Analysis
- max time kernel: 37s
- max time network: 33s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-01-2021 06:42
Static task: static1
Behavioral task: behavioral1
Sample: ae7df639d022f1b5c905da288b7b96ec.exe
Resource: win7v20201028
General
- Target: ae7df639d022f1b5c905da288b7b96ec.exe
- Size: 796KB
- MD5: ae7df639d022f1b5c905da288b7b96ec
- SHA1: 33ed97231b65d0c7388de55ff262f6c778b0e144
- SHA256: 5267ff61c4ea8ae53b6c1566e90464e062db1f16704d04c4d1f6653e0a3ccc95
- SHA512: f3272dff37fae2e28e05d06d8e39da8c7f4b6f0f80af57a3c84f225c6259580e3a0a7356cdd81d966d059946487b03d1ee417f91fda228720e46cf51e5c8b7b0
Malware Config
Extracted: matiex
- Protocol: smtp
- Host: mail.metauxsud.com
- Port: 587
- Username: mtoks@metauxsud.com
- Password: Tx$6#dMqO7up
Signatures

Matiex Main Payload (4 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/1756-8-0x000000000046CA3E-mapping.dmp: family_matiex
- behavioral1/memory/1756-7-0x0000000000400000-0x0000000000472000-memory.dmp: family_matiex
- behavioral1/memory/1756-9-0x0000000000400000-0x0000000000472000-memory.dmp: family_matiex
- behavioral1/memory/1756-10-0x0000000000400000-0x0000000000472000-memory.dmp: family_matiex

Deletes itself (1 IoC)
Processes (pid, process):
- 936 cmd.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 10 freegeoip.app
- 11 freegeoip.app
- 5 checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
Processes (description; pid, process -> target process):
- PID 1916 set thread context of 1756; 1916 ae7df639d022f1b5c905da288b7b96ec.exe -> ae7df639d022f1b5c905da288b7b96ec.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid, process):
- 1756 ae7df639d022f1b5c905da288b7b96ec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description; pid, process):
- Token: SeDebugPrivilege; 1916 ae7df639d022f1b5c905da288b7b96ec.exe
- Token: SeDebugPrivilege; 1756 ae7df639d022f1b5c905da288b7b96ec.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 1756 ae7df639d022f1b5c905da288b7b96ec.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description; pid, process -> target process):
- PID 1916 wrote to memory of 1756; 1916 ae7df639d022f1b5c905da288b7b96ec.exe -> ae7df639d022f1b5c905da288b7b96ec.exe (9 entries)
- PID 1756 wrote to memory of 936; 1756 ae7df639d022f1b5c905da288b7b96ec.exe -> cmd.exe (4 entries)
- PID 936 wrote to memory of 692; 936 cmd.exe -> choice.exe (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ae7df639d022f1b5c905da288b7b96ec.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ae7df639d022f1b5c905da288b7b96ec.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ae7df639d022f1b5c905da288b7b96ec.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ae7df639d022f1b5c905da288b7b96ec.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\ae7df639d022f1b5c905da288b7b96ec.exe"
         - Deletes itself
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\choice.exe
            Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/692-15-0x0000000000000000-mapping.dmp
- memory/936-14-0x0000000000000000-mapping.dmp
- memory/1756-8-0x000000000046CA3E-mapping.dmp
- memory/1756-7-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1756-9-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1756-10-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1756-11-0x0000000074530000-0x0000000074C1E000-memory.dmp (Filesize: 6.9MB)
- memory/1916-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp (Filesize: 6.9MB)
- memory/1916-3-0x0000000000FE0000-0x0000000000FE1000-memory.dmp (Filesize: 4KB)
- memory/1916-5-0x0000000000920000-0x000000000093F000-memory.dmp (Filesize: 124KB)
- memory/1916-6-0x0000000000940000-0x000000000094D000-memory.dmp (Filesize: 52KB)