Analysis
- max time kernel: 125s
- max time network: 66s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-01-2021 17:25

Static task: static1
Behavioral task: behavioral1
Sample: Revised Invoice.exe
Resource: win7v20201028
General
- Target: Revised Invoice.exe
- Size: 579KB
- MD5: cbfb94a41abae103511d729b00687c7a
- SHA1: f491f44fbbaafb97275cc90ecaa37926534a6151
- SHA256: b9d37ce3380de623e8225b466fcd061db7f7828a2e39deace159e5c7f3455015
- SHA512: 77bfe24a4b0dcc0badcf0b33fd1da5335fadf0e366db4411b0ca130fecefa288006c06cf5bf363edd1b038619e1f8654e0e88020c454e4b0399d906c17128a59
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: igbrusure@gmail.com
- Password: mrruben0094
Extracted (matiex)
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: igbrusure@gmail.com
- Password: mrruben0094
Signatures
- Matiex Main Payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1652-34-0x000000000046DDEE-mapping.dmp | family_matiex
    behavioral1/memory/1652-33-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
    behavioral1/memory/1652-36-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
- Drops startup file (2 IoCs)
  Processes: pOwERsHeLl.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe | pOwERsHeLl.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe | pOwERsHeLl.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    5 | checkip.dyndns.org
    10 | freegeoip.app
    11 | freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Revised Invoice.exe
    description | pid | process | target process
    PID 1340 set thread context of 1652 | 1340 | Revised Invoice.exe | Revised Invoice.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: pOwERsHeLl.exe, Revised Invoice.exe
    pid | process
    1696 | pOwERsHeLl.exe
    1696 | pOwERsHeLl.exe
    1652 | Revised Invoice.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: pOwERsHeLl.exe, Revised Invoice.exe
    description | pid | process
    Token: SeDebugPrivilege | 1696 | pOwERsHeLl.exe
    Token: SeDebugPrivilege | 1652 | Revised Invoice.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: Revised Invoice.exe
    pid | process
    1652 | Revised Invoice.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: Revised Invoice.exe
    description | pid | process | target process
    PID 1340 wrote to memory of 1696 | 1340 | Revised Invoice.exe | pOwERsHeLl.exe
    PID 1340 wrote to memory of 1696 | 1340 | Revised Invoice.exe | pOwERsHeLl.exe
    PID 1340 wrote to memory of 1696 | 1340 | Revised Invoice.exe | pOwERsHeLl.exe
    PID 1340 wrote to memory of 1696 | 1340 | Revised Invoice.exe | pOwERsHeLl.exe
    PID 1340 wrote to memory of 1652 | 1340 | Revised Invoice.exe | Revised Invoice.exe
    PID 1340 wrote to memory of 1652 | 1340 | Revised Invoice.exe | Revised Invoice.exe
    PID 1340 wrote to memory of 1652 | 1340 | Revised Invoice.exe | Revised Invoice.exe
    PID 1340 wrote to memory of 1652 | 1340 | Revised Invoice.exe | Revised Invoice.exe
    PID 1340 wrote to memory of 1652 | 1340 | Revised Invoice.exe | Revised Invoice.exe
    PID 1340 wrote to memory of 1652 | 1340 | Revised Invoice.exe | Revised Invoice.exe
    PID 1340 wrote to memory of 1652 | 1340 | Revised Invoice.exe | Revised Invoice.exe
    PID 1340 wrote to memory of 1652 | 1340 | Revised Invoice.exe | Revised Invoice.exe
    PID 1340 wrote to memory of 1652 | 1340 | Revised Invoice.exe | Revised Invoice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe (depth 2)
    Command line: "pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe'
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1340-32-0x00000000005D0000-0x00000000005DF000-memory.dmp (Filesize: 60KB)
- memory/1340-3-0x0000000000B40000-0x0000000000B41000-memory.dmp (Filesize: 4KB)
- memory/1340-2-0x0000000074480000-0x0000000074B6E000-memory.dmp (Filesize: 6.9MB)
- memory/1340-10-0x00000000004C0000-0x00000000004C1000-memory.dmp (Filesize: 4KB)
- memory/1652-39-0x0000000005675000-0x0000000005686000-memory.dmp (Filesize: 68KB)
- memory/1652-38-0x0000000005670000-0x0000000005671000-memory.dmp (Filesize: 4KB)
- memory/1652-36-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1652-35-0x0000000074480000-0x0000000074B6E000-memory.dmp (Filesize: 6.9MB)
- memory/1652-33-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1652-34-0x000000000046DDEE-mapping.dmp
- memory/1696-9-0x00000000048F0000-0x00000000048F1000-memory.dmp (Filesize: 4KB)
- memory/1696-13-0x0000000002580000-0x0000000002581000-memory.dmp (Filesize: 4KB)
- memory/1696-17-0x00000000056A0000-0x00000000056A1000-memory.dmp (Filesize: 4KB)
- memory/1696-22-0x00000000056F0000-0x00000000056F1000-memory.dmp (Filesize: 4KB)
- memory/1696-23-0x000000007EF30000-0x000000007EF31000-memory.dmp (Filesize: 4KB)
- memory/1696-24-0x0000000006180000-0x0000000006181000-memory.dmp (Filesize: 4KB)
- memory/1696-31-0x0000000006240000-0x0000000006241000-memory.dmp (Filesize: 4KB)
- memory/1696-14-0x0000000005240000-0x0000000005241000-memory.dmp (Filesize: 4KB)
- memory/1696-11-0x00000000025D0000-0x00000000025D1000-memory.dmp (Filesize: 4KB)
- memory/1696-12-0x00000000025D2000-0x00000000025D3000-memory.dmp (Filesize: 4KB)
- memory/1696-8-0x0000000000890000-0x0000000000891000-memory.dmp (Filesize: 4KB)
- memory/1696-7-0x0000000074480000-0x0000000074B6E000-memory.dmp (Filesize: 6.9MB)
- memory/1696-6-0x0000000076691000-0x0000000076693000-memory.dmp (Filesize: 8KB)
- memory/1696-5-0x0000000000000000-mapping.dmp