Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
28-08-2020 06:33
Static task
static1
Behavioral task
behavioral1
Sample
1XrdOdPqR6jBVMu.exe
Resource
win7
General
-
Target
1XrdOdPqR6jBVMu.exe
-
Size
507KB
-
MD5
e5a4d65f4234001c405be18760073317
-
SHA1
9aaf994aa6cee464fde60749d9a1aba698199b41
-
SHA256
021f4846815c6c2c0fcd2a808054c52c0569526bd4fb049b47ceb061e822d354
-
SHA512
27892695e298ac1be6f982b97be4a9da56ed31031c3cb83d8e98815d1676442672aa3626a8a14782e638fa988a96dcb3229c72356374f7193fc8ee7469fdcc69
Malware Config
Extracted
matiex
Protocol: smtp- Host:
kin.hosting-mexico.net - Port:
26 - Username:
[email protected] - Password:
VN=m3-pILg4f
Signatures
-
Matiex Main Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3932-12-0x0000000000400000-0x0000000000472000-memory.dmp family_matiex behavioral2/memory/3932-13-0x000000000046D49E-mapping.dmp family_matiex -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 freegeoip.app 14 checkip.dyndns.org 17 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
1XrdOdPqR6jBVMu.exedescription pid process target process PID 2076 set thread context of 3932 2076 1XrdOdPqR6jBVMu.exe 1XrdOdPqR6jBVMu.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe -
Modifies data under HKEY_USERS 6 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 9f4b155b157dd601 svchost.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
1XrdOdPqR6jBVMu.exe1XrdOdPqR6jBVMu.exepid process 2076 1XrdOdPqR6jBVMu.exe 2076 1XrdOdPqR6jBVMu.exe 2076 1XrdOdPqR6jBVMu.exe 3932 1XrdOdPqR6jBVMu.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
svchost.exe1XrdOdPqR6jBVMu.exe1XrdOdPqR6jBVMu.exedescription pid process Token: SeShutdownPrivilege 804 svchost.exe Token: SeCreatePagefilePrivilege 804 svchost.exe Token: SeDebugPrivilege 2076 1XrdOdPqR6jBVMu.exe Token: SeDebugPrivilege 3932 1XrdOdPqR6jBVMu.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
1XrdOdPqR6jBVMu.exe1XrdOdPqR6jBVMu.exedescription pid process target process PID 2076 wrote to memory of 3932 2076 1XrdOdPqR6jBVMu.exe 1XrdOdPqR6jBVMu.exe PID 2076 wrote to memory of 3932 2076 1XrdOdPqR6jBVMu.exe 1XrdOdPqR6jBVMu.exe PID 2076 wrote to memory of 3932 2076 1XrdOdPqR6jBVMu.exe 1XrdOdPqR6jBVMu.exe PID 2076 wrote to memory of 3932 2076 1XrdOdPqR6jBVMu.exe 1XrdOdPqR6jBVMu.exe PID 2076 wrote to memory of 3932 2076 1XrdOdPqR6jBVMu.exe 1XrdOdPqR6jBVMu.exe PID 2076 wrote to memory of 3932 2076 1XrdOdPqR6jBVMu.exe 1XrdOdPqR6jBVMu.exe PID 2076 wrote to memory of 3932 2076 1XrdOdPqR6jBVMu.exe 1XrdOdPqR6jBVMu.exe PID 2076 wrote to memory of 3932 2076 1XrdOdPqR6jBVMu.exe 1XrdOdPqR6jBVMu.exe PID 3932 wrote to memory of 3100 3932 1XrdOdPqR6jBVMu.exe netsh.exe PID 3932 wrote to memory of 3100 3932 1XrdOdPqR6jBVMu.exe netsh.exe PID 3932 wrote to memory of 3100 3932 1XrdOdPqR6jBVMu.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe"C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵PID:3100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:804
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c06096aa9d34190ba8e1bff54a0c0ddd
SHA1f323e5569d5a914edd51a76ed796799457e80098
SHA256f5d012397631bf3b944ef49a26c9f6115dfb7aea516a2bc8a67119d7fc824271
SHA51252cd129e9b28ac080c292724c27bead11af7851a654e8eae2f98fffbea7bfcac3e0542485f531c2e8ca02b4efdfd2836d1e1ad917b43d24bc31ce91c55f3eafe