Analysis

max time kernel: 77s
max time network: 77s
platform: windows7_x64
resource: win7v20201028
submitted: 05-12-2020 03:05
Static task: static1
Behavioral task: behavioral1
Sample: IRS NOTICE LETTER.exe
Resource: win7v20201028
Malware Config

Extracted
Family: matiex
Protocol: smtp
Host: ckfashion.shop
Port: 26
Username: matiex@ckfashion.shop
Password: 123Mat+++
Signatures

Matiex Main Payload (4 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1804-11-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
  behavioral1/memory/1804-12-0x000000000047083E-mapping.dmp                    family_matiex
  behavioral1/memory/1804-13-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
  behavioral1/memory/1804-14-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     checkip.dyndns.org
  9     freegeoip.app
  10    freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                 pid   process                target process
  set thread context of 1804  1944  IRS NOTICE LETTER.exe  IRS NOTICE LETTER.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  1804  IRS NOTICE LETTER.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1804  IRS NOTICE LETTER.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  1804  IRS NOTICE LETTER.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes (identical events collapsed, count in the last column):
  description                  pid   process                target process         count
  wrote to memory of 1720      1944  IRS NOTICE LETTER.exe  schtasks.exe           4
  wrote to memory of 1804      1944  IRS NOTICE LETTER.exe  IRS NOTICE LETTER.exe  9
  wrote to memory of 808       1804  IRS NOTICE LETTER.exe  netsh.exe              4
Processes

C:\Users\Admin\AppData\Local\Temp\IRS NOTICE LETTER.exe  (PID 1944, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IRS NOTICE LETTER.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 1720, depth 2, child of 1944)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DhRDIyd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF38.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\IRS NOTICE LETTER.exe  (PID 1804, depth 2, child of 1944)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IRS NOTICE LETTER.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (PID 808, depth 3, child of 1804)
      Command line: "netsh" wlan show profile

(PIDs are taken from the SetThreadContext and WriteProcessMemory signature tables above: 1944 set the thread context of and wrote into 1804, 1944 wrote into 1720, and 1804 wrote into 808.)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpDF38.tmp
  MD5     0a414c46a8834002a8d445c19ecfdaf9
  SHA1    1baebec51cf688c36330a6652fb0a12467a8d041
  SHA256  9fa4c8bd83e810c37f3190d64c33bb5d202cce3fda83e9c18c1df4466299bbe6
  SHA512  b1d726ae35f75f6139cbb1e73d7027c5598cab09eda250cf112b1f97b5696b143c01aa11111cd1bf395f7958914561423deafb188ff1dea335fb51e9f11255bf

memory/808-18-0x0000000000000000-mapping.dmp
memory/1720-9-0x0000000000000000-mapping.dmp
memory/1804-12-0x000000000047083E-mapping.dmp
memory/1804-11-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
memory/1804-13-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
memory/1804-14-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
memory/1804-15-0x00000000742A0000-0x000000007498E000-memory.dmp  Filesize: 6.9MB
memory/1944-7-0x0000000000670000-0x0000000000676000-memory.dmp   Filesize: 24KB
memory/1944-8-0x0000000005200000-0x0000000005272000-memory.dmp   Filesize: 456KB
memory/1944-6-0x0000000005020000-0x0000000005097000-memory.dmp   Filesize: 476KB
memory/1944-5-0x00000000004B0000-0x00000000004C4000-memory.dmp   Filesize: 80KB
memory/1944-2-0x0000000074320000-0x0000000074A0E000-memory.dmp   Filesize: 6.9MB
memory/1944-3-0x0000000001250000-0x0000000001251000-memory.dmp   Filesize: 4KB