hxxps://lxmn3aep4y63fbaf8fc81e6[.]lnder[.]ru/Mrbarkley@barkleyag[.]com

Analysis

max time kernel
101s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2023 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://lxmn3aep4y63fbaf8fc81e6.lnder.ru/[email protected]

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cloudflare.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cloudflare.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31027463"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\cloudflare.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31027463"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "388485549"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E90B82E3-DCFA-11ED-B7D7-7E7B9EA57A36} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3304976621"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3186692981"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31027463"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3186692981"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3207954275"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d0000000002000000000010660000000100002000000008529d640ddea7a92d0687719f7a14fac7b4c8319513ce9f397a2d806bf47299000000000e80000000020000200000002f4c68b4268ad37939f89e3388f9517570a493027b1688a760341dc92d6b63b8200000005c1bd8d0d99768c8e66fe037dda819eb8bcb7629390a5e6121ee32e6bef3160040000000fc4a53e0043a12508a7d882047714956c190f686dc9d7c477b0fa0b65783a1def970c433100a4b1ef1885f92dedcc99728f8ed99a549c9e242c8d7f42642c22c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31027463"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00b799b50771d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5012	iexplore.exe
5012	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5012	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
5012	iexplore.exe
5012	iexplore.exe
5104	IEXPLORE.EXE
5104	IEXPLORE.EXE
5104	IEXPLORE.EXE
5104	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 5104	5012	iexplore.exe	84
PID 5012 wrote to memory of 5104	5012	iexplore.exe	84
PID 5012 wrote to memory of 5104	5012	iexplore.exe	84
PID 5012 wrote to memory of 3572	5012	iexplore.exe	85
PID 5012 wrote to memory of 3572	5012	iexplore.exe	85
PID 5012 wrote to memory of 3572	5012	iexplore.exe	85

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://lxmn3aep4y63fbaf8fc81e6.lnder.ru/[email protected]
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5012 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5104
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5012 CREDAT:17414 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
3997e4fff915e95c536a47fd320b3f9d

SHA1
5dacf1068b8aab8a29f6f014c9efc7167e42e889

SHA256
d3d39ddb7fdcfd1a41bbd5f75efebe6caa9d01058078f257fe0e81626939d168

SHA512
e1673a7526b35eb4be3afe9caed1c4a9194cbb6d9be55906299c3f6cd4e5f292d75c2e6b28c051b5d2412a7a877f9b1d95207a73565eff7c2be161415c24ebb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
891b5acf10b182162f05a8c36b7b0e22

SHA1
fed1a5048dffb073be946b34a2ec5d06c2834691

SHA256
e3b3d4764d28f69161d04db149d7eab78f50c84f00b21cf0013ff2a06da420ab

SHA512
74a15c06837d5a95adc89d6c48675d169e0f8bc14103874fe84f7a84e1e3b385f832a732543b9aa74fad45bf48335a0050d4d9df1f53945cc7caed1eefbe7679

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
cfbc16e33dcbef6f773f0f79af528f45

SHA1
ecb8d5e8107bc671dd57fb2a137c00bffa419f1f

SHA256
f0937890fb1053069baac97b7992c6d22cb74cae20317fc05d51070d96950ffa

SHA512
59ac2ead1eb84edffb06867850beb1e63f72c5b5415abd2fd4e7c2a1922c368f612d2a0288c00e32d5da47c4a77968ffbe72660a8d1f577f44fb20df9c11a4af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
449ec2615faffa47e3e3f04e11ce9545

SHA1
aa44e352a837babbeea09857c15049f2000f3bfa

SHA256
f1b5a515cec3c5e255fb7c965ee061f69f8dd7acd64d78e2dc4ebbcbce417691

SHA512
57a0c575e6dafe9fd5ae179d18bd5e3e7e9988877c0895f27c84591723174f2d8572969ab1b30b7a88818afdff74888e11b8114b7c4c549aa0f498ae922d9537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
b1d718f064ff2974ce1ea854c94ff6fd

SHA1
696ea74b4aa34340d345eaaef7b77a87fb41e632

SHA256
ced5954b0f29d38c8048e434fd8b1c7f4b41884016551512da5a7409d5619869

SHA512
81034248c3db3ea6724e56adcba77df13f980162afcd762f5626651e7a228588c120096099de58078973c974c8a9b3dddf0f01265f09e26b5f1550adf316aee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
09294834648efdcaa61170804966d8c8

SHA1
11b80cbcc7b2bf7c860630e64300c3b4f78f2fa6

SHA256
5155c3a87e8b26dc3ea2bd5b423fa444765275cdceaf502ffc041c1a7a3f2b13

SHA512
c495f604b77c17bd4ee5f660fce15b4a70bd7000bfae68b8b3ec8e7549ce5f708346dd3261c77aecaeb671832d55c2b209c658971822c0b71adc398781066e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit