Analysis
- max time kernel: 151s
- max time network: 133s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 16:33
- Static task: static1
- Behavioral task: behavioral1
  Sample: murofet_0.0.0.6.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
- Behavioral task: behavioral2
  Sample: murofet_0.0.0.6.vir.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: murofet_0.0.0.6.vir.exe
- Size: 151KB
- MD5: fef45e9f4e89eee7bb69e10057fcc60f
- SHA1: b28423b88beaace458f4fe3f0d2cb22c9352fa9d
- SHA256: ea5f48d67be02c10be233f036a23126577e2f394335a78e3d44c8bcb3e754caa
- SHA512: 4c383a254741fa7c33669ef9edc1fc10dfe2949f76bebd0f2e5674ec8d6b537c9605b5b8986a8d5f5e9f230dccfab36aa688431eac1acafb550c7ef76a83fc36
- Score: 8/10
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (47 IoCs)
Processes:
- 888 murofet_0.0.0.6.vir.exe (2 events)
- 1048 xadi.exe (the remaining events)

Executes dropped EXE (1 IoC)
Processes:
- 1048 xadi.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- 1448 WinMail.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 888 murofet_0.0.0.6.vir.exe set thread context of PID 1240 cmd.exe

Deletes itself (1 IoC)
Processes:
- 1240 cmd.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
- Token: SeSecurityPrivilege, 888 murofet_0.0.0.6.vir.exe (3 events)
- Token: SeManageVolumePrivilege, 1448 WinMail.exe
- Token: SeSecurityPrivilege, 1240 cmd.exe

Loads dropped DLL (1 IoC)
Processes:
- 888 murofet_0.0.0.6.vir.exe

Suspicious use of WriteProcessMemory (108 IoCs)
Processes (source PID wrote to memory of target PID; most pairs appear repeatedly in the raw listing, and the page shows only the first part of the 108 events):
- 888 murofet_0.0.0.6.vir.exe -> 1048 xadi.exe
- 1048 xadi.exe -> 1152 taskhost.exe
- 1048 xadi.exe -> 1260 Dwm.exe
- 1048 xadi.exe -> 1296 Explorer.EXE
- 1048 xadi.exe -> 888 murofet_0.0.0.6.vir.exe
- 1048 xadi.exe -> 1448 WinMail.exe
- 888 murofet_0.0.0.6.vir.exe -> 1240 cmd.exe
- 1048 xadi.exe -> 1440 DllHost.exe
- 1048 xadi.exe -> 1620 DllHost.exe
- 1048 xadi.exe -> 1936 DllHost.exe
- 1048 xadi.exe -> 1484 DllHost.exe
- 1048 xadi.exe -> 288 DllHost.exe
- 1048 xadi.exe -> 1524 DllHost.exe
Modifies Internet Explorer settings
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy (murofet_0.0.0.6.vir.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (murofet_0.0.0.6.vir.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run (xadi.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9557F7E9-DCE5-3DD3-738B-6CFE83BDD5AD} = "C:\\Users\\Admin\\AppData\\Roaming\\Guavof\\xadi.exe" (xadi.exe)

NTFS ADS (1 IoC)
Processes:
- File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\76000CE7-00000001.eml:OECustomProperty (WinMail.exe)
Processes (nested by parent/child depth as shown in the report)
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.6.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.6.vir.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Loads dropped DLL; Suspicious use of WriteProcessMemory; Modifies Internet Explorer settings
    - C:\Users\Admin\AppData\Roaming\Guavof\xadi.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Guavof\xadi.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses; Executes dropped EXE; Suspicious use of WriteProcessMemory; Adds Run key to start application
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp18c2018b.bat"
      Signatures: Deletes itself; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Windows Mail\WinMail.exe
  Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of AdjustPrivilegeToken; NTFS ADS
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe (13 instances)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- C:\Users\Admin\AppData\Local\Temp\tmp18c2018b.bat
- C:\Users\Admin\AppData\Roaming\Guavof\xadi.exe
- C:\Users\Admin\AppData\Roaming\Guavof\xadi.exe
- C:\Users\Admin\AppData\Roaming\Gyafy\gona.naq
- \Users\Admin\AppData\Roaming\Guavof\xadi.exe
- memory/1048-1-0x0000000000000000-mapping.dmp
- memory/1240-25-0x0000000000071F4A-mapping.dmp
- memory/1240-23-0x0000000000050000-0x000000000007C000-memory.dmp (filesize 176KB)
- memory/1448-15-0x0000000003AF0000-0x0000000003AF2000-memory.dmp (filesize 8KB)
- memory/1448-21-0x0000000003F60000-0x0000000003F62000-memory.dmp (filesize 8KB)
- memory/1448-16-0x0000000003AE0000-0x0000000003AE2000-memory.dmp (filesize 8KB)
- memory/1448-17-0x0000000003F60000-0x0000000003F62000-memory.dmp (filesize 8KB)
- memory/1448-18-0x0000000003AF0000-0x0000000003AF2000-memory.dmp (filesize 8KB)
- memory/1448-19-0x0000000003E50000-0x0000000003E52000-memory.dmp (filesize 8KB)
- memory/1448-20-0x0000000003EE0000-0x0000000003EE2000-memory.dmp (filesize 8KB)
- memory/1448-14-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (filesize 8KB)
- memory/1448-22-0x0000000003F40000-0x0000000003F42000-memory.dmp (filesize 8KB)
- memory/1448-10-0x0000000003980000-0x0000000003A80000-memory.dmp (filesize 1024KB)
- memory/1448-9-0x0000000003880000-0x0000000003A80000-memory.dmp (filesize 2.0MB)
- memory/1448-8-0x0000000003880000-0x0000000003980000-memory.dmp (filesize 1024KB)
- memory/1448-6-0x0000000003880000-0x0000000003A80000-memory.dmp (filesize 2.0MB)
- memory/1448-4-0x0000000003880000-0x0000000003980000-memory.dmp (filesize 1024KB)