916559c9e59d8d290c73d26503280932f7aba40f8e3175a896a3284df6e3d3d27c5637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BYN4WSI\Lithium_SS_Tool.exe
Filesize
5.4MB

MD5
ebe2be9d6019addd2d3b694b608f8704

SHA1
316e5af80769cd18ab700cb49d2ee512090d5ac5

SHA256
39b8a959c436bf0512b8f1719f4c4d7a7a3e9bc86e328643b5828897ca3c16d3

SHA512
3d75f4e81937fab6ff9885642c25763f46b20157120df921cce099dcb75cba9ac57a0886bfd8f85e0696ab6a732231c3830245faab6491882323fb9bc5314d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BYN4WSI\Lithium_SS_Tool.exe.5ss61a7.partial
Filesize
5.4MB

MD5
ebe2be9d6019addd2d3b694b608f8704

SHA1
316e5af80769cd18ab700cb49d2ee512090d5ac5

SHA256
39b8a959c436bf0512b8f1719f4c4d7a7a3e9bc86e328643b5828897ca3c16d3

SHA512
3d75f4e81937fab6ff9885642c25763f46b20157120df921cce099dcb75cba9ac57a0886bfd8f85e0696ab6a732231c3830245faab6491882323fb9bc5314d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\Lithium_SS_Tool[1].exe
Filesize
5.4MB

MD5
ebe2be9d6019addd2d3b694b608f8704

SHA1
316e5af80769cd18ab700cb49d2ee512090d5ac5

SHA256
39b8a959c436bf0512b8f1719f4c4d7a7a3e9bc86e328643b5828897ca3c16d3

SHA512
3d75f4e81937fab6ff9885642c25763f46b20157120df921cce099dcb75cba9ac57a0886bfd8f85e0696ab6a732231c3830245faab6491882323fb9bc5314d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9493.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9513.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FTPEXQLT.txt
Filesize
600B

MD5
bd6e5304b9f9283c37dc89111eb9b76e

SHA1
cd1d5d64f6b8b5311086c58db7e1a95ef8615ae1

SHA256
14b837feb38ca82e1f5a1b79e5a8791215ce34448bff6e8764d1c3e46631e212

SHA512
1729ced31758976e62bd4789e3ecd2e0ee481025efe51576d50a82faedbc039dbe631621fa0957da21fb23d499ccc053aa2f7abecae358e45c19b9a020a3681f

Download Submit
\ProgramData\Yinx\Lthmodules.exe
Filesize
5KB

MD5
98abf6dff5cda66b958a679f1244c089

SHA1
ed5b73fc414dccb83d6490ad2d633d7902db815c

SHA256
fc8a54d98e0e1eba585221545cada13d2e8d4b9242225137d0c446da29c9ca49

SHA512
0701dcfbaa5c1dceb7404d5b4289e8acf49298eda2d9bb9711565bb21d6e6652ee873c2158cad8c09ead17dcd4bab24f5f656d840b079a23c1e8b72084c76751

Download Submit
memory/572-54-0x0000000002070000-0x0000000002080000-memory.dmp

Filesize
64KB

Download
memory/660-55-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/812-169-0x000000013F760000-0x000000013F766000-memory.dmp

Filesize
24KB

Download
memory/1728-150-0x0000000001080000-0x00000000015F6000-memory.dmp

Filesize
5.5MB

Download
memory/1728-162-0x000000000E750000-0x000000000E8B4000-memory.dmp

Filesize
1.4MB

Download
memory/1728-163-0x0000000005420000-0x0000000005460000-memory.dmp

Filesize
256KB

Download
memory/1728-164-0x0000000005420000-0x0000000005460000-memory.dmp

Filesize
256KB

Download
memory/1728-161-0x0000000000C60000-0x0000000000C66000-memory.dmp

Filesize
24KB

Download
memory/1728-160-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/1728-159-0x0000000009EF0000-0x000000000A006000-memory.dmp

Filesize
1.1MB

Download
memory/1728-158-0x0000000009DA0000-0x0000000009EEA000-memory.dmp

Filesize
1.3MB

Download
memory/1728-170-0x0000000006280000-0x00000000062A0000-memory.dmp

Filesize
128KB

Download
memory/1728-157-0x0000000000A60000-0x0000000000ACA000-memory.dmp

Filesize
424KB

Download
memory/1728-260-0x0000000005420000-0x0000000005460000-memory.dmp

Filesize
256KB

Download
memory/1728-261-0x0000000005420000-0x0000000005460000-memory.dmp

Filesize
256KB

Download
memory/1728-262-0x0000000005420000-0x0000000005460000-memory.dmp

Filesize
256KB

Download
memory/1728-156-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/1728-155-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/1728-152-0x0000000009200000-0x0000000009C96000-memory.dmp

Filesize
10.6MB

Download
memory/1728-151-0x0000000005420000-0x0000000005460000-memory.dmp

Filesize
256KB

Download