Analysis

max time kernel:   81s
max time network:  82s
platform:          windows7_x64
resource:          win7v20201028
submitted:         20-01-2021 08:03

Static task:       static1
Behavioral task:   behavioral1
Sample:            2021 NEW LIST.exe
Resource:          win7v20201028
General

Target:  2021 NEW LIST.exe
Size:    951KB
MD5:     0e23d8747ee8389cd5efdcf703ffc520
SHA1:    1eef4df1079c5a328473c9bef8db9a1b7eb1b518
SHA256:  0bd4a6df9d752c54589dca027df07822dc2595fa1a73a48be50e7f4e5e7116fe
SHA512:  912247043ec09456aa74fb7af66be27db5a48b83fcc73c36c0740a15538bb52262a7478c902fa52db53a9433124f8de601fa058f9e35e9b3a31976e418bde50b
Malware Config

Extracted (family: matiex)
Protocol:  smtp
Host:      mail.gschofield.com
Port:      587
Username:  gschofield@gschofield.com
Password:  gaston1955
Signatures

Matiex Main Payload (3 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/532-10-0x0000000000400000-0x0000000000476000-memory.dmp   family_matiex
    behavioral1/memory/532-11-0x000000000047093E-mapping.dmp                     family_matiex
    behavioral1/memory/532-13-0x0000000000400000-0x0000000000476000-memory.dmp   family_matiex

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    4    checkip.dyndns.org
    9    freegeoip.app
    10   freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 544 set thread context of 532   544   2021 NEW LIST.exe   2021 NEW LIST.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    544   2021 NEW LIST.exe
    532   2021 NEW LIST.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege   544   2021 NEW LIST.exe
    Token: SeDebugPrivilege   532   2021 NEW LIST.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
    532   2021 NEW LIST.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description / pid / process / target process), identical rows collapsed with their count:
    PID 544 wrote to memory of 1744   544   2021 NEW LIST.exe   schtasks.exe        (4 rows)
    PID 544 wrote to memory of 532    544   2021 NEW LIST.exe   2021 NEW LIST.exe   (9 rows)
    PID 532 wrote to memory of 1408   532   2021 NEW LIST.exe   netsh.exe           (4 rows)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2021 NEW LIST.exe  (PID 544)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2021 NEW LIST.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 1744)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aTQwKODjZjkh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4CA.tmp"
        - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\2021 NEW LIST.exe  (PID 532)
        Command line: "C:\Users\Admin\AppData\Local\Temp\2021 NEW LIST.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\netsh.exe  (PID 1408)
            Command line: "netsh" wlan show profile
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF4CA.tmp
  MD5:     85361bf4d0bfab500ed968ec9c56624c
  SHA1:    3d1ec2210c4b6202e10e9983b25035ce7576a173
  SHA256:  ac13ecb279b8875d86ff517541f5aa8f98e92e18baa0c7b6e52523baaf23eb33
  SHA512:  9f11e331c13a0a1876835131a327c9f46b7b8ad3cd0c959e356323e841bd8c0592bd0e4ca42348ab75099a28e53d4872561bb30cf3f49344ceab8b060711d243

Memory dumps (file / filesize; mapping.dmp entries carry no filesize in the report):
  memory/532-12-0x00000000749D0000-0x00000000750BE000-memory.dmp   6.9MB
  memory/532-15-0x0000000005920000-0x0000000005921000-memory.dmp   4KB
  memory/532-18-0x0000000005925000-0x0000000005936000-memory.dmp   68KB
  memory/532-13-0x0000000000400000-0x0000000000476000-memory.dmp   472KB
  memory/532-11-0x000000000047093E-mapping.dmp
  memory/532-10-0x0000000000400000-0x0000000000476000-memory.dmp   472KB
  memory/544-3-0x0000000000920000-0x0000000000921000-memory.dmp    4KB
  memory/544-2-0x00000000749D0000-0x00000000750BE000-memory.dmp    6.9MB
  memory/544-7-0x0000000005290000-0x0000000005338000-memory.dmp    672KB
  memory/544-5-0x00000000008C0000-0x00000000008E3000-memory.dmp    140KB
  memory/544-6-0x0000000004E70000-0x0000000004E71000-memory.dmp    4KB
  memory/1408-16-0x0000000000000000-mapping.dmp
  memory/1408-17-0x0000000076881000-0x0000000076883000-memory.dmp  8KB
  memory/1744-8-0x0000000000000000-mapping.dmp