Analysis
- max time kernel: 151s
- max time network: 133s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 17:26
Static task: static1

Behavioral task: behavioral1
- Sample: murofet_0.0.0.3.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: murofet_0.0.0.3.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: murofet_0.0.0.3.vir.exe
- Size: 148KB
- MD5: 7e186ad404f718e02585d82c0436e200
- SHA1: 280c03893a96686762c5616dc7ff94a944b00bdd
- SHA256: 9b18a3d6d3381cce0f58f433e0bc7bddcf12b7ffde0094ce8842239ad72da570
- SHA512: eaaecc8859cd0640f2e7619309496d7d61410f32f957f1a284cea778f7296192262f2874615eb4c68aff8d2b15d21e623e0bac598e41cab58c9fe18621240e7d
- Score: 8/10
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wauzu.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{18595552-64F4-7A19-E3AA-62EF6119250D} = "C:\\Users\\Admin\\AppData\\Roaming\\Ynqia\\wauzu.exe" | wauzu.exe
- Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run | wauzu.exe

NTFS ADS (1 IoCs)
Processes: WinMail.exe
description | ioc | process
- File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\64591E1C-00000001.eml:OECustomProperty | WinMail.exe

Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes: murofet_0.0.0.3.vir.exe, wauzu.exe
pid | process
- 1500 | murofet_0.0.0.3.vir.exe
- 1500 | murofet_0.0.0.3.vir.exe
- 364 | wauzu.exe (this row is repeated for all remaining entries)

Loads dropped DLL (1 IoCs)
Processes: murofet_0.0.0.3.vir.exe
pid | process
- 1500 | murofet_0.0.0.3.vir.exe

Suspicious use of WriteProcessMemory (103 IoCs)
Processes: murofet_0.0.0.3.vir.exe, wauzu.exe
description | pid | process | target process
(consecutive identical rows are collapsed; the page shows only part of the 103 entries)
- PID 1500 wrote to memory of 364 | 1500 | murofet_0.0.0.3.vir.exe | wauzu.exe
- PID 364 wrote to memory of 1160 | 364 | wauzu.exe | taskhost.exe
- PID 364 wrote to memory of 1240 | 364 | wauzu.exe | Dwm.exe
- PID 364 wrote to memory of 1316 | 364 | wauzu.exe | Explorer.EXE
- PID 364 wrote to memory of 1500 | 364 | wauzu.exe | murofet_0.0.0.3.vir.exe
- PID 364 wrote to memory of 740 | 364 | wauzu.exe | WinMail.exe
- PID 1500 wrote to memory of 1864 | 1500 | murofet_0.0.0.3.vir.exe | cmd.exe
- PID 364 wrote to memory of 1464 | 364 | wauzu.exe | DllHost.exe
- PID 364 wrote to memory of 1596 | 364 | wauzu.exe | DllHost.exe
- PID 364 wrote to memory of 1960 | 364 | wauzu.exe | DllHost.exe
- PID 364 wrote to memory of 1012 | 364 | wauzu.exe | DllHost.exe
- PID 364 wrote to memory of 1696 | 364 | wauzu.exe | DllHost.exe
- PID 364 wrote to memory of 1612 | 364 | wauzu.exe | DllHost.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: murofet_0.0.0.3.vir.exe
description | pid | process | target process
- PID 1500 set thread context of 1864 | 1500 | murofet_0.0.0.3.vir.exe | cmd.exe
Modifies Internet Explorer settings
Processes: murofet_0.0.0.3.vir.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy | murofet_0.0.0.3.vir.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | murofet_0.0.0.3.vir.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: murofet_0.0.0.3.vir.exe, WinMail.exe, cmd.exe
description | pid | process
- Token: SeSecurityPrivilege | 1500 | murofet_0.0.0.3.vir.exe
- Token: SeSecurityPrivilege | 1500 | murofet_0.0.0.3.vir.exe
- Token: SeSecurityPrivilege | 1500 | murofet_0.0.0.3.vir.exe
- Token: SeManageVolumePrivilege | 740 | WinMail.exe
- Token: SeSecurityPrivilege | 1864 | cmd.exe

Executes dropped EXE (1 IoCs)
Processes: wauzu.exe
pid | process
- 364 | wauzu.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: WinMail.exe
pid | process
- 740 | WinMail.exe

Deletes itself (1 IoCs)
Processes: cmd.exe
pid | process
- 1864 | cmd.exe
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.3.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.3.vir.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\Ynqia\wauzu.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Ynqia\wauzu.exe"
      Signatures:
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp51ae76d1.bat"
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
      - Deletes itself
- C:\Program Files\Windows Mail\WinMail.exe
  Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  Signatures:
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  (12 separate top-level instances with this command line)
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- C:\Users\Admin\AppData\Local\Temp\tmp51ae76d1.bat
- C:\Users\Admin\AppData\Roaming\Goamih\qopou.cyu
- C:\Users\Admin\AppData\Roaming\Ynqia\wauzu.exe
- C:\Users\Admin\AppData\Roaming\Ynqia\wauzu.exe
- \Users\Admin\AppData\Roaming\Ynqia\wauzu.exe
- memory/364-1-0x0000000000000000-mapping.dmp
- memory/740-15-0x0000000003AF0000-0x0000000003AF2000-memory.dmp (Filesize 8KB)
- memory/740-19-0x0000000003C40000-0x0000000003C42000-memory.dmp (Filesize 8KB)
- memory/740-14-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize 8KB)
- memory/740-9-0x00000000038C0000-0x0000000003AC0000-memory.dmp (Filesize 2.0MB)
- memory/740-16-0x0000000003AE0000-0x0000000003AE2000-memory.dmp (Filesize 8KB)
- memory/740-17-0x0000000003DC0000-0x0000000003DC2000-memory.dmp (Filesize 8KB)
- memory/740-18-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize 8KB)
- memory/740-10-0x00000000039C0000-0x0000000003AC0000-memory.dmp (Filesize 1024KB)
- memory/740-20-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize 8KB)
- memory/740-21-0x0000000003EA0000-0x0000000003EA2000-memory.dmp (Filesize 8KB)
- memory/740-22-0x0000000003E80000-0x0000000003E82000-memory.dmp (Filesize 8KB)
- memory/740-4-0x00000000038C0000-0x00000000039C0000-memory.dmp (Filesize 1024KB)
- memory/740-8-0x00000000038C0000-0x00000000039C0000-memory.dmp (Filesize 1024KB)
- memory/740-6-0x00000000038C0000-0x0000000003AC0000-memory.dmp (Filesize 2.0MB)
- memory/1864-25-0x000000000005C620-mapping.dmp
- memory/1864-23-0x0000000000050000-0x000000000007D000-memory.dmp (Filesize 180KB)