Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-12-2020 15:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: Payment CoPY.scr
- Resource: win7v20201028
General
- Target: Payment CoPY.scr
- Size: 1.0MB
- MD5: 5687fc521f3ccd7d3176d9ed2daef426
- SHA1: 34c91e6ddf19a70417c0c140de3ec159873becc4
- SHA256: bc64ddf551da94841af6b93a14a69de12ddeae5ba720fea5c4bf8ff95a14ada1
- SHA512: 4e3a384df767ec9235d856eeec03ac6746eabd098fc0b7b66708a4b233591a8814187f0815fb4192295793aab5d484e66b85a72fc85462fa2006cc7f3f620024
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.manmodesign-trade.com
- Port: 21
- Username: try@manmodesign-trade.com
- Password: MMother189
Extracted
- Family: matiex
- Protocol: ftp
- Host: ftp://ftp.manmodesign-trade.com/
- Port: 21
- Username: try@manmodesign-trade.com
- Password: MMother189
Signatures
- Matiex Main Payload (2 IoCs)
  Processes (resource | yara_rule):
  - behavioral2/memory/3912-14-0x0000000000400000-0x0000000000478000-memory.dmp | family_matiex
  - behavioral2/memory/3912-15-0x000000000047218E-mapping.dmp | family_matiex
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Payment CoPY.scr
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Payment CoPY.scr
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appdata.url | Payment CoPY.scr
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  - 15 | checkip.dyndns.org
  - 18 | freegeoip.app
  - 19 | freegeoip.app
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Payment CoPY.scr
  - Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | Payment CoPY.scr
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 4092 set thread context of 3912 | 4092 | Payment CoPY.scr | Payment CoPY.scr
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
  - 4092 | Payment CoPY.scr
  - 3912 | Payment CoPY.scr (7 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  - 3912 | Payment CoPY.scr
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 4092 | Payment CoPY.scr
  - Token: SeDebugPrivilege | 3912 | Payment CoPY.scr
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  - 3912 | Payment CoPY.scr
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
  - PID 4092 wrote to memory of 4056 | 4092 | Payment CoPY.scr | schtasks.exe (3 entries)
  - PID 4092 wrote to memory of 3912 | 4092 | Payment CoPY.scr | Payment CoPY.scr (8 entries)
  - PID 3912 wrote to memory of 1336 | 3912 | Payment CoPY.scr | netsh.exe (3 entries)
Processes (indentation shows the parent/child tree; the number in brackets is the depth)
- [1] C:\Users\Admin\AppData\Local\Temp\Payment CoPY.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment CoPY.scr" /S
  Signatures:
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUJBHombeDe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE862.tmp"
    Signatures:
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\Payment CoPY.scr
    Command line: "{path}"
    Signatures:
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment CoPY.scr.log
  MD5: 25d70e1d452dc2ea38e30072c87daf70
  SHA1: c43cb23be3d630afa0ff98f719ed56ea683b2397
  SHA256: 384dc26fb17aa370c7543a5d63366cd00df1eaf9e106168a433e0ef8c5ba1783
  SHA512: 0133fb665f1df24c0fcda1444da64e3bb04d5ad4166617075342f7dbae5d772be6ec66e0f7f091d1c392985ba2bf3ff5f56a90a61e7115cba264b11e528e28d5
- C:\Users\Admin\AppData\Local\Temp\tmpE862.tmp
  MD5: b7662de30a68cdbf1663e1f12862aa11
  SHA1: 37b244d4a3d8db2fa0a5650f88dac31a6465ce00
  SHA256: d7f17f33b396da2ad12cd6af555de2a62381a7cab4ffc2e91008a774be152c95
  SHA512: 38001f30a83a644ada06f490f79f4bb74f63084135249ca2c25f1fbab2e026f2da92f9e488484918faf8407f44ace71f7bc2ce5221846b90595e7a424edb1f3a
- memory/1336-25-0x0000000000000000-mapping.dmp
- memory/3912-26-0x0000000006E40000-0x0000000006E41000-memory.dmp (Filesize: 4KB)
- memory/3912-24-0x0000000006AD0000-0x0000000006AD1000-memory.dmp (Filesize: 4KB)
- memory/3912-17-0x00000000739A0000-0x000000007408E000-memory.dmp (Filesize: 6.9MB)
- memory/3912-15-0x000000000047218E-mapping.dmp
- memory/3912-14-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize: 480KB)
- memory/4056-12-0x0000000000000000-mapping.dmp
- memory/4092-7-0x0000000005D40000-0x0000000005D41000-memory.dmp (Filesize: 4KB)
- memory/4092-11-0x0000000006390000-0x0000000006391000-memory.dmp (Filesize: 4KB)
- memory/4092-10-0x00000000062F0000-0x00000000062F1000-memory.dmp (Filesize: 4KB)
- memory/4092-9-0x0000000006240000-0x00000000062E4000-memory.dmp (Filesize: 656KB)
- memory/4092-8-0x0000000004F00000-0x0000000004F01000-memory.dmp (Filesize: 4KB)
- memory/4092-2-0x00000000739A0000-0x000000007408E000-memory.dmp (Filesize: 6.9MB)
- memory/4092-6-0x0000000004C60000-0x0000000004C6E000-memory.dmp (Filesize: 56KB)
- memory/4092-5-0x0000000005310000-0x0000000005311000-memory.dmp (Filesize: 4KB)
- memory/4092-3-0x0000000000310000-0x0000000000311000-memory.dmp (Filesize: 4KB)