Analysis

Max time kernel: 145s
Max time network: 146s
Platform: windows10_x64
Resource: win10v200722
Submitted: 28-08-2020 06:33

Static task: static1
Behavioral task: behavioral1
Sample: 1XrdOdPqR6jBVMu.exe
Resource: win7
General

Target: 1XrdOdPqR6jBVMu.exe
Size: 507KB
MD5: e5a4d65f4234001c405be18760073317
SHA1: 9aaf994aa6cee464fde60749d9a1aba698199b41
SHA256: 021f4846815c6c2c0fcd2a808054c52c0569526bd4fb049b47ceb061e822d354
SHA512: 27892695e298ac1be6f982b97be4a9da56ed31031c3cb83d8e98815d1676442672aa3626a8a14782e638fa988a96dcb3229c72356374f7193fc8ee7469fdcc69
Malware Config

Extracted: matiex
Protocol: smtp
Host: kin.hosting-mexico.net
Port: 26
Username: [email protected]
Password: VN=m3-pILg4f
Signatures

Matiex Main Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3932-12-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
  behavioral2/memory/3932-13-0x000000000046D49E-mapping.dmp | family_matiex

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  18 | freegeoip.app
  14 | checkip.dyndns.org
  17 | freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2076 set thread context of 3932 | 2076 | 1XrdOdPqR6jBVMu.exe | 75
Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat | svchost.exe

Modifies data under HKEY_USERS (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" | svchost.exe
  Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 9f4b155b157dd601 | svchost.exe

Note: both of these signatures are attributed to svchost.exe (PID 804, the WinHttpAutoProxySvc host), not to the sample. The WinHTTP auto-proxy cache file and the WPAD decision keys under S-1-5-19 (LOCAL SERVICE) are written by that service when it resolves proxy settings for outbound HTTP; the sample's lookups to freegeoip.app and checkip.dyndns.org are a plausible trigger. They are side effects of the sample's network activity rather than persistence or tampering by the sample itself.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2076 | 1XrdOdPqR6jBVMu.exe
  2076 | 1XrdOdPqR6jBVMu.exe
  2076 | 1XrdOdPqR6jBVMu.exe
  3932 | 1XrdOdPqR6jBVMu.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 804 | svchost.exe
  Token: SeCreatePagefilePrivilege | 804 | svchost.exe
  Token: SeDebugPrivilege | 2076 | 1XrdOdPqR6jBVMu.exe
  Token: SeDebugPrivilege | 3932 | 1XrdOdPqR6jBVMu.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2076 wrote to memory of 3932 | 2076 | 1XrdOdPqR6jBVMu.exe | 75   (8 identical entries)
  PID 3932 wrote to memory of 3100 | 3932 | 1XrdOdPqR6jBVMu.exe | 77   (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
  "C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe"  (level 1, PID 2076)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
    "{path}"  (level 2, PID 3932)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      "netsh" wlan show profile  (level 3, PID 3100)

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc  (level 1, PID 804)
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
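Read together, the SetThreadContext and WriteProcessMemory signatures and the process tree describe a hollowing chain: PID 2076 starts a second copy of itself (PID 3932, command line "{path}"), writes into it eight times, redirects its thread with SetThreadContext, and the Matiex YARA hits land in the 3932 memory dump; the hollowed copy then spawns netsh wlan show profile. The Python below is an added detection example written for this page, not part of the sandbox report or of any vendor's code. The PROCESSES, PARENT and API_EVENTS tables are constructed by hand from the PIDs, images and IoC counts in the report, and the function names and tuple layout are this example's own assumptions.

```python
from collections import defaultdict

# Constructed from the report's process tree: pid -> (image, command line).
PROCESSES = {
    2076: ("1XrdOdPqR6jBVMu.exe",
           '"C:\\Users\\Admin\\AppData\\Local\\Temp\\1XrdOdPqR6jBVMu.exe"'),
    3932: ("1XrdOdPqR6jBVMu.exe", '"{path}"'),
    3100: ("netsh.exe", '"netsh" wlan show profile'),
    804:  ("svchost.exe",
           "C:\\Windows\\system32\\svchost.exe -k LocalService -s WinHttpAutoProxySvc"),
}
# child pid -> parent pid (constructed; the svchost instance is a separate root).
PARENT = {3932: 2076, 3100: 3932}

# (actor pid, API, target pid); repetition counts mirror the report's IoC tables.
API_EVENTS = (
    [(2076, "WriteProcessMemory", 3932)] * 8
    + [(2076, "SetThreadContext", 3932)]
    + [(3932, "WriteProcessMemory", 3100)] * 3
)


def find_hollowing(api_events, processes, parent):
    """Return [(parent_pid, child_pid, child_image)] for each child that its
    parent both wrote into and re-pointed with SetThreadContext.

    Writes without a SetThreadContext on the same pair are deliberately not
    flagged: a parent writing a few times into a freshly created child is what
    any CreateProcess looks like in this kind of trace (3932 -> 3100 here).
    """
    writes = defaultdict(int)
    retargeted = set()
    for actor, api, target in api_events:
        if api == "WriteProcessMemory":
            writes[(actor, target)] += 1
        elif api == "SetThreadContext":
            retargeted.add((actor, target))
    hits = []
    for actor, target in sorted(retargeted):
        if writes[(actor, target)] and parent.get(target) == actor:
            hits.append((actor, target, processes[target][0]))
    return hits


def descendants(pid, parent):
    """All pids below `pid` in the parent map (breadth-first, no recursion)."""
    found, frontier = set(), {pid}
    while frontier:
        frontier = {c for c, p in parent.items() if p in frontier} - found
        found |= frontier
    return found


def wifi_profile_dump_from_hollowed(api_events, processes, parent):
    """Tie a 'netsh wlan show profile' execution back to the hollowed process
    that spawned it; returns [(hollowed_pid, netsh_pid, command line)]."""
    findings = []
    for _, hollowed, _ in find_hollowing(api_events, processes, parent):
        for pid in sorted(descendants(hollowed, parent)):
            image, cmdline = processes[pid]
            low = cmdline.lower()
            if image.lower() == "netsh.exe" and "wlan" in low and "show profile" in low:
                findings.append((hollowed, pid, cmdline))
    return findings


if __name__ == "__main__":
    for ppid, cpid, image in find_hollowing(API_EVENTS, PROCESSES, PARENT):
        same = PROCESSES[ppid][0] == image
        print(f"hollowing: {ppid} -> {cpid} ({image}), same image as parent: {same}")
    for hollowed, pid, cmdline in wifi_profile_dump_from_hollowed(API_EVENTS, PROCESSES, PARENT):
        print(f"wifi profile enumeration from hollowed pid {hollowed}: {pid} {cmdline}")
```

Two points worth keeping when turning this into a real rule. First, the negative case matters: 3932 writes into its netsh child three times with no SetThreadContext, which is ordinary process creation, so requiring both APIs on the same parent/child pair is what keeps the rule from firing on every spawned child. Second, "netsh wlan show profile" by itself only enumerates the names of saved Wi-Fi profiles; the stored key is only returned by a per-profile query with key=clear, which this report does not show, so the signature here records the enumeration step rather than a confirmed credential dump.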