52576fe06db6c4cf5e307a8c86fc53d5f4ecfd5879fb7d7835c99843f2a069c6

General

Target

murofet_0.0.0.4.vir.exe
Size

153KB
MD5

581ea50d38f87e99eb85ca9d0e8b01bd
SHA1

3365f6705e7e05b899584ebc74f0dd6839ab9135
SHA256

52576fe06db6c4cf5e307a8c86fc53d5f4ecfd5879fb7d7835c99843f2a069c6
SHA512

edbcb6616e99b60a331f05ea3e82a677b8d9059f03fb9ad176cd99c0c57b7165028499150e8ecd4839c36a72df149a934d988c2c5ae877f680d6c6338a83f94d

Score

8^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

efse.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	efse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D60EF667-B9AD-6695-22F5-8132385FE976} = "C:\\Users\\Admin\\AppData\\Roaming\\Avuzuf\\efse.exe"	efse.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4FFD700D-00000001.eml:OECustomProperty	WinMail.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

murofet_0.0.0.4.vir.exe

description pid process target process

PID 1388 set thread context of 1836 1388 murofet_0.0.0.4.vir.exe cmd.exe

description	pid	process	target process
PID 1388 set thread context of 1836	1388	murofet_0.0.0.4.vir.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

murofet_0.0.0.4.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy	murofet_0.0.0.4.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	murofet_0.0.0.4.vir.exe

Loads dropped DLL 1 IoCs

Processes:

murofet_0.0.0.4.vir.exe

pid process

1388 murofet_0.0.0.4.vir.exe

Suspicious use of WriteProcessMemory 108 IoCs

Processes:

murofet_0.0.0.4.vir.exeefse.exe

description	pid	process	target process
PID 1388 wrote to memory of 1444	1388	murofet_0.0.0.4.vir.exe	efse.exe
PID 1388 wrote to memory of 1444	1388	murofet_0.0.0.4.vir.exe	efse.exe
PID 1388 wrote to memory of 1444	1388	murofet_0.0.0.4.vir.exe	efse.exe
PID 1388 wrote to memory of 1444	1388	murofet_0.0.0.4.vir.exe	efse.exe
PID 1444 wrote to memory of 1112	1444	efse.exe	taskhost.exe
PID 1444 wrote to memory of 1112	1444	efse.exe	taskhost.exe
PID 1444 wrote to memory of 1112	1444	efse.exe	taskhost.exe
PID 1444 wrote to memory of 1112	1444	efse.exe	taskhost.exe
PID 1444 wrote to memory of 1112	1444	efse.exe	taskhost.exe
PID 1444 wrote to memory of 1172	1444	efse.exe	Dwm.exe
PID 1444 wrote to memory of 1172	1444	efse.exe	Dwm.exe
PID 1444 wrote to memory of 1172	1444	efse.exe	Dwm.exe
PID 1444 wrote to memory of 1172	1444	efse.exe	Dwm.exe
PID 1444 wrote to memory of 1172	1444	efse.exe	Dwm.exe
PID 1444 wrote to memory of 1240	1444	efse.exe	Explorer.EXE
PID 1444 wrote to memory of 1240	1444	efse.exe	Explorer.EXE
PID 1444 wrote to memory of 1240	1444	efse.exe	Explorer.EXE
PID 1444 wrote to memory of 1240	1444	efse.exe	Explorer.EXE
PID 1444 wrote to memory of 1240	1444	efse.exe	Explorer.EXE
PID 1444 wrote to memory of 1388	1444	efse.exe	murofet_0.0.0.4.vir.exe
PID 1444 wrote to memory of 1388	1444	efse.exe	murofet_0.0.0.4.vir.exe
PID 1444 wrote to memory of 1388	1444	efse.exe	murofet_0.0.0.4.vir.exe
PID 1444 wrote to memory of 1388	1444	efse.exe	murofet_0.0.0.4.vir.exe
PID 1444 wrote to memory of 1388	1444	efse.exe	murofet_0.0.0.4.vir.exe
PID 1444 wrote to memory of 1604	1444	efse.exe	WinMail.exe
PID 1444 wrote to memory of 1604	1444	efse.exe	WinMail.exe
PID 1444 wrote to memory of 1604	1444	efse.exe	WinMail.exe
PID 1444 wrote to memory of 1604	1444	efse.exe	WinMail.exe
PID 1444 wrote to memory of 1604	1444	efse.exe	WinMail.exe
PID 1388 wrote to memory of 1836	1388	murofet_0.0.0.4.vir.exe	cmd.exe
PID 1388 wrote to memory of 1836	1388	murofet_0.0.0.4.vir.exe	cmd.exe
PID 1388 wrote to memory of 1836	1388	murofet_0.0.0.4.vir.exe	cmd.exe
PID 1388 wrote to memory of 1836	1388	murofet_0.0.0.4.vir.exe	cmd.exe
PID 1388 wrote to memory of 1836	1388	murofet_0.0.0.4.vir.exe	cmd.exe
PID 1388 wrote to memory of 1836	1388	murofet_0.0.0.4.vir.exe	cmd.exe
PID 1388 wrote to memory of 1836	1388	murofet_0.0.0.4.vir.exe	cmd.exe
PID 1388 wrote to memory of 1836	1388	murofet_0.0.0.4.vir.exe	cmd.exe
PID 1388 wrote to memory of 1836	1388	murofet_0.0.0.4.vir.exe	cmd.exe
PID 1444 wrote to memory of 1608	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1608	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1608	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1608	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1608	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 468	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 468	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 468	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 468	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 468	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 2008	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 2008	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 2008	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 2008	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 2008	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1452	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1452	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1452	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1452	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1452	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1056	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1056	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1056	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1056	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1056	1444	efse.exe	DllHost.exe
PID 1444 wrote to memory of 1784	1444	efse.exe	DllHost.exe

