hxxps://github[.]com/imperiska/lekers/blob/main/uthjasjedf[.]exe

Resubmissions

25-01-2025 13:26

250125-qp1zjswmhj 10

25-01-2025 13:25

250125-qn4ztawmdr 3

24-01-2025 18:46

250124-xepxvstpdk 10

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/imperiska/lekers/blob/main/uthjasjedf.exe

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8037CF1-DB1F-11EF-AB3B-C60424AAF5E1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2352	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2352	iexplore.exe
2352	iexplore.exe
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2128	2352	iexplore.exe	30
PID 2352 wrote to memory of 2128	2352	iexplore.exe	30
PID 2352 wrote to memory of 2128	2352	iexplore.exe	30
PID 2352 wrote to memory of 2128	2352	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/imperiska/lekers/blob/main/uthjasjedf.exe
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
0ee4d1b0b6a9a03365ebdb0cf9890f4b

SHA1
fe6a080141710a2fcc78eb6973d4a4aab295f980

SHA256
2edd8c054dbd727a144055d2ce854631c1acb63394e5921d13c2e906db6f95c2

SHA512
4dd65f719e727ab8c6a911a69840773680f0ba9daed6ab87773914d9e33478143bf9dda77b51addb295f3cf0eecbba809da09ffb7569ef14aace911fb4297934

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
1377275d5101b19fca91b1d9c3598e4a

SHA1
1ae691c76fd89c93aae8d7cac235ef82f2def01d

SHA256
f198314ee09f7adc845d9fe2f67e9c06c63430c4b3ee0946d1e5b2a88d8bb997

SHA512
47fdadefaf686888a3ce69b646929229fb24bd9bb6082b031c5d54e2516eec1244c9c159d986a7456f6fdd0dbca143a55591ee37e8fbc65e2b37c3249e5a73b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7a58347a5ad57534462e67fb74e6bf9

SHA1
e05d91d3a7cdc3cacd507d80c070df606e2fb935

SHA256
0b896a922152bdb45c35f8532a83181f3ea8b2427aac6dfd6d826fad58ef0644

SHA512
22e72472cb2dfe03561790d0363d26562d60e12452a49bb1ebf01a67c8d19484b7e0d2a2dda8b1c2b2100eab5dd6921a40f480db26d498c446a0e1ebe6308d09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b25de03b0c42f7e43e65c1c115fab5ac

SHA1
e1f79b5a2deb52984d7074aa607cd233e7cb463d

SHA256
93ca31c68ff543efcb81c4903db76ba8ec5a9e9e05e2a95a566d5ed106081a49

SHA512
4392d4613d5f62b0050d622515a0824cb80fba7f7f353427460166f2b0d9bffd4f4276e321b45dc1a347d961423fd55d57eedf01bb4dce809bd0e7a680b9113d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5648caa32894571a73bdc145fc4ed89

SHA1
1e7b7dda3f64b42ab008ad3ecd3222bf73f4fed6

SHA256
664e17349c57fbd2536e9510ca4cf110a0f9108a4fd0d77a8678d863ed9fdad0

SHA512
b191ef650878dde62b1103fc4bcedb9f1607fa4b82937461b8067fe73f264cdb252dd05fc3d9732ce48eb51b3bcc601450f5e634e8792af723aa97bd4238a552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00cc6ee2cd635330e6f44e726686912e

SHA1
330734081c2e42eadaf6e9068d9a874eb8655df5

SHA256
3378fdc462154742b11c06107b5f03756cc8598654a78e08f9952c97fdad9b33

SHA512
2f2d656bd8324d42b6e4823bc9f284c90d86b17c10ada3ba7c214bdf5b5c9f555b70e35b097efb865ef67759c7fc2cd14ad0fda4be702fa24894a868461a3773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87ec0011c8be2e84ef281542ef96e6cb

SHA1
4c8bc57c73da635a21661ee9cfcbb04c3776c5bf

SHA256
57ad9882519c3c541cd6f5e8611e9c26b35a1f1d275114b17838504bd2e7fbe2

SHA512
ea7735b8bdc1dbb81145af9fd57bac99e1bec314529703aa54840f83b90aa0935687f5b1786b85d1b3b1561eb910415df420f745cfa0b829cd6af3d7e779187b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3a9b0d7c15ac77d368b4afaf7f82e9d

SHA1
ac9e7ed3abcb46534265cba0ad919a9686c73429

SHA256
4d36187c030b2f79c53d206f6b458d4925d78232443113758c3f558539d58505

SHA512
3f91c9c827f599802b14032804647b0ebc4f4f259bb6b13a830a5b9b34a16e92f206599064c4e0fe3131acde7325e6ecd37940697140588c0f20abf77991d99d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7a777477d8ab91e714f5a4f3d0b18f5

SHA1
2f1696ccc728184950c130e6dbaddcf8bd0b45db

SHA256
63559abe8245a1b27026c4f8380a8a34e608035cd1501f21712138db3f2aa57b

SHA512
bbd35ebe73b200bdd7f556f99d75380ef8383852d0c0f9dd0774ac23796f0ea29d6437f9d69b193166e53dc9016cc398af6e3b7a85689b4a78c1af2fccfd491c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
072a87642298493c6505a2db12962b8a

SHA1
3e5b786eb97cef38424566ec31dad7ef74809e87

SHA256
2d549927f429cd66277c2b93c0ad5c7be230419fd7527d53857426bf2f1b5111

SHA512
1382e2c9903a77872587d2fea55f9d9e2d84910dba5be62c29346e20bffdfa096c2cb6e489eca5d8ac1ea758052c59cdd141cb262fd8e321833df9b28aa531bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4def7bf3b9f679dd22e18cd2e47819e

SHA1
3bdcf8af2604e2344e6c985982f674b513c39a16

SHA256
695fbd8aaba7e5875ad7630251910d008cc74d62523cdc450eab33cffa85cf2f

SHA512
87089d83fb2833d7f7fd780006f4bcac8318392c1bf313dbf13ea27aee4a89b459c75e0224a88306b86a01dff6adba9fd3d67d1123c58fe521acd8a6c9bfde56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc13f5c95866746ffd0b3b8e806fdf6f

SHA1
c5b87b6ea65442e83e8e1a8553a2745c6a7d2105

SHA256
4b6def2ef74670a42e11b563e00a5bfcec09a7e99d3bb3d65114c884b40a22a1

SHA512
68d74685c6b3d00c9ca23f75d86475b8ed5541b6186a1da0279a794a878ea3e5828c8b64d114ed75b9acf83f23c96eee2d9b8f372e39e96f803ce7f9d95d29e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ead32963d08c2b9bc88ff1f2cdd3140

SHA1
11a18a9e750ace1deaa4015d4dc8c3662ca21259

SHA256
2f30db26761eb0ae343267d57eef2761ba418638524a29e960b0f2558c5cb832

SHA512
2a4a4c2180c4922d5845d906bff828869708bf29b9bb761787f77bbdb4e51ae0968426cc304009cde482d3d917617c482e291cc33be277dee87a1a2d8fb14750

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cba8c31ba4be368e1ba04e13b0642036

SHA1
ef3b61d168303b60aea314e6c5e874425efd9375

SHA256
05c9d9e195dc32223ee83159e51343acf30b4612e93c8d86a3411d8c56491bd0

SHA512
8fce8c27181b590b67781303fb6dadb0d6264a8ddf9b9f5da8c29bc55dcd2509701a452b8a83993b8ae9af0f13ad4c5bdd139ea94475d200f6042b76032495e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
410ddb36a76d15f428275594a4d69a3d

SHA1
888c5f606673c9528e4f7f6254aeac05e77fe8df

SHA256
95fe1b49d71528dd86e7968fd47a32a2bc564d12931b79f1e547a20df536f2a1

SHA512
434139cc84956996d69d5e6b06d5ce99a6390a3ec8804f3ca68e0622cd164c1292a78c820bba64eb2f5062edfd18256e75921334ca0d90b55e7d64cced6c905b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

Filesize
1KB

MD5
ad58da7baf38dc89fe2b441e7bfa5431

SHA1
a097f1fb1396c94cf3f96bb3300d8f766b842261

SHA256
4f0e8667f19430cbb2d27ea64e8934ffaa47692fb60666787197051eaa859e6f

SHA512
c890605e4df290336fc228eb7eba8da4f47aa64fc7eab3775cfafb18c5c661242758ba8f00863e36e61bcf40330d778add80b7da0a3a41ea7bd565622b63c426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\favicon[1].png

Filesize
958B

MD5
346e09471362f2907510a31812129cd2

SHA1
323b99430dd424604ae57a19a91f25376e209759

SHA256
74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08

SHA512
a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBAF6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBBB6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit