Analysis Overview
SHA256
13a21602d5f5fceadfb7e45828fe76a44dc2dab2932fed665938715af574be9d
Threat Level: Known bad
The file MuRra1N Installer.exe was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Contains code to disable Windows Defender
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-17 19:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 19:48
Reported
2024-06-17 20:08
Platform
win11-20240508-en
Max time kernel
1199s
Max time network
1200s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LimeRAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MuRra1N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe
"C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe"
C:\Users\Admin\Downloads\MuRra1N.exe
"C:\Users\Admin\Downloads\MuRra1N.exe"
C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\7f259fe638f74961afe0902f8e73485f /t 2100 /p 436
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D0
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplogger.org | udp |
| IE | 52.111.236.22:443 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
Files
memory/4720-0-0x000000007505E000-0x000000007505F000-memory.dmp
memory/4720-1-0x0000000000B10000-0x0000000001AC6000-memory.dmp
memory/4720-2-0x000000000B890000-0x000000000CBFE000-memory.dmp
memory/4720-3-0x0000000075050000-0x0000000075801000-memory.dmp
memory/4720-4-0x00000000091A0000-0x0000000009746000-memory.dmp
memory/4720-5-0x0000000008CD0000-0x0000000008D6C000-memory.dmp
memory/4720-6-0x0000000009010000-0x00000000090A2000-memory.dmp
memory/4720-7-0x0000000009190000-0x0000000009198000-memory.dmp
memory/4720-8-0x0000000075050000-0x0000000075801000-memory.dmp
memory/4720-9-0x000000000A4E0000-0x000000000A518000-memory.dmp
memory/4720-10-0x000000000A4A0000-0x000000000A4AE000-memory.dmp
memory/4720-11-0x0000000075050000-0x0000000075801000-memory.dmp
memory/4720-12-0x000000007505E000-0x000000007505F000-memory.dmp
memory/4720-13-0x0000000075050000-0x0000000075801000-memory.dmp
memory/4720-14-0x0000000075050000-0x0000000075801000-memory.dmp
memory/4720-15-0x0000000075050000-0x0000000075801000-memory.dmp
memory/4720-43-0x0000000075050000-0x0000000075801000-memory.dmp
C:\Users\Admin\Downloads\MuRra1N.exe
| MD5 | 29cfe05afad44fdbc83fa3671891688f |
| SHA1 | 429de9b3429abd612c7c8343614c62e17ff4130b |
| SHA256 | 1479cd2a1a05c905f63483a40d9ec251f044161a81fb585e4d7d469b7bc291af |
| SHA512 | c749c45924d4059f30ba918b31856cea7b6c74e4ebd982dc2dd05c3de3a30014ac38e45eeb796c447450bb07e02c2da00c61126709995ff4ff3bf0266ad842e5 |
memory/436-46-0x00000000002A0000-0x0000000001316000-memory.dmp
C:\Users\Admin\Downloads\MuRra1N.exe.config
| MD5 | 1d1c996b6ff660cdb29884546d94d7f5 |
| SHA1 | 259123cf0e5bfeba4a44704858751042f1b036c4 |
| SHA256 | 7ed841b0dfa126544b3f115a70584a2a6b0e3772b937ae1f3217339cbdf899c7 |
| SHA512 | 825e1ad2696d1516714c619a1a2187ffa3b34dd4d6d231ed7d2abb1493fdbc601417935ac8ac7d7abecf6ad920210a88d5a8c1831d4194392aa0f771c6e63e58 |
memory/436-48-0x00000000002A0000-0x0000000001316000-memory.dmp
memory/436-49-0x00000000002A0000-0x0000000001316000-memory.dmp
memory/436-50-0x0000000007E30000-0x0000000007E3A000-memory.dmp
memory/436-51-0x0000000007EC0000-0x0000000007F16000-memory.dmp
memory/436-52-0x000000000AF10000-0x000000000AF76000-memory.dmp
memory/436-55-0x00000000002A0000-0x0000000001316000-memory.dmp
C:\Users\Admin\Downloads\Misc\GeoIP.dat
| MD5 | 8ef41798df108ce9bd41382c9721b1c9 |
| SHA1 | 1e6227635a12039f4d380531b032bf773f0e6de0 |
| SHA256 | bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740 |
| SHA512 | 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b |
C:\Users\Admin\Downloads\MISC\PORTS.dat
| MD5 | 81051bcc2cf1bedf378224b0a93e2877 |
| SHA1 | ba8ab5a0280b953aa97435ff8946cbcbb2755a27 |
| SHA256 | 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 |
| SHA512 | 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d |
memory/436-66-0x000000000D7A0000-0x000000000DAF7000-memory.dmp