Spelevo Exploit Kit delivers malware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2019-12-03-Spelevo-ek-pcap.zip

ASSOCIATED DOMAINS:

188.127.249.55 – synth.website – REDIRECT TO SPELEVO EXPLOIT KIT
95.211.5.245 – azalea.bettinaasturias.info GET /2enc3vtauocj0q/pascual-orel-ghanaian – SPELEVO EXPLOIT KIT
95.211.5.245 – azalea.bettinaasturias.info POST /2enc3vtauocj0q/?013372618f8c2c – SPELEVO EXPLOIT KIT
DNS Query Only – hoyteve.xyz – UNKNOWN C2

SOME ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

[Sysmon Event 1] – iexplore.exe parent process for dropped malware
Image C:\Users\Thomas\AppData\Local\Temp\1435958.exe
FileVersion 2003, 10, 1, 1
Description nProtect KeyCrypt Program Database DLL
Product nProtect KeyCrypt Program Database DLL
Company INCA Internet Co., Ltd.
CommandLine "C:\Users\Thomas\AppData\Local\Temp\1435958.exe"
CurrentDirectory C:\Users\Thomas\Desktop\
User Thomas-PC\Thomas
Hashes MD5=7065E7A0951909B08212DF47EF673E18,SHA256=8167DC70E875AF74595403243E1F0F38233BAF8F361697A48E371D300C0CBE76
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
ParentCommandLine "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1916 CREDAT:144385 /prefetch:2
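The Sysmon record above is the pattern to hunt for on endpoints: a browser process (here iexplore.exe) spawning a freshly dropped executable out of the user's AppData\Local\Temp directory. The following script is an added example, not code from the original post; it parses Sysmon Event 1 records rendered in the same "Key Value" per-line layout shown above (the sample records are constructed for the example, with the first one reproducing the page's event), flags browser-to-Temp process spawns, and also matches the SHA-256 listed on the page. The browser list beyond iexplore.exe and the helper names are assumptions for illustration.

```python
import re
from typing import Dict, List

# SHA-256 of the payload listed on the page (1435958.exe).
KNOWN_PAYLOAD_SHA256 = {
    "8167dc70e875af74595403243e1f0f38233baf8f361697a48e371d300c0cbe76",
}

# Browser images whose child processes are worth scrutinising for drive-by
# infections. iexplore.exe comes from the page; the others are assumptions.
BROWSER_IMAGES = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# User-writable drop location seen in the page's Sysmon event.
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_sysmon_text(block: str) -> Dict[str, str]:
    """Parse a 'Key Value' per-line Sysmon Event 1 rendering into a dict.
    Only the first space separates key from value, so values may contain spaces."""
    fields: Dict[str, str] = {}
    for line in block.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        fields[key] = value.strip()
    return fields


def parse_hashes(hashes_field: str) -> Dict[str, str]:
    """Split 'MD5=...,SHA256=...' into {algorithm: lowercase digest}."""
    out: Dict[str, str] = {}
    for item in hashes_field.split(","):
        algo, _, digest = item.partition("=")
        if algo and digest:
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def basename(path: str) -> str:
    """Final path component, lowercased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(fields: Dict[str, str]) -> List[str]:
    """Return the list of reasons a single Event 1 record looks suspicious."""
    reasons: List[str] = []
    image = fields.get("Image", "")
    parent = fields.get("ParentImage", "")
    # Behavioural check: browser launching an .exe from AppData\Local\Temp.
    if (basename(parent) in BROWSER_IMAGES
            and TEMP_PATH_RE.search(image)
            and image.lower().endswith(".exe")):
        reasons.append("browser spawned executable from AppData\\Local\\Temp")
    # Indicator check: hash matches the payload documented on the page.
    sha256 = parse_hashes(fields.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_PAYLOAD_SHA256:
        reasons.append("SHA256 matches known Spelevo payload")
    return reasons


def hunt(records: List[str]) -> List[dict]:
    """Evaluate every record and return only those with at least one reason."""
    hits = []
    for rec in records:
        fields = parse_sysmon_text(rec)
        reasons = evaluate(fields)
        if reasons:
            hits.append({"Image": fields.get("Image"),
                         "ParentImage": fields.get("ParentImage"),
                         "reasons": reasons})
    return hits


# Constructed sample records. The first mirrors the page's event; the second
# is a benign spawn; the third is a browser-to-Temp spawn with an unknown hash.
SAMPLE_RECORDS = [
    r"""
Image C:\Users\Thomas\AppData\Local\Temp\1435958.exe
CommandLine "C:\Users\Thomas\AppData\Local\Temp\1435958.exe"
User Thomas-PC\Thomas
Hashes MD5=7065E7A0951909B08212DF47EF673E18,SHA256=8167DC70E875AF74595403243E1F0F38233BAF8F361697A48E371D300C0CBE76
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
""",
    r"""
Image C:\Windows\System32\notepad.exe
Hashes SHA256=0000000000000000000000000000000000000000000000000000000000000001
ParentImage C:\Windows\explorer.exe
""",
    r"""
Image C:\Users\Thomas\AppData\Local\Temp\setup_99.exe
Hashes SHA256=0000000000000000000000000000000000000000000000000000000000000002
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
""",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit)
```

The behavioural rule fires even when the hash is unknown, which is the point of hunting this way: the payload name and hash change between campaigns, but a browser writing and executing a binary in Temp does not. Tune the browser and path lists to the estate, and expect to whitelist legitimate installers that browsers launch from Temp.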

IMAGES AND DETAILS:

[Image] Shown above: Network traffic associated with the Spelevo Exploit Kit

[Image] Shown above: Post-infection DNS queries associated with dropped malware

MALICIOUS PAYLOAD ASSOCIATED WITH SPELEVO EK:

1435958.exe – ORIGINAL PAYLOAD
SHA-256: 8167dc70e875af74595403243e1f0f38233baf8f361697a48e371d300c0cbe76
VirusTotal Link