Analysis
- max time kernel: 105s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-12-2020 17:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: 09000000MMM090.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 09000000MMM090.exe
- Size: 461KB
- MD5: 086959707f8687e0764bce8b5c0c6aa3
- SHA1: 316f4aa555ffa7c249253e5a6dc3af68c9bd6ae8
- SHA256: c6a6df5f1efbeb60a9249cd6561f3eb8cc319de796595aa82180f6762ef6f43a
- SHA512: d041cf94607a803193c1ce429313c169c89f2920a908b8f4db2b70798be5cc9f2f88c6cd92de33881f9b721ba81d201f6ee2fb59fc1310e09f616bcf2bcc3a5e
Malware Config
Extracted
- Family: matiex
- Credentials:
  - Protocol: smtp
  - Host: srvc13.turhost.com
  - Port: 587
  - Username: info@bilgitekdagitim.com
  - Password: italik2015
Signatures
- Matiex Main Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3960-2-0x0000000000170000-0x00000000001E6000-memory.dmp | family_matiex
  behavioral2/memory/3960-3-0x00000000001E023E-mapping.dmp | family_matiex
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  8 | checkip.dyndns.org
  11 | freegeoip.app
  12 | freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 576 set thread context of 3960 | 576 | 09000000MMM090.exe | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid | process
  3960 | MSBuild.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid | process
  576 | 09000000MMM090.exe
  576 | 09000000MMM090.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3960 | MSBuild.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 576 wrote to memory of 3960 | 576 | 09000000MMM090.exe | MSBuild.exe
  PID 576 wrote to memory of 3960 | 576 | 09000000MMM090.exe | MSBuild.exe
  PID 576 wrote to memory of 3960 | 576 | 09000000MMM090.exe | MSBuild.exe
  PID 576 wrote to memory of 3960 | 576 | 09000000MMM090.exe | MSBuild.exe
  PID 3960 wrote to memory of 2900 | 3960 | MSBuild.exe | netsh.exe
  PID 3960 wrote to memory of 2900 | 3960 | MSBuild.exe | netsh.exe
  PID 3960 wrote to memory of 2900 | 3960 | MSBuild.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\09000000MMM090.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09000000MMM090.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\09000000MMM090.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile
Downloads
- memory/2900-11-0x0000000000000000-mapping.dmp
- memory/3960-2-0x0000000000170000-0x00000000001E6000-memory.dmp (Filesize: 472KB)
- memory/3960-3-0x00000000001E023E-mapping.dmp
- memory/3960-5-0x0000000073330000-0x0000000073A1E000-memory.dmp (Filesize: 6.9MB)
- memory/3960-8-0x0000000004A00000-0x0000000004A01000-memory.dmp (Filesize: 4KB)
- memory/3960-9-0x0000000004FA0000-0x0000000004FA1000-memory.dmp (Filesize: 4KB)
- memory/3960-10-0x0000000004980000-0x0000000004981000-memory.dmp (Filesize: 4KB)
- memory/3960-12-0x0000000005FE0000-0x0000000005FE1000-memory.dmp (Filesize: 4KB)
- memory/3960-13-0x00000000061B0000-0x00000000061B1000-memory.dmp (Filesize: 4KB)
- memory/3960-14-0x0000000005FC0000-0x0000000005FC1000-memory.dmp (Filesize: 4KB)