Executes dropped EXE 1 IoCs

Processes:

efse.exe

pid process

1444 efse.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1604 WinMail.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1836 cmd.exe

pid	process
1444	efse.exe

pid	process
1604	WinMail.exe

pid	process
1836	cmd.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

murofet_0.0.0.4.vir.exeefse.exe

pid	process
1388	murofet_0.0.0.4.vir.exe
1388	murofet_0.0.0.4.vir.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe
1444	efse.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

murofet_0.0.0.4.vir.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	1388	murofet_0.0.0.4.vir.exe
Token: SeSecurityPrivilege	1388	murofet_0.0.0.4.vir.exe
Token: SeSecurityPrivilege	1388	murofet_0.0.0.4.vir.exe
Token: SeManageVolumePrivilege	1604	WinMail.exe
Token: SeSecurityPrivilege	1836	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.4.vir.exe
"C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.4.vir.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Users\Admin\AppData\Roaming\Avuzuf\efse.exe
"C:\Users\Admin\AppData\Roaming\Avuzuf\efse.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7c97e8a7.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1452

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1784

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1436

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:300

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7c97e8a7.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Avuzuf\efse.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Avuzuf\efse.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Rykowe\giyk.ykl

Download Submit
\Users\Admin\AppData\Roaming\Avuzuf\efse.exe

Download Submit
memory/1444-1-0x0000000000000000-mapping.dmp

Download
memory/1604-17-0x0000000003B40000-0x0000000003B42000-memory.dmp

Filesize
8KB

Download
memory/1604-21-0x0000000003E10000-0x0000000003E12000-memory.dmp

Filesize
8KB

Download
memory/1604-14-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/1604-15-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1604-16-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1604-9-0x00000000038A0000-0x0000000003AA0000-memory.dmp

Filesize
2.0MB

Download
memory/1604-18-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1604-19-0x0000000003F60000-0x0000000003F62000-memory.dmp

Filesize
8KB

Download
memory/1604-20-0x0000000003F70000-0x0000000003F72000-memory.dmp

Filesize
8KB

Download
memory/1604-10-0x00000000039A0000-0x0000000003AA0000-memory.dmp

Filesize
1024KB

Download
memory/1604-22-0x0000000003E20000-0x0000000003E22000-memory.dmp

Filesize
8KB

Download
memory/1604-23-0x0000000003E10000-0x0000000003E12000-memory.dmp

Filesize
8KB

Download
memory/1604-24-0x0000000003E30000-0x0000000003E32000-memory.dmp

Filesize
8KB

Download
memory/1604-4-0x00000000038A0000-0x00000000039A0000-memory.dmp

Filesize
1024KB

Download
memory/1604-8-0x00000000038A0000-0x00000000039A0000-memory.dmp

Filesize
1024KB

Download
memory/1604-6-0x00000000038A0000-0x0000000003AA0000-memory.dmp

Filesize
2.0MB

Download
memory/1836-27-0x000000000006BA88-mapping.dmp

Download
memory/1836-25-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads