Analysis
-
max time kernel
126s -
max time network
127s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-12-2020 03:06
Static task
static1
Behavioral task
behavioral1
Sample
Quote.exe
Resource
win7v20201028
Malware Config
Extracted
matiex
https://api.telegram.org/bot1379319539:AAFQ7f96r1-8ijh6-Hym9Weh67R1ZdDQt0g/sendMessage?chat_id=1472166686
Signatures
-
Matiex Main Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1348-7-0x0000000000400000-0x0000000000478000-memory.dmp family_matiex behavioral1/memory/1348-8-0x000000000047204E-mapping.dmp family_matiex behavioral1/memory/1348-9-0x0000000000400000-0x0000000000478000-memory.dmp family_matiex behavioral1/memory/1348-10-0x0000000000400000-0x0000000000478000-memory.dmp family_matiex -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Quote.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Quote.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Quote.exe -
Drops startup file 1 IoCs
Processes:
Quote.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appdata.url Quote.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 checkip.dyndns.org 10 freegeoip.app 11 freegeoip.app -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Quote.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Quote.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Quote.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Quote.exedescription pid process target process PID 1080 set thread context of 1348 1080 Quote.exe Quote.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
Quote.exeQuote.exepid process 1080 Quote.exe 1348 Quote.exe 1348 Quote.exe 1348 Quote.exe 1348 Quote.exe 1348 Quote.exe 1348 Quote.exe 1348 Quote.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Quote.exeQuote.exedescription pid process Token: SeDebugPrivilege 1080 Quote.exe Token: SeDebugPrivilege 1348 Quote.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Quote.exepid process 1348 Quote.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
Quote.exeQuote.exedescription pid process target process PID 1080 wrote to memory of 1348 1080 Quote.exe Quote.exe PID 1080 wrote to memory of 1348 1080 Quote.exe Quote.exe PID 1080 wrote to memory of 1348 1080 Quote.exe Quote.exe PID 1080 wrote to memory of 1348 1080 Quote.exe Quote.exe PID 1080 wrote to memory of 1348 1080 Quote.exe Quote.exe PID 1080 wrote to memory of 1348 1080 Quote.exe Quote.exe PID 1080 wrote to memory of 1348 1080 Quote.exe Quote.exe PID 1080 wrote to memory of 1348 1080 Quote.exe Quote.exe PID 1080 wrote to memory of 1348 1080 Quote.exe Quote.exe PID 1348 wrote to memory of 112 1348 Quote.exe netsh.exe PID 1348 wrote to memory of 112 1348 Quote.exe netsh.exe PID 1348 wrote to memory of 112 1348 Quote.exe netsh.exe PID 1348 wrote to memory of 112 1348 Quote.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quote.exe"C:\Users\Admin\AppData\Local\Temp\Quote.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Quote.exe"{path}"2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/112-14-0x0000000000000000-mapping.dmp
-
memory/1080-2-0x0000000074CF0000-0x00000000753DE000-memory.dmpFilesize
6.9MB
-
memory/1080-3-0x0000000000C20000-0x0000000000C21000-memory.dmpFilesize
4KB
-
memory/1080-5-0x00000000003A0000-0x00000000003AE000-memory.dmpFilesize
56KB
-
memory/1080-6-0x0000000005900000-0x00000000059BB000-memory.dmpFilesize
748KB
-
memory/1348-7-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1348-8-0x000000000047204E-mapping.dmp
-
memory/1348-9-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1348-10-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1348-11-0x0000000074CF0000-0x00000000753DE000-memory.dmpFilesize
6.9MB