Analysis
- max time kernel: 133s
- max time network: 135s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-12-2020 15:24
Static task: static1
Behavioral task: behavioral1
Sample: Payment CoPY.scr
Resource: win7v20201028
General
- Target: Payment CoPY.scr
- Size: 1.0MB
- MD5: 5687fc521f3ccd7d3176d9ed2daef426
- SHA1: 34c91e6ddf19a70417c0c140de3ec159873becc4
- SHA256: bc64ddf551da94841af6b93a14a69de12ddeae5ba720fea5c4bf8ff95a14ada1
- SHA512: 4e3a384df767ec9235d856eeec03ac6746eabd098fc0b7b66708a4b233591a8814187f0815fb4192295793aab5d484e66b85a72fc85462fa2006cc7f3f620024
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.manmodesign-trade.com
- Port: 21
- Username: try@manmodesign-trade.com
- Password: MMother189
Extracted (family: matiex)
- Protocol: ftp
- Host: ftp://ftp.manmodesign-trade.com/
- Port: 21
- Username: try@manmodesign-trade.com
- Password: MMother189
Signatures
-
Matiex Main Payload (4 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/432-9-0x0000000000400000-0x0000000000478000-memory.dmp | family_matiex
  behavioral1/memory/432-11-0x0000000000400000-0x0000000000478000-memory.dmp | family_matiex
  behavioral1/memory/432-10-0x000000000047218E-mapping.dmp | family_matiex
  behavioral1/memory/432-12-0x0000000000400000-0x0000000000478000-memory.dmp | family_matiex
-
Looks for VirtualBox Guest Additions in registry (2 TTPs)
-
Looks for VMWare Tools registry key (2 TTPs)
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Payment CoPY.scr
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Payment CoPY.scr
-
Drops startup file (1 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appdata.url | Payment CoPY.scr
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  11 | freegeoip.app
  5 | checkip.dyndns.org
  10 | freegeoip.app
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Payment CoPY.scr
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Payment CoPY.scr
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 1924 set thread context of 432 | 1924 | Payment CoPY.scr | Payment CoPY.scr
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid | process
  1924 | Payment CoPY.scr
  432 | Payment CoPY.scr
  432 | Payment CoPY.scr
  432 | Payment CoPY.scr
  432 | Payment CoPY.scr
  432 | Payment CoPY.scr
  432 | Payment CoPY.scr
  432 | Payment CoPY.scr
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1924 | Payment CoPY.scr
  Token: SeDebugPrivilege | 432 | Payment CoPY.scr
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  432 | Payment CoPY.scr
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | process | target process
  PID 1924 wrote to memory of 1260 | 1924 | Payment CoPY.scr | schtasks.exe
  PID 1924 wrote to memory of 1260 | 1924 | Payment CoPY.scr | schtasks.exe
  PID 1924 wrote to memory of 1260 | 1924 | Payment CoPY.scr | schtasks.exe
  PID 1924 wrote to memory of 1260 | 1924 | Payment CoPY.scr | schtasks.exe
  PID 1924 wrote to memory of 432 | 1924 | Payment CoPY.scr | Payment CoPY.scr
  PID 1924 wrote to memory of 432 | 1924 | Payment CoPY.scr | Payment CoPY.scr
  PID 1924 wrote to memory of 432 | 1924 | Payment CoPY.scr | Payment CoPY.scr
  PID 1924 wrote to memory of 432 | 1924 | Payment CoPY.scr | Payment CoPY.scr
  PID 1924 wrote to memory of 432 | 1924 | Payment CoPY.scr | Payment CoPY.scr
  PID 1924 wrote to memory of 432 | 1924 | Payment CoPY.scr | Payment CoPY.scr
  PID 1924 wrote to memory of 432 | 1924 | Payment CoPY.scr | Payment CoPY.scr
  PID 1924 wrote to memory of 432 | 1924 | Payment CoPY.scr | Payment CoPY.scr
  PID 1924 wrote to memory of 432 | 1924 | Payment CoPY.scr | Payment CoPY.scr
  PID 432 wrote to memory of 1340 | 432 | Payment CoPY.scr | netsh.exe
  PID 432 wrote to memory of 1340 | 432 | Payment CoPY.scr | netsh.exe
  PID 432 wrote to memory of 1340 | 432 | Payment CoPY.scr | netsh.exe
  PID 432 wrote to memory of 1340 | 432 | Payment CoPY.scr | netsh.exe
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\Payment CoPY.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment CoPY.scr" /S
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUJBHombeDe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A21.tmp"
  - Creates scheduled task(s)
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\Payment CoPY.scr
  Command line: "{path}"
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\netsh.exe
  Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp5A21.tmp
  MD5: 3426adf6342b52d3da258010ea7258a2
  SHA1: af307d9bf6789d7027d3c41ab80c5d2774f2f3a7
  SHA256: 7dd79fdc25566d8ad6a82fa857347a00f70c07708326ef9294262baf9af46be5
  SHA512: de3958aa3327f5708c914031d657f0d722661e4be88f6723cfc1e085fd054a6f1a2a1f3e13ee7d8d490450766c4aad76f96b0c6e6d1f38770f3bb0c461e159b7
-
memory/432-9-0x0000000000400000-0x0000000000478000-memory.dmp
  Filesize: 480KB
-
memory/432-11-0x0000000000400000-0x0000000000478000-memory.dmp
  Filesize: 480KB
-
memory/432-10-0x000000000047218E-mapping.dmp
-
memory/432-12-0x0000000000400000-0x0000000000478000-memory.dmp
  Filesize: 480KB
-
memory/432-13-0x0000000074480000-0x0000000074B6E000-memory.dmp
  Filesize: 6.9MB
-
memory/1260-7-0x0000000000000000-mapping.dmp
-
memory/1340-16-0x0000000000000000-mapping.dmp
-
memory/1924-2-0x0000000074480000-0x0000000074B6E000-memory.dmp
  Filesize: 6.9MB
-
memory/1924-3-0x0000000001200000-0x0000000001201000-memory.dmp
  Filesize: 4KB
-
memory/1924-5-0x00000000004A0000-0x00000000004AE000-memory.dmp
  Filesize: 56KB
-
memory/1924-6-0x0000000005470000-0x0000000005514000-memory.dmp
  Filesize: 656KB