Analysis
max time kernel: 91s
max time network: 114s
platform: windows10_x64
resource: win10v20201028
submitted: 17-11-2020 15:19

Static task: static1
Behavioral task: behavioral1
Sample: 05a2116ecfc9309b34006fabff6d40d4.exe
Resource: win7v20201028
General
Target: 05a2116ecfc9309b34006fabff6d40d4.exe
Size: 990KB
MD5: 05a2116ecfc9309b34006fabff6d40d4
SHA1: 63bcad12e9cd7805c11061d5f59fdffba1bc88b0
SHA256: 682257a6e10dab11aefd8ab37dbe84de4537eaf592e3b3b13240098241cdd5aa
SHA512: fe0103dac5f3c7dd931534ef3e4ae3d866fb5d118b3a2b7e0c9d1ffc97618b61c26e4030e3fd6d250914bc3ccd0ba227717aad7e97172ffe0da1790ab345a541
Malware Config
Extracted
matiex
https://api.telegram.org/bot1474029845:AAESF02q0JZytndFFaKINAGOHrylDk8NpJA/sendMessage?chat_id=1481651786
Signatures
-
Matiex Main Payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/2064-27-0x0000000000400000-0x0000000000476000-memory.dmp   family_matiex
behavioral2/memory/2064-28-0x0000000000471BBE-mapping.dmp                     family_matiex
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description         ioc                                                                process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    05a2116ecfc9309b34006fabff6d40d4.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   05a2116ecfc9309b34006fabff6d40d4.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    05a2116ecfc9309b34006fabff6d40d4.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   05a2116ecfc9309b34006fabff6d40d4.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow   ioc
17     checkip.dyndns.org
20     freegeoip.app
21     freegeoip.app
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description         ioc                                                          process
Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0   05a2116ecfc9309b34006fabff6d40d4.exe
Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     05a2116ecfc9309b34006fabff6d40d4.exe
Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0   05a2116ecfc9309b34006fabff6d40d4.exe
Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     05a2116ecfc9309b34006fabff6d40d4.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                            pid    process                                target process
PID 4012 set thread context of 2256    4012   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 2256 set thread context of 2064    2256   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid    process
4012   05a2116ecfc9309b34006fabff6d40d4.exe
4012   05a2116ecfc9309b34006fabff6d40d4.exe
4012   05a2116ecfc9309b34006fabff6d40d4.exe
4012   05a2116ecfc9309b34006fabff6d40d4.exe
2256   05a2116ecfc9309b34006fabff6d40d4.exe
2064   05a2116ecfc9309b34006fabff6d40d4.exe
2064   05a2116ecfc9309b34006fabff6d40d4.exe
2064   05a2116ecfc9309b34006fabff6d40d4.exe
2064   05a2116ecfc9309b34006fabff6d40d4.exe
2064   05a2116ecfc9309b34006fabff6d40d4.exe
2064   05a2116ecfc9309b34006fabff6d40d4.exe
2064   05a2116ecfc9309b34006fabff6d40d4.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   4012   05a2116ecfc9309b34006fabff6d40d4.exe
Token: SeDebugPrivilege   2256   05a2116ecfc9309b34006fabff6d40d4.exe
Token: SeDebugPrivilege   2064   05a2116ecfc9309b34006fabff6d40d4.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid    process
2064   05a2116ecfc9309b34006fabff6d40d4.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description                          pid    process                                target process
PID 4012 wrote to memory of 2256     4012   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 4012 wrote to memory of 2256     4012   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 4012 wrote to memory of 2256     4012   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 4012 wrote to memory of 2256     4012   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 4012 wrote to memory of 2256     4012   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 4012 wrote to memory of 2256     4012   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 4012 wrote to memory of 2256     4012   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 4012 wrote to memory of 2256     4012   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 2256 wrote to memory of 2064     2256   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 2256 wrote to memory of 2064     2256   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 2256 wrote to memory of 2064     2256   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 2256 wrote to memory of 2064     2256   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 2256 wrote to memory of 2064     2256   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 2256 wrote to memory of 2064     2256   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 2256 wrote to memory of 2064     2256   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 2256 wrote to memory of 2064     2256   05a2116ecfc9309b34006fabff6d40d4.exe   05a2116ecfc9309b34006fabff6d40d4.exe
PID 2064 wrote to memory of 2488     2064   05a2116ecfc9309b34006fabff6d40d4.exe   netsh.exe
PID 2064 wrote to memory of 2488     2064   05a2116ecfc9309b34006fabff6d40d4.exe   netsh.exe
PID 2064 wrote to memory of 2488     2064   05a2116ecfc9309b34006fabff6d40d4.exe   netsh.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\05a2116ecfc9309b34006fabff6d40d4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\05a2116ecfc9309b34006fabff6d40d4.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\05a2116ecfc9309b34006fabff6d40d4.exe
    command line: "{path}"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Local\Temp\05a2116ecfc9309b34006fabff6d40d4.exe
      command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\netsh.exe
        command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\05a2116ecfc9309b34006fabff6d40d4.exe.log
  MD5: 852720e374b75adf5ae2a37c78d3342c
  SHA1: 3504725b4c820669b7e0af51a8b311e33c7c95a6
  SHA256: c1a26c558f3b8104d07618d38f72b7c2a58150fa8eafa2ac5ea1e6f5818ecb11
  SHA512: 0e076e46755f291a26091670c8e66f4f7872fbefb8e86c694f86af769c94ad8274d6ceb0b8dbd8985fec7d9344e8530d9d78315d9aa5e299eab5bccf177c7da1
memory/2064-38-0x00000000075F0000-0x00000000075F1000-memory.dmp   Filesize: 4KB
memory/2064-29-0x00000000733D0000-0x0000000073ABE000-memory.dmp   Filesize: 6.9MB
memory/2064-28-0x0000000000471BBE-mapping.dmp
memory/2064-27-0x0000000000400000-0x0000000000476000-memory.dmp   Filesize: 472KB
memory/2256-13-0x0000000000400000-0x000000000048C000-memory.dmp   Filesize: 560KB
memory/2256-14-0x00000000004868BA-mapping.dmp
memory/2256-24-0x0000000007DE0000-0x0000000007E7D000-memory.dmp   Filesize: 628KB
memory/2256-16-0x00000000733D0000-0x0000000073ABE000-memory.dmp   Filesize: 6.9MB
memory/2488-37-0x0000000000000000-mapping.dmp
memory/4012-6-0x0000000009C20000-0x0000000009C21000-memory.dmp    Filesize: 4KB
memory/4012-0-0x00000000733D0000-0x0000000073ABE000-memory.dmp    Filesize: 6.9MB
memory/4012-7-0x0000000009460000-0x0000000009474000-memory.dmp    Filesize: 80KB
memory/4012-12-0x000000000A1C0000-0x000000000A1C1000-memory.dmp   Filesize: 4KB
memory/4012-9-0x0000000009B60000-0x0000000009B61000-memory.dmp    Filesize: 4KB
memory/4012-5-0x00000000073D0000-0x00000000073D1000-memory.dmp    Filesize: 4KB
memory/4012-4-0x0000000007400000-0x0000000007401000-memory.dmp    Filesize: 4KB
memory/4012-3-0x0000000007860000-0x0000000007861000-memory.dmp    Filesize: 4KB
memory/4012-8-0x0000000009AA0000-0x0000000009B55000-memory.dmp    Filesize: 724KB
memory/4012-1-0x0000000000240000-0x0000000000241000-memory.dmp    Filesize: 4KB