Analysis
max time kernel: 104s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 28-12-2020 08:02
Static task: static1
Behavioral task: behavioral1
Sample: payment invoice090909000.exe
Resource: win7v20201028
General
Target: payment invoice090909000.exe
Size: 478KB
MD5: 5ce9199ca2f9bbfb99cf5dd672e884af
SHA1: 484ce13dc8aed2309c2bbeb25b0136bbe5228114
SHA256: 9a14ef7dd61e214e5d8f0ed0e4e98efdf3b6a97794e12e6c74811f85bf0fe021
SHA512: 509af31de428567ab35be085259e78b88ddf0627c26baaf7d1c54099b531798815a436638523aae5ace4ea4017634057ff197abc579cc38ceb2841b14250ebfa
Malware Config
Extracted
Protocol: smtp
Host: srvc13.turhost.com
Port: 587
Username: info@bilgitekdagitim.com
Password: italik2015
Extracted
Family: matiex
Protocol: smtp
Host: srvc13.turhost.com
Port: 587
Username: info@bilgitekdagitim.com
Password: italik2015
Signatures
-
Matiex Main Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2484-3-0x0000000000400000-0x0000000000476000-memory.dmp | family_matiex
behavioral2/memory/2484-4-0x000000000047023E-mapping.dmp | family_matiex
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
7 | checkip.dyndns.org
12 | freegeoip.app
13 | freegeoip.app
Suspicious use of SetThreadContext 1 IoCs
Processes: payment invoice090909000.exe
description | pid | process | target process
PID 4092 set thread context of 2484 | 4092 | payment invoice090909000.exe | MSBuild.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: MSBuild.exe
pid | process
2484 | MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: payment invoice090909000.exe
pid | process
4092 | payment invoice090909000.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: MSBuild.exe
description | pid | process
Token: SeDebugPrivilege | 2484 | MSBuild.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes: payment invoice090909000.exe, cmd.exe, MSBuild.exe
description | pid | process | target process
PID 4092 wrote to memory of 2432 | 4092 | payment invoice090909000.exe | cmd.exe
PID 4092 wrote to memory of 2432 | 4092 | payment invoice090909000.exe | cmd.exe
PID 4092 wrote to memory of 2432 | 4092 | payment invoice090909000.exe | cmd.exe
PID 4092 wrote to memory of 2484 | 4092 | payment invoice090909000.exe | MSBuild.exe
PID 4092 wrote to memory of 2484 | 4092 | payment invoice090909000.exe | MSBuild.exe
PID 4092 wrote to memory of 2484 | 4092 | payment invoice090909000.exe | MSBuild.exe
PID 4092 wrote to memory of 2484 | 4092 | payment invoice090909000.exe | MSBuild.exe
PID 2432 wrote to memory of 2712 | 2432 | cmd.exe | schtasks.exe
PID 2432 wrote to memory of 2712 | 2432 | cmd.exe | schtasks.exe
PID 2432 wrote to memory of 2712 | 2432 | cmd.exe | schtasks.exe
PID 2484 wrote to memory of 2280 | 2484 | MSBuild.exe | netsh.exe
PID 2484 wrote to memory of 2280 | 2484 | MSBuild.exe | netsh.exe
PID 2484 wrote to memory of 2280 | 2484 | MSBuild.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\payment invoice090909000.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\payment invoice090909000.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\8b58fad2a4354d06a96543985b862504.xml"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\8b58fad2a4354d06a96543985b862504.xml"
      - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\payment invoice090909000.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\8b58fad2a4354d06a96543985b862504.xml
  MD5: aa2f6636e997aaa0b01fbc78b1dabe52
  SHA1: fd462100fc91975dcbea8e361cf1eb8a70f6ad54
  SHA256: d710b6eda22285684579d8b547e5be2f48883c4bf8db39993b00df30f9dc8723
  SHA512: 6540a3bbdbd3ab51679d5b32380e6c288bf6eba2777d067d40bfe65642ccafecd18028b102dfa46ac189d84282da2b6cb202a4f307587c5639f86834788f5104
- memory/2280-14-0x0000000000000000-mapping.dmp
- memory/2432-2-0x0000000000000000-mapping.dmp
- memory/2484-11-0x00000000052D0000-0x00000000052D1000-memory.dmp
  Filesize: 4KB
- memory/2484-7-0x00000000736B0000-0x0000000073D9E000-memory.dmp
  Filesize: 6.9MB
- memory/2484-4-0x000000000047023E-mapping.dmp
- memory/2484-12-0x0000000005870000-0x0000000005871000-memory.dmp
  Filesize: 4KB
- memory/2484-13-0x0000000005370000-0x0000000005371000-memory.dmp
  Filesize: 4KB
- memory/2484-3-0x0000000000400000-0x0000000000476000-memory.dmp
  Filesize: 472KB
- memory/2484-15-0x0000000006920000-0x0000000006921000-memory.dmp
  Filesize: 4KB
- memory/2484-16-0x0000000006AF0000-0x0000000006AF1000-memory.dmp
  Filesize: 4KB
- memory/2484-17-0x0000000006840000-0x0000000006841000-memory.dmp
  Filesize: 4KB
- memory/2712-6-0x0000000000000000-mapping.dmp