Analysis
- max time kernel: 128s
- max time network: 126s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 15:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: 05a2116ecfc9309b34006fabff6d40d4.exe
- Resource: win7v20201028
General
- Target: 05a2116ecfc9309b34006fabff6d40d4.exe
- Size: 990KB
- MD5: 05a2116ecfc9309b34006fabff6d40d4
- SHA1: 63bcad12e9cd7805c11061d5f59fdffba1bc88b0
- SHA256: 682257a6e10dab11aefd8ab37dbe84de4537eaf592e3b3b13240098241cdd5aa
- SHA512: fe0103dac5f3c7dd931534ef3e4ae3d866fb5d118b3a2b7e0c9d1ffc97618b61c26e4030e3fd6d250914bc3ccd0ba227717aad7e97172ffe0da1790ab345a541
Malware Config
Extracted
- Family: matiex
- https://api.telegram.org/bot1474029845:AAESF02q0JZytndFFaKINAGOHrylDk8NpJA/sendMessage?chat_id=1481651786
Signatures
- Matiex Main Payload (4 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1212-14-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
  - behavioral1/memory/1212-15-0x0000000000471BBE-mapping.dmp  family_matiex
  - behavioral1/memory/1212-17-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
  - behavioral1/memory/1212-16-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  05a2116ecfc9309b34006fabff6d40d4.exe
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  05a2116ecfc9309b34006fabff6d40d4.exe
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  05a2116ecfc9309b34006fabff6d40d4.exe
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  05a2116ecfc9309b34006fabff6d40d4.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - 11  freegeoip.app
  - 5  checkip.dyndns.org
  - 10  freegeoip.app
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  05a2116ecfc9309b34006fabff6d40d4.exe
  - Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  05a2116ecfc9309b34006fabff6d40d4.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  05a2116ecfc9309b34006fabff6d40d4.exe
  - Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  05a2116ecfc9309b34006fabff6d40d4.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process / target process):
  - PID 684 set thread context of 1716  684  05a2116ecfc9309b34006fabff6d40d4.exe  05a2116ecfc9309b34006fabff6d40d4.exe
  - PID 1716 set thread context of 1212  1716  05a2116ecfc9309b34006fabff6d40d4.exe  05a2116ecfc9309b34006fabff6d40d4.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes (pid / process):
  - 684  05a2116ecfc9309b34006fabff6d40d4.exe  (3 entries)
  - 1716  05a2116ecfc9309b34006fabff6d40d4.exe  (1 entry)
  - 1212  05a2116ecfc9309b34006fabff6d40d4.exe  (7 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege  684  05a2116ecfc9309b34006fabff6d40d4.exe
  - Token: SeDebugPrivilege  1716  05a2116ecfc9309b34006fabff6d40d4.exe
  - Token: SeDebugPrivilege  1212  05a2116ecfc9309b34006fabff6d40d4.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  - 1212  05a2116ecfc9309b34006fabff6d40d4.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description / pid / process / target process):
  - PID 684 wrote to memory of 1716  684  05a2116ecfc9309b34006fabff6d40d4.exe  05a2116ecfc9309b34006fabff6d40d4.exe  (9 entries)
  - PID 1716 wrote to memory of 1212  1716  05a2116ecfc9309b34006fabff6d40d4.exe  05a2116ecfc9309b34006fabff6d40d4.exe  (9 entries)
  - PID 1212 wrote to memory of 1976  1212  05a2116ecfc9309b34006fabff6d40d4.exe  netsh.exe  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\05a2116ecfc9309b34006fabff6d40d4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05a2116ecfc9309b34006fabff6d40d4.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\05a2116ecfc9309b34006fabff6d40d4.exe (depth 2)
    Command line: "{path}"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\05a2116ecfc9309b34006fabff6d40d4.exe (depth 3)
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/684-1-0x00000000009B0000-0x00000000009B1000-memory.dmp  Filesize: 4KB
- memory/684-3-0x0000000000610000-0x0000000000624000-memory.dmp  Filesize: 80KB
- memory/684-4-0x0000000007DB0000-0x0000000007E65000-memory.dmp  Filesize: 724KB
- memory/684-0-0x0000000073D30000-0x000000007441E000-memory.dmp  Filesize: 6.9MB
- memory/1212-14-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
- memory/1212-18-0x0000000073D30000-0x000000007441E000-memory.dmp  Filesize: 6.9MB
- memory/1212-16-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
- memory/1212-17-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
- memory/1212-15-0x0000000000471BBE-mapping.dmp
- memory/1716-5-0x0000000000400000-0x000000000048C000-memory.dmp  Filesize: 560KB
- memory/1716-13-0x0000000005620000-0x00000000056BD000-memory.dmp  Filesize: 628KB
- memory/1716-9-0x0000000073D30000-0x000000007441E000-memory.dmp  Filesize: 6.9MB
- memory/1716-8-0x0000000000400000-0x000000000048C000-memory.dmp  Filesize: 560KB
- memory/1716-7-0x0000000000400000-0x000000000048C000-memory.dmp  Filesize: 560KB
- memory/1716-6-0x00000000004868BA-mapping.dmp
- memory/1976-21-0x0000000000000000-mapping.dmp