9b18a3d6d3381cce0f58f433e0bc7bddcf12b7ffde0094ce8842239ad72da570

General

Target

murofet_0.0.0.3.vir.exe
Size

148KB
MD5

7e186ad404f718e02585d82c0436e200
SHA1

280c03893a96686762c5616dc7ff94a944b00bdd
SHA256

9b18a3d6d3381cce0f58f433e0bc7bddcf12b7ffde0094ce8842239ad72da570
SHA512

eaaecc8859cd0640f2e7619309496d7d61410f32f957f1a284cea778f7296192262f2874615eb4c68aff8d2b15d21e623e0bac598e41cab58c9fe18621240e7d

Score

8^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wauzu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{18595552-64F4-7A19-E3AA-62EF6119250D} = "C:\\Users\\Admin\\AppData\\Roaming\\Ynqia\\wauzu.exe"	wauzu.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	wauzu.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\64591E1C-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

murofet_0.0.0.3.vir.exewauzu.exe

pid	process
1500	murofet_0.0.0.3.vir.exe
1500	murofet_0.0.0.3.vir.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe
364	wauzu.exe

Loads dropped DLL 1 IoCs

Processes:

murofet_0.0.0.3.vir.exe

pid process

1500 murofet_0.0.0.3.vir.exe

Suspicious use of WriteProcessMemory 103 IoCs

Processes:

murofet_0.0.0.3.vir.exewauzu.exe

description	pid	process	target process
PID 1500 wrote to memory of 364	1500	murofet_0.0.0.3.vir.exe	wauzu.exe
PID 1500 wrote to memory of 364	1500	murofet_0.0.0.3.vir.exe	wauzu.exe
PID 1500 wrote to memory of 364	1500	murofet_0.0.0.3.vir.exe	wauzu.exe
PID 1500 wrote to memory of 364	1500	murofet_0.0.0.3.vir.exe	wauzu.exe
PID 364 wrote to memory of 1160	364	wauzu.exe	taskhost.exe
PID 364 wrote to memory of 1160	364	wauzu.exe	taskhost.exe
PID 364 wrote to memory of 1160	364	wauzu.exe	taskhost.exe
PID 364 wrote to memory of 1160	364	wauzu.exe	taskhost.exe
PID 364 wrote to memory of 1160	364	wauzu.exe	taskhost.exe
PID 364 wrote to memory of 1240	364	wauzu.exe	Dwm.exe
PID 364 wrote to memory of 1240	364	wauzu.exe	Dwm.exe
PID 364 wrote to memory of 1240	364	wauzu.exe	Dwm.exe
PID 364 wrote to memory of 1240	364	wauzu.exe	Dwm.exe
PID 364 wrote to memory of 1240	364	wauzu.exe	Dwm.exe
PID 364 wrote to memory of 1316	364	wauzu.exe	Explorer.EXE
PID 364 wrote to memory of 1316	364	wauzu.exe	Explorer.EXE
PID 364 wrote to memory of 1316	364	wauzu.exe	Explorer.EXE
PID 364 wrote to memory of 1316	364	wauzu.exe	Explorer.EXE
PID 364 wrote to memory of 1316	364	wauzu.exe	Explorer.EXE
PID 364 wrote to memory of 1500	364	wauzu.exe	murofet_0.0.0.3.vir.exe
PID 364 wrote to memory of 1500	364	wauzu.exe	murofet_0.0.0.3.vir.exe
PID 364 wrote to memory of 1500	364	wauzu.exe	murofet_0.0.0.3.vir.exe
PID 364 wrote to memory of 1500	364	wauzu.exe	murofet_0.0.0.3.vir.exe
PID 364 wrote to memory of 1500	364	wauzu.exe	murofet_0.0.0.3.vir.exe
PID 364 wrote to memory of 740	364	wauzu.exe	WinMail.exe
PID 364 wrote to memory of 740	364	wauzu.exe	WinMail.exe
PID 364 wrote to memory of 740	364	wauzu.exe	WinMail.exe
PID 364 wrote to memory of 740	364	wauzu.exe	WinMail.exe
PID 364 wrote to memory of 740	364	wauzu.exe	WinMail.exe
PID 1500 wrote to memory of 1864	1500	murofet_0.0.0.3.vir.exe	cmd.exe
PID 1500 wrote to memory of 1864	1500	murofet_0.0.0.3.vir.exe	cmd.exe
PID 1500 wrote to memory of 1864	1500	murofet_0.0.0.3.vir.exe	cmd.exe
PID 1500 wrote to memory of 1864	1500	murofet_0.0.0.3.vir.exe	cmd.exe
PID 1500 wrote to memory of 1864	1500	murofet_0.0.0.3.vir.exe	cmd.exe
PID 1500 wrote to memory of 1864	1500	murofet_0.0.0.3.vir.exe	cmd.exe
PID 1500 wrote to memory of 1864	1500	murofet_0.0.0.3.vir.exe	cmd.exe
PID 1500 wrote to memory of 1864	1500	murofet_0.0.0.3.vir.exe	cmd.exe
PID 1500 wrote to memory of 1864	1500	murofet_0.0.0.3.vir.exe	cmd.exe
PID 364 wrote to memory of 1464	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1464	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1464	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1464	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1464	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1596	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1596	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1596	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1596	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1596	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1960	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1960	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1960	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1960	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1960	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1012	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1012	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1012	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1012	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1012	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1696	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1696	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1696	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1696	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1696	364	wauzu.exe	DllHost.exe
PID 364 wrote to memory of 1612	364	wauzu.exe	DllHost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

murofet_0.0.0.3.vir.exe

description pid process target process

PID 1500 set thread context of 1864 1500 murofet_0.0.0.3.vir.exe cmd.exe

description	pid	process	target process
PID 1500 set thread context of 1864	1500	murofet_0.0.0.3.vir.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

murofet_0.0.0.3.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy	murofet_0.0.0.3.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	murofet_0.0.0.3.vir.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

murofet_0.0.0.3.vir.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	1500	murofet_0.0.0.3.vir.exe
Token: SeSecurityPrivilege	1500	murofet_0.0.0.3.vir.exe
Token: SeSecurityPrivilege	1500	murofet_0.0.0.3.vir.exe
Token: SeManageVolumePrivilege	740	WinMail.exe
Token: SeSecurityPrivilege	1864	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

wauzu.exe

pid process

364 wauzu.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

740 WinMail.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1864 cmd.exe

pid	process
364	wauzu.exe

pid	process
740	WinMail.exe

pid	process
1864	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1160

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.3.vir.exe
"C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.3.vir.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Users\Admin\AppData\Roaming\Ynqia\wauzu.exe
"C:\Users\Admin\AppData\Roaming\Ynqia\wauzu.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp51ae76d1.bat"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Deletes itself
PID:1864

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:268

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1684

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1900

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51ae76d1.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Goamih\qopou.cyu

Download Submit
C:\Users\Admin\AppData\Roaming\Ynqia\wauzu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ynqia\wauzu.exe

Download Submit
\Users\Admin\AppData\Roaming\Ynqia\wauzu.exe

Download Submit
memory/364-1-0x0000000000000000-mapping.dmp

Download
memory/740-15-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/740-19-0x0000000003C40000-0x0000000003C42000-memory.dmp

Filesize
8KB

Download
memory/740-14-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/740-9-0x00000000038C0000-0x0000000003AC0000-memory.dmp

Filesize
2.0MB

Download
memory/740-16-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/740-17-0x0000000003DC0000-0x0000000003DC2000-memory.dmp

Filesize
8KB

Download
memory/740-18-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/740-10-0x00000000039C0000-0x0000000003AC0000-memory.dmp

Filesize
1024KB

Download
memory/740-20-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/740-21-0x0000000003EA0000-0x0000000003EA2000-memory.dmp

Filesize
8KB

Download
memory/740-22-0x0000000003E80000-0x0000000003E82000-memory.dmp

Filesize
8KB

Download
memory/740-4-0x00000000038C0000-0x00000000039C0000-memory.dmp

Filesize
1024KB

Download
memory/740-8-0x00000000038C0000-0x00000000039C0000-memory.dmp

Filesize
1024KB

Download
memory/740-6-0x00000000038C0000-0x0000000003AC0000-memory.dmp

Filesize
2.0MB

Download
memory/1864-25-0x000000000005C620-mapping.dmp

Download
memory/1864-23-0x0000000000050000-0x000000000007D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads