Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 21-01-2021 17:25

Static task: static1
Behavioral task: behavioral1
- Sample: Revised Invoice.exe
- Resource: win7v20201028
General
- Target: Revised Invoice.exe
- Size: 579KB
- MD5: cbfb94a41abae103511d729b00687c7a
- SHA1: f491f44fbbaafb97275cc90ecaa37926534a6151
- SHA256: b9d37ce3380de623e8225b466fcd061db7f7828a2e39deace159e5c7f3455015
- SHA512: 77bfe24a4b0dcc0badcf0b33fd1da5335fadf0e366db4411b0ca130fecefa288006c06cf5bf363edd1b038619e1f8654e0e88020c454e4b0399d906c17128a59
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: igbrusure@gmail.com
- Password: mrruben0094
Extracted
- Family: matiex
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: igbrusure@gmail.com
- Password: mrruben0094
Signatures
-
Matiex Main Payload 2 IoCs
Processes:
- resource: behavioral2/memory/1420-28-0x0000000000400000-0x0000000000472000-memory.dmp, yara_rule: family_matiex
- resource: behavioral2/memory/1420-29-0x000000000046DDEE-mapping.dmp, yara_rule: family_matiex
-
Drops startup file 2 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe (process: pOwERsHeLl.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe (process: pOwERsHeLl.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 17: freegeoip.app
- flow 18: freegeoip.app
- flow 14: checkip.dyndns.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 4092 (Revised Invoice.exe) set thread context of PID 1420 (Revised Invoice.exe)
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
- PID 2848 pOwERsHeLl.exe (3 events)
- PID 4092 Revised Invoice.exe (2 events)
- PID 1420 Revised Invoice.exe (1 event)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 1420 Revised Invoice.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2848 pOwERsHeLl.exe
- Token: SeDebugPrivilege, PID 4092 Revised Invoice.exe
- Token: SeDebugPrivilege, PID 1420 Revised Invoice.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 1420 Revised Invoice.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
- PID 4092 (Revised Invoice.exe) wrote to memory of PID 2848 (pOwERsHeLl.exe), 3 events
- PID 4092 (Revised Invoice.exe) wrote to memory of PID 3104 (Revised Invoice.exe), 3 events
- PID 4092 (Revised Invoice.exe) wrote to memory of PID 1420 (Revised Invoice.exe), 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe (PID 4092)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe (PID 2848, child of 4092)
    Command line: "pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe'
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe (PID 3104, child of 4092)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe"
  - C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe (PID 1420, child of 4092)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
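The three behaviours the signatures above pin to specific PIDs (a PowerShell copy into the Startup folder, WriteProcessMemory followed by SetThreadContext from the dropper into a child that runs its own image, and DNS lookups of external-IP services) are the ones a detection engineer would want to catch from endpoint telemetry. The Python below is an added example written for this page, not code from the sandbox or from any vendor product. It runs the checks over constructed Sysmon-style event dicts that mirror the report's rows; the field names, the event schema and the parent PID of the dropper (which the report does not record) are assumptions. Note that the sample spawns "pOwERsHeLl.exe" with mixed case, so every string match here is case-insensitive; a case-sensitive rule for "powershell.exe" would miss the persistence step.

```python
"""Flag the behaviours this report records, over constructed Sysmon-style events.

Added example for this page; not the sandbox's own detection logic. The event
dicts are constructed to mirror the report's rows (PIDs 4092, 2848, 3104, 1420,
the Startup-folder path, the IP-lookup hosts). Field names and the dropper's
parent PID (1000) are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe"

# Constructed events in the order the report's process tree implies.
EVENTS = [
    {"type": "process_create", "pid": 4092, "ppid": 1000, "image": SAMPLE},
    {"type": "process_create", "pid": 2848, "ppid": 4092, "image": POWERSHELL},
    {"type": "file_create", "pid": 2848, "path": STARTUP},
    {"type": "process_create", "pid": 3104, "ppid": 4092, "image": SAMPLE},
    {"type": "process_create", "pid": 1420, "ppid": 4092, "image": SAMPLE},
]
# The report lists 3 WriteProcessMemory rows into 2848, 3 into 3104 and 8 into
# 1420, but a SetThreadContext into 1420 only.
EVENTS += [{"type": "write_process_memory", "pid": 4092, "target_pid": 2848}] * 3
EVENTS += [{"type": "write_process_memory", "pid": 4092, "target_pid": 3104}] * 3
EVENTS += [{"type": "write_process_memory", "pid": 4092, "target_pid": 1420}] * 8
EVENTS += [{"type": "set_thread_context", "pid": 4092, "target_pid": 1420}]
EVENTS += [
    {"type": "dns_query", "pid": 1420, "query": "freegeoip.app"},
    {"type": "dns_query", "pid": 1420, "query": "freegeoip.app"},
    {"type": "dns_query", "pid": 1420, "query": "checkip.dyndns.org"},
]

# Only the two hosts the report shows; extend this set for your own environment.
IP_LOOKUP_HOSTS = {"freegeoip.app", "checkip.dyndns.org"}
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def _processes(events):
    """pid -> process_create event, for image and parent lookups."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def find_startup_drops(events):
    """Files written under a Startup folder, noting when PowerShell wrote them.

    Image matching is case-insensitive because the sample launches
    'pOwERsHeLl.exe' with mixed case to slip past case-sensitive rules."""
    procs = _processes(events)
    hits = []
    for e in events:
        if e["type"] == "file_create" and STARTUP_DIR_RE.search(e["path"]):
            image = procs.get(e["pid"], {}).get("image", "").lower()
            hits.append({"pid": e["pid"], "path": e["path"],
                         "via_powershell": image.endswith("\\powershell.exe")})
    return hits


def find_hollowing(events):
    """Source -> target pairs with both WriteProcessMemory and SetThreadContext.

    Writes alone (here into 2848 and 3104) are not enough: a parent routinely
    writes into children it creates. Changing the child's thread context after
    writing into it, with the child running the parent's own image, is the
    process-hollowing pattern the report's SetThreadContext signature reflects."""
    procs = _processes(events)
    writes, ctx = defaultdict(int), set()
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["type"] == "set_thread_context":
            ctx.add((e["pid"], e["target_pid"]))
    hits = []
    for src, dst in sorted(ctx):
        if writes[(src, dst)] == 0:
            continue
        src_img = procs.get(src, {}).get("image", "").lower()
        dst_img = procs.get(dst, {}).get("image", "").lower()
        hits.append({"source": src, "target": dst, "writes": writes[(src, dst)],
                     "same_image": src_img == dst_img,
                     "is_child": procs.get(dst, {}).get("ppid") == src})
    return hits


def find_ip_lookups(events):
    """Distinct external-IP lookup hosts queried, grouped by PID."""
    seen = defaultdict(set)
    for e in events:
        host = e.get("query", "").lower()
        if e["type"] == "dns_query" and host in IP_LOOKUP_HOSTS:
            seen[e["pid"]].add(host)
    return {pid: sorted(hosts) for pid, hosts in seen.items()}


if __name__ == "__main__":
    print(find_startup_drops(EVENTS))
    print(find_hollowing(EVENTS))
    print(find_ip_lookups(EVENTS))
```

The hollowing check deliberately requires the write and the context change to come from the same source into the same target; the three writes into PID 3104 with no SetThreadContext are left alone, which matches the report, where 3104 carries no further signatures.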
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Revised Invoice.exe.log
- MD5: 92cc4e89e248331d85b250cbb9f93991
- SHA1: 22c4cdddfd883116fe0293e00c457b44a437684a
- SHA256: 9ad7b0ba7effc127d6e440175a71bd1529a672fedba646ea5d041d83063fd6ab
- SHA512: 385740de49d2d4d9d61f3ba24ad9eea7874575714fc64b765366a7f25cf6cc9d14e113adbab4bd60ee8bba8d45505cc9e73dd226aeeaf99ef9ccbcafb779f834
-
Memory dumps (Filesize in parentheses):
- memory/1420-28-0x0000000000400000-0x0000000000472000-memory.dmp (456KB)
- memory/1420-41-0x0000000005183000-0x0000000005185000-memory.dmp (8KB)
- memory/1420-40-0x0000000006A00000-0x0000000006A01000-memory.dmp (4KB)
- memory/1420-39-0x0000000006CA0000-0x0000000006CA1000-memory.dmp (4KB)
- memory/1420-37-0x0000000005180000-0x0000000005181000-memory.dmp (4KB)
- memory/1420-31-0x00000000739B0000-0x000000007409E000-memory.dmp (6.9MB)
- memory/1420-29-0x000000000046DDEE-mapping.dmp
- memory/2848-11-0x0000000006A50000-0x0000000006A51000-memory.dmp (4KB)
- memory/2848-22-0x0000000008940000-0x0000000008941000-memory.dmp (4KB)
- memory/2848-13-0x0000000007500000-0x0000000007501000-memory.dmp (4KB)
- memory/2848-14-0x0000000007610000-0x0000000007611000-memory.dmp (4KB)
- memory/2848-16-0x00000000066B2000-0x00000000066B3000-memory.dmp (4KB)
- memory/2848-15-0x00000000066B0000-0x00000000066B1000-memory.dmp (4KB)
- memory/2848-17-0x00000000073E0000-0x00000000073E1000-memory.dmp (4KB)
- memory/2848-18-0x0000000007960000-0x0000000007961000-memory.dmp (4KB)
- memory/2848-19-0x0000000007C80000-0x0000000007C81000-memory.dmp (4KB)
- memory/2848-20-0x00000000089B0000-0x00000000089B1000-memory.dmp (4KB)
- memory/2848-21-0x00000000088D0000-0x00000000088D1000-memory.dmp (4KB)
- memory/2848-12-0x0000000006BF0000-0x0000000006BF1000-memory.dmp (4KB)
- memory/2848-23-0x0000000009170000-0x0000000009171000-memory.dmp (4KB)
- memory/2848-24-0x00000000066B3000-0x00000000066B4000-memory.dmp (4KB)
- memory/2848-6-0x0000000000000000-mapping.dmp
- memory/2848-7-0x00000000739A0000-0x000000007408E000-memory.dmp (6.9MB)
- memory/2848-9-0x00000000040F0000-0x00000000040F1000-memory.dmp (4KB)
- memory/2848-10-0x0000000006CF0000-0x0000000006CF1000-memory.dmp (4KB)
- memory/4092-2-0x00000000739A0000-0x000000007408E000-memory.dmp (6.9MB)
- memory/4092-8-0x0000000005810000-0x0000000005811000-memory.dmp (4KB)
- memory/4092-27-0x0000000005750000-0x000000000575F000-memory.dmp (60KB)
- memory/4092-26-0x0000000005A20000-0x0000000005A21000-memory.dmp (4KB)
- memory/4092-5-0x0000000005630000-0x0000000005631000-memory.dmp (4KB)
- memory/4092-3-0x0000000000D40000-0x0000000000D41000-memory.dmp (4KB)