Analysis

- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 25-01-2021 18:56

Static task: static1
Behavioral task: behavioral1
- Sample: er.exe
- Resource: win7v20201028
0 signatures, 0 seconds
General

- Target: er.exe
- Size: 24KB
- MD5: 612be75dd32e0576d23e8188afd4a489
- SHA1: 4fb53cf9f43b8d6ab16577c98aa7bbba5986b296
- SHA256: b37892c9f8b0b73345bd8f5b47faa274495f1f7b986013f62a4a005ed40b4db4
- SHA512: c7b2e326c90f0696babfa621202924553671f75cb2cd86970c00e156b9e5d3290b9494e9ece7825f9f5b0f876ae509a1e50c43ab7b88ebeaebd5c5512643e2f8
Malware Config

Extracted
- Family: matiex
- Credentials:
  - Protocol: smtp
  - Host: ckfashion.shop
  - Port: 26
  - Username: [email protected] (address redacted on the page)
  - Password: 123Mat+++
Signatures

Matiex Main Payload (3 IoCs)
  resource   yara_rule
  behavioral1/memory/968-9-0x0000000000400000-0x0000000000478000-memory.dmp   family_matiex
  behavioral1/memory/968-10-0x000000000047213E-mapping.dmp   family_matiex
  behavioral1/memory/968-12-0x0000000000400000-0x0000000000478000-memory.dmp   family_matiex
Blocklisted process makes network request (2 IoCs)
  flow   pid   process
  6      848   rundll32.exe
  8      848   rundll32.exe
  Caveat: PID 848 is the rundll32.exe child running gameux.dll,GameUXShim (see the process tree). Windows 7 launches that Games Explorer shim for newly started executables, so these two flows are OS noise rather than sample behaviour unless the destination turns out to be sample-controlled.
Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  13     checkip.dyndns.org
  18     freegeoip.app
  19     freegeoip.app
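The extracted config above says where a Matiex run exfiltrates (SMTP to ckfashion.shop on port 26) and the IP-lookup signature shows the reconnaissance that precedes it. The following is an added example, not part of the Triage report, of turning those two facts into a network detection: it tags flows to known IP-lookup services and flows to the configured SMTP host, and flags a process that does both within a short window. The flow records are constructed: flows 13, 18 and 19 reuse the hosts listed in the report, but their timestamps, their attribution to PID 968, the 120-second window and the SMTP flow 20 are assumptions (the report shows the config, not an observed SMTP session).

```python
"""Correlate an extracted stealer SMTP config with sandbox network flows.

Added example, not code from the Triage report or from Matiex. The records
below are constructed for illustration (see the lead-in for what is assumed).
"""
from dataclasses import dataclass

# Public services stealers query for the victim's external IP (the report shows
# the first two; the rest are assumed additions of the same kind).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app", "api.ipify.org", "ip-api.com"}
# Assumption: SMTP to any port outside the usual relay/submission ports is odd.
STANDARD_SMTP_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Flow:
    flow_id: int
    ts: float        # seconds since the sample started (constructed)
    pid: int         # originating process (assumed)
    dst_host: str
    dst_port: int


def classify_flow(flow, config):
    """Tag a flow as 'ip_lookup', 'smtp_c2' (to the configured host:port) or None."""
    if flow.dst_host in IP_LOOKUP_HOSTS:
        return "ip_lookup"
    if (config["protocol"] == "smtp"
            and flow.dst_host == config["host"]
            and flow.dst_port == config["port"]):
        return "smtp_c2"
    return None


def correlate_exfil(flows, config, window=120.0):
    """Stealer pattern: an external-IP lookup followed, from the same PID and
    within `window` seconds, by SMTP to the host/port in the extracted config.
    Returns a summary dict; 'sequence_match' is the high-confidence verdict."""
    lookups, smtp = [], []
    for f in sorted(flows, key=lambda f: f.ts):
        tag = classify_flow(f, config)
        if tag == "ip_lookup":
            lookups.append(f)
        elif tag == "smtp_c2":
            smtp.append(f)
    return {
        "ip_lookup_flows": [f.flow_id for f in lookups],
        "smtp_flows": [f.flow_id for f in smtp],
        "non_standard_port": any(f.dst_port not in STANDARD_SMTP_PORTS for f in smtp),
        "sequence_match": any(
            l.pid == s.pid and 0 <= s.ts - l.ts <= window
            for s in smtp for l in lookups),
    }


# Values taken from the report's "Malware Config" section.
MATIEX_CONFIG = {"protocol": "smtp", "host": "ckfashion.shop", "port": 26}

# Constructed flow log. IDs 13/18/19 and their hosts come from the report;
# timestamps, the PID and flow 20 are assumptions.
SAMPLE_FLOWS = [
    Flow(13, 12.0, 968, "checkip.dyndns.org", 80),
    Flow(18, 13.5, 968, "freegeoip.app", 443),
    Flow(19, 13.9, 968, "freegeoip.app", 443),
    Flow(20, 41.0, 968, "ckfashion.shop", 26),
]

if __name__ == "__main__":
    print(correlate_exfil(SAMPLE_FLOWS, MATIEX_CONFIG))
```

An IP lookup on its own is weak evidence (plenty of legitimate software does it), which is why the verdict requires the follow-on SMTP connection from the same process; the port check is reported separately because a stealer configured for port 587 would still match the sequence.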
Suspicious use of SetThreadContext (1 IoCs)
  description   pid   process   target process
  PID 1872 set thread context of 968   1872   er.exe   AddInProcess32.exe
  Read together with the nine WriteProcessMemory calls from er.exe into PID 968 and the dumps of PID 968 at 0x400000-0x478000 that match the family_matiex rule, this is process hollowing: er.exe starts the empty .NET host AddInProcess32.exe, writes the Matiex image into it and points a thread at the new code. The mapping dump taken at 0x47213E, inside that image range, is consistent with the redirected entry point.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note calls this "likely ransomware behaviour", but nothing else in this report (no file encryption, no ransom note, no shadow-copy deletion) supports that; for a keylogger/stealer family such as Matiex, drive enumeration is more consistent with locating files to collect.
Modifies registry class (3 IoCs)
  description   ioc   process
  Key created   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX   rundll32.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1"   rundll32.exe
  Key created   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation   rundll32.exe
  Caveat: all three keys sit under GameUX and are written by the gameux.dll shim child (PID 848), i.e. Games Explorer bookkeeping done by Windows 7, not persistence or configuration by the sample.
Modifies system certificate store (2 IoCs)
  description   ioc   process
  Key created   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13   er.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob elided)   er.exe
  Caveat: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of the public DST Root CA X3 (IdenTrust) root, and AuthRoot is where Windows' automatic root update caches roots it fetches on demand. The write is therefore most likely a side effect of the sample's HTTPS lookups rather than the sample installing its own root certificate; confirm by checking that the stored blob matches the public certificate.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   process
  968   AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description   pid   process
  Token: SeDebugPrivilege   1872   er.exe
  Token: SeDebugPrivilege   968    AddInProcess32.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description   pid   process   target process
  PID 1872 wrote to memory of 848   1872   er.exe   rundll32.exe   (7 occurrences)
  PID 1872 wrote to memory of 968   1872   er.exe   AddInProcess32.exe   (9 occurrences)
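The SetThreadContext and WriteProcessMemory tables above are the raw material for a hollowing detection, and the rundll32 child shows why write counts alone are not enough. What follows is an added example, not code from the Triage report: it parses rows in the report's table format, flags only parent/child pairs that see both a memory write and a thread-context change, and labels the children so the Windows 7 GameUX shim can be set aside. The rows are constructed to mirror the report's counts (7 writes into PID 848, 9 into PID 968, one SetThreadContext into 968); the command lines are copied from its process tree.

```python
"""Detect process hollowing from a sandbox's WriteProcessMemory /
SetThreadContext rows and separate it from Windows 7 launch noise.

Added example, not code from the Triage report. The event rows are
constructed to mirror the report's 'Processes' tables (PID 1872 er.exe,
848 rundll32.exe, 968 AddInProcess32.exe); the command lines are copied
from its process tree.
"""
import re
from collections import defaultdict

# Row shapes used in the report's signature tables.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
# Windows 7 Games Explorer shim: the OS runs this for freshly launched
# executables, so its rundll32 child, network request and GameUX registry
# keys are not the sample's doing.
GAMEUX_SHIM = re.compile(r"rundll32\.exe .*gameux\.dll,GameUXShim", re.I)


def parse_api_events(rows):
    """Return (api, src_pid, dst_pid, src_image, dst_image) tuples."""
    events = []
    for row in rows:
        for api, rx in (("WriteProcessMemory", WRITE_RE), ("SetThreadContext", CTX_RE)):
            m = rx.search(row)
            if m:
                events.append((api, int(m[1]), int(m[2]), m[3], m[4]))
    return events


def detect_hollowing(events, min_writes=1):
    """Hollowing = a parent writes into a child AND resets a thread context in
    it (create suspended, write the image, SetThreadContext to the new entry
    point, resume). Writes alone are also produced by ordinary process
    creation, so they are not flagged by themselves."""
    writes, ctx, images = defaultdict(int), set(), {}
    for api, src, dst, s_img, d_img in events:
        images[(src, dst)] = (s_img, d_img)
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx.add((src, dst))
    hits = []
    for pair in sorted(ctx):
        if writes[pair] >= min_writes:
            hits.append({"parent": pair[0], "child": pair[1],
                         "parent_image": images[pair][0],
                         "child_image": images[pair][1],
                         "writes": writes[pair]})
    return hits


def classify_children(cmdlines):
    """Label child command lines: the Win7 shim, the empty .NET host that
    is a common hollowing target, or 'other'."""
    labels = {}
    for pid, cmd in cmdlines.items():
        if GAMEUX_SHIM.search(cmd):
            labels[pid] = "win7_gameux_shim"
        elif cmd.lower().endswith("addinprocess32.exe"):
            labels[pid] = "dotnet_host"
        else:
            labels[pid] = "other"
    return labels


# Constructed rows: 7 writes into rundll32 (process-creation noise) and 9 into
# AddInProcess32 plus one SetThreadContext, exactly the counts the report lists.
SAMPLE_ROWS = (
    ["PID 1872 wrote to memory of 848 1872 er.exe rundll32.exe"] * 7
    + ["PID 1872 wrote to memory of 968 1872 er.exe AddInProcess32.exe"] * 9
    + ["PID 1872 set thread context of 968 1872 er.exe AddInProcess32.exe"]
)
SAMPLE_CMDLINES = {
    848: r"C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim "
         r"{5edb1ddd-6a21-414f-bc6e-e6e5379b875c};C:\Users\Admin\AppData\Local\Temp\er.exe;1872",
    968: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
}

if __name__ == "__main__":
    print(detect_hollowing(parse_api_events(SAMPLE_ROWS)))
    print(classify_children(SAMPLE_CMDLINES))
```

Run as-is it reports one hollowing pair (1872 er.exe into 968 AddInProcess32.exe, nine writes) and nothing for the rundll32 child, which received writes but never a thread-context change; that is the distinction a sandbox summary line like "16 IoCs" hides.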
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\er.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\er.exe"
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {5edb1ddd-6a21-414f-bc6e-e6e5379b875c};C:\Users\Admin\AppData\Local\Temp\er.exe;1872
    - Blocklisted process makes network request
    - Modifies registry class

  [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/848-3-0x0000000000000000-mapping.dmp
- memory/968-9-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
- memory/968-10-0x000000000047213E-mapping.dmp
- memory/968-11-0x0000000074000000-0x00000000746EE000-memory.dmp (6.9MB)
- memory/968-12-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
- memory/968-14-0x0000000005050000-0x0000000005051000-memory.dmp (4KB)
- memory/1872-2-0x00000000760B1000-0x00000000760B3000-memory.dmp (8KB)
- memory/1872-5-0x0000000074000000-0x00000000746EE000-memory.dmp (6.9MB)
- memory/1872-6-0x0000000000FC0000-0x0000000000FC1000-memory.dmp (4KB)
- memory/1872-8-0x0000000004DF0000-0x0000000004DF1000-memory.dmp (4KB)
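The dump names above encode the PID, a sequence number and the address range, which is enough to pick out the unpacked payload without opening every file. The following is an added example, not code from the Triage report: it parses that naming scheme, recomputes the listed sizes from the ranges, and combines the YARA hits from the Signatures section with the dump list to report the hollowed PID, the image range, which dumps cover it and the entry point recorded by the mapping dump inside it. The dump names and YARA rows are copied from this report; the selection logic is this example's own.

```python
"""Parse Triage memory-dump names and locate the unpacked payload region.

Added example, not code from the Triage report. The dump names and YARA hit
rows below are copied from the report; the selection logic is the example's.
"""
import re
from dataclasses import dataclass
from typing import Optional

# memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp")


@dataclass(frozen=True)
class Dump:
    pid: int
    seq: int
    start: int
    end: Optional[int]   # mapping dumps carry a single address, no range
    kind: str

    @property
    def size(self):
        return None if self.end is None else self.end - self.start


def parse_dump_name(name):
    """Accepts either the bare 'memory/...' name or 'behavioral1/memory/...'."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    pid, seq, start, end, kind = m.groups()
    return Dump(int(pid), int(seq), int(start, 16),
                int(end, 16) if end else None, kind)


def kib(nbytes):
    """Render a size the way the report's Downloads list does (480KB, 4KB)."""
    return f"{nbytes // 1024}KB"


def find_injected_image(dump_names, yara_hits):
    """Given all dump names and (dump_name, rule) YARA hits, return where the
    family payload lives: the hollowed PID, image range, size, the seqs of
    the matching range dumps, and the entry point recorded by a mapping dump
    inside that range (here the SetThreadContext target)."""
    ranged = [parse_dump_name(n) for n, _ in yara_hits]
    ranged = [d for d in ranged if d.kind == "memory"]
    if not ranged:
        return None
    pid = ranged[0].pid
    base = min(d.start for d in ranged)
    end = max(d.end for d in ranged)
    all_dumps = [parse_dump_name(n) for n in dump_names]
    entry = [d.start for d in all_dumps
             if d.pid == pid and d.kind == "mapping" and base <= d.start < end]
    return {
        "pid": pid,
        "image_base": base,
        "image_end": end,
        "size": end - base,
        "dump_seqs": sorted(d.seq for d in all_dumps
                            if d.pid == pid and d.kind == "memory"
                            and d.start == base and d.end == end),
        "entry_point": entry[0] if entry else None,
    }


# Dump names from the report's Downloads list.
DUMP_NAMES = [
    "memory/848-3-0x0000000000000000-mapping.dmp",
    "memory/968-9-0x0000000000400000-0x0000000000478000-memory.dmp",
    "memory/968-10-0x000000000047213E-mapping.dmp",
    "memory/968-11-0x0000000074000000-0x00000000746EE000-memory.dmp",
    "memory/968-12-0x0000000000400000-0x0000000000478000-memory.dmp",
    "memory/968-14-0x0000000005050000-0x0000000005051000-memory.dmp",
    "memory/1872-2-0x00000000760B1000-0x00000000760B3000-memory.dmp",
    "memory/1872-5-0x0000000074000000-0x00000000746EE000-memory.dmp",
    "memory/1872-6-0x0000000000FC0000-0x0000000000FC1000-memory.dmp",
    "memory/1872-8-0x0000000004DF0000-0x0000000004DF1000-memory.dmp",
]
# The 'Matiex Main Payload' rows from the Signatures section.
YARA_HITS = [
    ("behavioral1/memory/968-9-0x0000000000400000-0x0000000000478000-memory.dmp", "family_matiex"),
    ("behavioral1/memory/968-10-0x000000000047213E-mapping.dmp", "family_matiex"),
    ("behavioral1/memory/968-12-0x0000000000400000-0x0000000000478000-memory.dmp", "family_matiex"),
]

if __name__ == "__main__":
    info = find_injected_image(DUMP_NAMES, YARA_HITS)
    print({k: (hex(v) if k in ("image_base", "image_end", "entry_point") else v)
           for k, v in info.items()})
```

For this report it resolves to PID 968, image 0x400000-0x478000 (491520 bytes, the 480KB the list shows), dumps 9 and 12 as two snapshots of the same region, and 0x47213E as the entry point; the 0x74000000-0x746EE000 region present in both processes works out to 7096KB, i.e. the 6.9MB shown, and is not part of the payload.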