Analysis

- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 17:19
Static task: static1

Behavioral task: behavioral1
- Sample: murofet_0.0.0.4.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: murofet_0.0.0.4.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General

- Target: murofet_0.0.0.4.vir.exe
- Size: 153KB
- MD5: 581ea50d38f87e99eb85ca9d0e8b01bd
- SHA1: 3365f6705e7e05b899584ebc74f0dd6839ab9135
- SHA256: 52576fe06db6c4cf5e307a8c86fc53d5f4ecfd5879fb7d7835c99843f2a069c6
- SHA512: edbcb6616e99b60a331f05ea3e82a677b8d9059f03fb9ad176cd99c0c57b7165028499150e8ecd4839c36a72df149a934d988c2c5ae877f680d6c6338a83f94d
- Score: 8/10
Malware Config

Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: efse.exe
- Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run (process: efse.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D60EF667-B9AD-6695-22F5-8132385FE976} = "C:\\Users\\Admin\\AppData\\Roaming\\Avuzuf\\efse.exe" (process: efse.exe)
NTFS ADS (1 IoC)
Processes: WinMail.exe
- File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4FFD700D-00000001.eml:OECustomProperty (process: WinMail.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes: murofet_0.0.0.4.vir.exe
- PID 1388 (murofet_0.0.0.4.vir.exe) set thread context of PID 1836 (cmd.exe)
Modifies Internet Explorer settings
Processes: murofet_0.0.0.4.vir.exe
- Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy (process: murofet_0.0.0.4.vir.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (process: murofet_0.0.0.4.vir.exe)
Loads dropped DLL (1 IoC)
Processes: murofet_0.0.0.4.vir.exe
- PID 1388 (murofet_0.0.0.4.vir.exe)
Suspicious use of WriteProcessMemory (108 IoCs)
Processes: murofet_0.0.0.4.vir.exe, efse.exe
- PID 1388 (murofet_0.0.0.4.vir.exe) wrote to memory of PID 1444 (efse.exe): 4 entries
- PID 1444 (efse.exe) wrote to memory of PID 1112 (taskhost.exe): 5 entries
- PID 1444 (efse.exe) wrote to memory of PID 1172 (Dwm.exe): 5 entries
- PID 1444 (efse.exe) wrote to memory of PID 1240 (Explorer.EXE): 5 entries
- PID 1444 (efse.exe) wrote to memory of PID 1388 (murofet_0.0.0.4.vir.exe): 5 entries
- PID 1444 (efse.exe) wrote to memory of PID 1604 (WinMail.exe): 5 entries
- PID 1388 (murofet_0.0.0.4.vir.exe) wrote to memory of PID 1836 (cmd.exe): 9 entries
- PID 1444 (efse.exe) wrote to memory of PID 1608 (DllHost.exe): 5 entries
- PID 1444 (efse.exe) wrote to memory of PID 468 (DllHost.exe): 5 entries
- PID 1444 (efse.exe) wrote to memory of PID 2008 (DllHost.exe): 5 entries
- PID 1444 (efse.exe) wrote to memory of PID 1452 (DllHost.exe): 5 entries
- PID 1444 (efse.exe) wrote to memory of PID 1056 (DllHost.exe): 5 entries
- PID 1444 (efse.exe) wrote to memory of PID 1784 (DllHost.exe): 1 entry
Executes dropped EXE (1 IoC)
Processes: efse.exe
- PID 1444 (efse.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: WinMail.exe
- PID 1604 (WinMail.exe)
Deletes itself (1 IoC)
Processes: cmd.exe
- PID 1836 (cmd.exe)
Suspicious behavior: EnumeratesProcesses (47 IoCs)
Processes: murofet_0.0.0.4.vir.exe, efse.exe
- PID 1388 (murofet_0.0.0.4.vir.exe): 2 entries
- PID 1444 (efse.exe): 45 entries
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: murofet_0.0.0.4.vir.exe, WinMail.exe, cmd.exe
- Token: SeSecurityPrivilege, PID 1388 (murofet_0.0.0.4.vir.exe)
- Token: SeSecurityPrivilege, PID 1388 (murofet_0.0.0.4.vir.exe)
- Token: SeSecurityPrivilege, PID 1388 (murofet_0.0.0.4.vir.exe)
- Token: SeManageVolumePrivilege, PID 1604 (WinMail.exe)
- Token: SeSecurityPrivilege, PID 1836 (cmd.exe)
Processes

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.4.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\murofet_0.0.0.4.vir.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\Avuzuf\efse.exe
      command line: "C:\Users\Admin\AppData\Roaming\Avuzuf\efse.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7c97e8a7.bat"
      - Deletes itself
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Windows Mail\WinMail.exe
  command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- C:\Users\Admin\AppData\Local\Temp\tmp7c97e8a7.bat
- C:\Users\Admin\AppData\Roaming\Avuzuf\efse.exe
- C:\Users\Admin\AppData\Roaming\Avuzuf\efse.exe
- C:\Users\Admin\AppData\Roaming\Rykowe\giyk.ykl
- \Users\Admin\AppData\Roaming\Avuzuf\efse.exe
- memory/1444-1-0x0000000000000000-mapping.dmp
- memory/1604-17-0x0000000003B40000-0x0000000003B42000-memory.dmp (filesize: 8KB)
- memory/1604-21-0x0000000003E10000-0x0000000003E12000-memory.dmp (filesize: 8KB)
- memory/1604-14-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (filesize: 8KB)
- memory/1604-15-0x0000000003AE0000-0x0000000003AE2000-memory.dmp (filesize: 8KB)
- memory/1604-16-0x0000000003AF0000-0x0000000003AF2000-memory.dmp (filesize: 8KB)
- memory/1604-9-0x00000000038A0000-0x0000000003AA0000-memory.dmp (filesize: 2.0MB)
- memory/1604-18-0x0000000003AF0000-0x0000000003AF2000-memory.dmp (filesize: 8KB)
- memory/1604-19-0x0000000003F60000-0x0000000003F62000-memory.dmp (filesize: 8KB)
- memory/1604-20-0x0000000003F70000-0x0000000003F72000-memory.dmp (filesize: 8KB)
- memory/1604-10-0x00000000039A0000-0x0000000003AA0000-memory.dmp (filesize: 1024KB)
- memory/1604-22-0x0000000003E20000-0x0000000003E22000-memory.dmp (filesize: 8KB)
- memory/1604-23-0x0000000003E10000-0x0000000003E12000-memory.dmp (filesize: 8KB)
- memory/1604-24-0x0000000003E30000-0x0000000003E32000-memory.dmp (filesize: 8KB)
- memory/1604-4-0x00000000038A0000-0x00000000039A0000-memory.dmp (filesize: 1024KB)
- memory/1604-8-0x00000000038A0000-0x00000000039A0000-memory.dmp (filesize: 1024KB)
- memory/1604-6-0x00000000038A0000-0x0000000003AA0000-memory.dmp (filesize: 2.0MB)
- memory/1836-27-0x000000000006BA88-mapping.dmp
- memory/1836-25-0x0000000000050000-0x000000000007C000-memory.dmp (filesize: 176KB)