ea5f48d67be02c10be233f036a23126577e2f394335a78e3d44c8bcb3e754caa

General

Target

murofet_0.0.0.6.vir.exe
Size

151KB
MD5

fef45e9f4e89eee7bb69e10057fcc60f
SHA1

b28423b88beaace458f4fe3f0d2cb22c9352fa9d
SHA256

ea5f48d67be02c10be233f036a23126577e2f394335a78e3d44c8bcb3e754caa
SHA512

4c383a254741fa7c33669ef9edc1fc10dfe2949f76bebd0f2e5674ec8d6b537c9605b5b8986a8d5f5e9f230dccfab36aa688431eac1acafb550c7ef76a83fc36

Score

8^/10

persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

murofet_0.0.0.6.vir.exexadi.exe

pid	process
888	murofet_0.0.0.6.vir.exe
888	murofet_0.0.0.6.vir.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe
1048	xadi.exe

Executes dropped EXE 1 IoCs

Processes:

xadi.exe

pid process

1048 xadi.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1448 WinMail.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

murofet_0.0.0.6.vir.exe

description pid process target process

PID 888 set thread context of 1240 888 murofet_0.0.0.6.vir.exe cmd.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1240 cmd.exe

pid	process
1048	xadi.exe

pid	process
1448	WinMail.exe

description	pid	process	target process
PID 888 set thread context of 1240	888	murofet_0.0.0.6.vir.exe	cmd.exe

pid	process
1240	cmd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

murofet_0.0.0.6.vir.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	888	murofet_0.0.0.6.vir.exe
Token: SeSecurityPrivilege	888	murofet_0.0.0.6.vir.exe
Token: SeSecurityPrivilege	888	murofet_0.0.0.6.vir.exe
Token: SeManageVolumePrivilege	1448	WinMail.exe
Token: SeSecurityPrivilege	1240	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

murofet_0.0.0.6.vir.exe

pid process

888 murofet_0.0.0.6.vir.exe

Suspicious use of WriteProcessMemory 108 IoCs

Processes:

murofet_0.0.0.6.vir.exexadi.exe

description	pid	process	target process
PID 888 wrote to memory of 1048	888	murofet_0.0.0.6.vir.exe	xadi.exe
PID 888 wrote to memory of 1048	888	murofet_0.0.0.6.vir.exe	xadi.exe
PID 888 wrote to memory of 1048	888	murofet_0.0.0.6.vir.exe	xadi.exe
PID 888 wrote to memory of 1048	888	murofet_0.0.0.6.vir.exe	xadi.exe
PID 1048 wrote to memory of 1152	1048	xadi.exe	taskhost.exe
PID 1048 wrote to memory of 1152	1048	xadi.exe	taskhost.exe
PID 1048 wrote to memory of 1152	1048	xadi.exe	taskhost.exe
PID 1048 wrote to memory of 1152	1048	xadi.exe	taskhost.exe
PID 1048 wrote to memory of 1152	1048	xadi.exe	taskhost.exe
PID 1048 wrote to memory of 1260	1048	xadi.exe	Dwm.exe
PID 1048 wrote to memory of 1260	1048	xadi.exe	Dwm.exe
PID 1048 wrote to memory of 1260	1048	xadi.exe	Dwm.exe
PID 1048 wrote to memory of 1260	1048	xadi.exe	Dwm.exe
PID 1048 wrote to memory of 1260	1048	xadi.exe	Dwm.exe
PID 1048 wrote to memory of 1296	1048	xadi.exe	Explorer.EXE
PID 1048 wrote to memory of 1296	1048	xadi.exe	Explorer.EXE
PID 1048 wrote to memory of 1296	1048	xadi.exe	Explorer.EXE
PID 1048 wrote to memory of 1296	1048	xadi.exe	Explorer.EXE
PID 1048 wrote to memory of 1296	1048	xadi.exe	Explorer.EXE
PID 1048 wrote to memory of 888	1048	xadi.exe	murofet_0.0.0.6.vir.exe
PID 1048 wrote to memory of 888	1048	xadi.exe	murofet_0.0.0.6.vir.exe
PID 1048 wrote to memory of 888	1048	xadi.exe	murofet_0.0.0.6.vir.exe
PID 1048 wrote to memory of 888	1048	xadi.exe	murofet_0.0.0.6.vir.exe
PID 1048 wrote to memory of 888	1048	xadi.exe	murofet_0.0.0.6.vir.exe
PID 1048 wrote to memory of 1448	1048	xadi.exe	WinMail.exe
PID 1048 wrote to memory of 1448	1048	xadi.exe	WinMail.exe
PID 1048 wrote to memory of 1448	1048	xadi.exe	WinMail.exe
PID 1048 wrote to memory of 1448	1048	xadi.exe	WinMail.exe
PID 1048 wrote to memory of 1448	1048	xadi.exe	WinMail.exe
PID 888 wrote to memory of 1240	888	murofet_0.0.0.6.vir.exe	cmd.exe
PID 888 wrote to memory of 1240	888	murofet_0.0.0.6.vir.exe	cmd.exe
PID 888 wrote to memory of 1240	888	murofet_0.0.0.6.vir.exe	cmd.exe
PID 888 wrote to memory of 1240	888	murofet_0.0.0.6.vir.exe	cmd.exe
PID 888 wrote to memory of 1240	888	murofet_0.0.0.6.vir.exe	cmd.exe
PID 888 wrote to memory of 1240	888	murofet_0.0.0.6.vir.exe	cmd.exe
PID 888 wrote to memory of 1240	888	murofet_0.0.0.6.vir.exe	cmd.exe
PID 888 wrote to memory of 1240	888	murofet_0.0.0.6.vir.exe	cmd.exe
PID 888 wrote to memory of 1240	888	murofet_0.0.0.6.vir.exe	cmd.exe
PID 1048 wrote to memory of 1440	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1440	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1440	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1440	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1440	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1620	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1620	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1620	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1620	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1620	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1936	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1936	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1936	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1936	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1936	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1484	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1484	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1484	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1484	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1484	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 288	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 288	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 288	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 288	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 288	1048	xadi.exe	DllHost.exe
PID 1048 wrote to memory of 1524	1048	xadi.exe	DllHost.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

murofet_0.0.0.6.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy	murofet_0.0.0.6.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	murofet_0.0.0.6.vir.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xadi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	xadi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9557F7E9-DCE5-3DD3-738B-6CFE83BDD5AD} = "C:\\Users\\Admin\\AppData\\Roaming\\Guavof\\xadi.exe"	xadi.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\76000CE7-00000001.eml:OECustomProperty	WinMail.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1152

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.6.vir.exe
"C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.6.vir.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings
PID:888

C:\Users\Admin\AppData\Roaming\Guavof\xadi.exe
"C:\Users\Admin\AppData\Roaming\Guavof\xadi.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Adds Run key to start application
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp18c2018b.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
- NTFS ADS
PID:1448

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1440

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1484

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:288

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1524

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:524

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18c2018b.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Guavof\xadi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Guavof\xadi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Gyafy\gona.naq

Download Submit
\Users\Admin\AppData\Roaming\Guavof\xadi.exe

Download Submit
memory/1048-1-0x0000000000000000-mapping.dmp

Download
memory/1240-25-0x0000000000071F4A-mapping.dmp

Download
memory/1240-23-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/1448-15-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1448-21-0x0000000003F60000-0x0000000003F62000-memory.dmp

Filesize
8KB

Download
memory/1448-16-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1448-17-0x0000000003F60000-0x0000000003F62000-memory.dmp

Filesize
8KB

Download
memory/1448-18-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1448-19-0x0000000003E50000-0x0000000003E52000-memory.dmp

Filesize
8KB

Download
memory/1448-20-0x0000000003EE0000-0x0000000003EE2000-memory.dmp

Filesize
8KB

Download
memory/1448-14-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/1448-22-0x0000000003F40000-0x0000000003F42000-memory.dmp

Filesize
8KB

Download
memory/1448-10-0x0000000003980000-0x0000000003A80000-memory.dmp

Filesize
1024KB

Download
memory/1448-9-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/1448-8-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/1448-6-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/1448-4-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads