Analysis
max time kernel: 69s
max time network: 69s
platform: windows10_x64
resource: win10v20201028
submitted: 20-01-2021 08:03
Static task: static1
Behavioral task: behavioral1
  Sample: 2021 NEW LIST.exe
  Resource: win7v20201028
General
Target: 2021 NEW LIST.exe
Size: 951KB
MD5: 0e23d8747ee8389cd5efdcf703ffc520
SHA1: 1eef4df1079c5a328473c9bef8db9a1b7eb1b518
SHA256: 0bd4a6df9d752c54589dca027df07822dc2595fa1a73a48be50e7f4e5e7116fe
SHA512: 912247043ec09456aa74fb7af66be27db5a48b83fcc73c36c0740a15538bb52262a7478c902fa52db53a9433124f8de601fa058f9e35e9b3a31976e418bde50b
Malware Config
Extracted (family: matiex)
Protocol: smtp
Host: mail.gschofield.com
Port: 587
Username: gschofield@gschofield.com
Password: gaston1955
Signatures

Matiex Main Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/1188-14-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
  behavioral2/memory/1188-15-0x000000000047093E-mapping.dmp                    family_matiex

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  12    checkip.dyndns.org
  15    freegeoip.app
  16    freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
  description                          pid  process            target process
  PID 832 set thread context of 1188   832  2021 NEW LIST.exe  2021 NEW LIST.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  832   2021 NEW LIST.exe
  832   2021 NEW LIST.exe
  832   2021 NEW LIST.exe
  1188  2021 NEW LIST.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  832   2021 NEW LIST.exe
  Token: SeDebugPrivilege  1188  2021 NEW LIST.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1188  2021 NEW LIST.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description                        pid   process            target process
  PID 832 wrote to memory of 936     832   2021 NEW LIST.exe  schtasks.exe
  PID 832 wrote to memory of 936     832   2021 NEW LIST.exe  schtasks.exe
  PID 832 wrote to memory of 936     832   2021 NEW LIST.exe  schtasks.exe
  PID 832 wrote to memory of 1336    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 832 wrote to memory of 1336    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 832 wrote to memory of 1336    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 832 wrote to memory of 1188    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 832 wrote to memory of 1188    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 832 wrote to memory of 1188    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 832 wrote to memory of 1188    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 832 wrote to memory of 1188    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 832 wrote to memory of 1188    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 832 wrote to memory of 1188    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 832 wrote to memory of 1188    832   2021 NEW LIST.exe  2021 NEW LIST.exe
  PID 1188 wrote to memory of 2248   1188  2021 NEW LIST.exe  netsh.exe
  PID 1188 wrote to memory of 2248   1188  2021 NEW LIST.exe  netsh.exe
  PID 1188 wrote to memory of 2248   1188  2021 NEW LIST.exe  netsh.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2021 NEW LIST.exe
  "C:\Users\Admin\AppData\Local\Temp\2021 NEW LIST.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aTQwKODjZjkh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F55.tmp"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\2021 NEW LIST.exe
    "C:\Users\Admin\AppData\Local\Temp\2021 NEW LIST.exe"
  C:\Users\Admin\AppData\Local\Temp\2021 NEW LIST.exe
    "C:\Users\Admin\AppData\Local\Temp\2021 NEW LIST.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      "netsh" wlan show profile
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp6F55.tmp
MD5: 74e8a16859729a34e316a9fc4071bb2a
SHA1: e2117370b2db241e9ffecf8f2635aaac3854db48
SHA256: 814d2047d0022d4476867adba72ed6ad7f38375ac64518d68cb79af6f9257c8b
SHA512: 4be022a6772ec58dbe00dd12181ee8b041f6ee7099be70a40def2e6f2f3024f0660edfc3cd357ebc7c8790665b8fdf90594d8849a52eb2257845c50f5e2e450d