Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
25-01-2021 18:56
Static task
static1
Behavioral task
behavioral1
Sample
er.exe
Resource
win7v20201028
0 signatures
0 seconds
General
-
Target
er.exe
-
Size
24KB
-
MD5
612be75dd32e0576d23e8188afd4a489
-
SHA1
4fb53cf9f43b8d6ab16577c98aa7bbba5986b296
-
SHA256
b37892c9f8b0b73345bd8f5b47faa274495f1f7b986013f62a4a005ed40b4db4
-
SHA512
c7b2e326c90f0696babfa621202924553671f75cb2cd86970c00e156b9e5d3290b9494e9ece7825f9f5b0f876ae509a1e50c43ab7b88ebeaebd5c5512643e2f8
Malware Config
Extracted
Family
matiex
Credentials
Protocol: smtp- Host:
ckfashion.shop - Port:
26 - Username:
[email protected] - Password:
123Mat+++
Signatures
-
Matiex Main Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3160-8-0x0000000000400000-0x0000000000478000-memory.dmp family_matiex behavioral2/memory/3160-9-0x000000000047213E-mapping.dmp family_matiex -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 checkip.dyndns.org 15 freegeoip.app 16 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
er.exedescription pid process target process PID 496 set thread context of 3160 496 er.exe AddInProcess32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
AddInProcess32.exepid process 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe 3160 AddInProcess32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AddInProcess32.exepid process 3160 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
er.exeAddInProcess32.exedescription pid process Token: SeDebugPrivilege 496 er.exe Token: SeDebugPrivilege 3160 AddInProcess32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
AddInProcess32.exepid process 3160 AddInProcess32.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
er.exeAddInProcess32.exedescription pid process target process PID 496 wrote to memory of 4076 496 er.exe AddInProcess32.exe PID 496 wrote to memory of 4076 496 er.exe AddInProcess32.exe PID 496 wrote to memory of 4076 496 er.exe AddInProcess32.exe PID 496 wrote to memory of 3160 496 er.exe AddInProcess32.exe PID 496 wrote to memory of 3160 496 er.exe AddInProcess32.exe PID 496 wrote to memory of 3160 496 er.exe AddInProcess32.exe PID 496 wrote to memory of 3160 496 er.exe AddInProcess32.exe PID 496 wrote to memory of 3160 496 er.exe AddInProcess32.exe PID 496 wrote to memory of 3160 496 er.exe AddInProcess32.exe PID 496 wrote to memory of 3160 496 er.exe AddInProcess32.exe PID 496 wrote to memory of 3160 496 er.exe AddInProcess32.exe PID 3160 wrote to memory of 1344 3160 AddInProcess32.exe netsh.exe PID 3160 wrote to memory of 1344 3160 AddInProcess32.exe netsh.exe PID 3160 wrote to memory of 1344 3160 AddInProcess32.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\er.exe"C:\Users\Admin\AppData\Local\Temp\er.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/496-2-0x0000000073D40000-0x000000007442E000-memory.dmpFilesize
6.9MB
-
memory/496-3-0x0000000000BE0000-0x0000000000BE1000-memory.dmpFilesize
4KB
-
memory/496-5-0x0000000005440000-0x0000000005441000-memory.dmpFilesize
4KB
-
memory/496-6-0x0000000005530000-0x0000000005531000-memory.dmpFilesize
4KB
-
memory/496-7-0x0000000005F50000-0x0000000005F51000-memory.dmpFilesize
4KB
-
memory/1344-18-0x0000000000000000-mapping.dmp
-
memory/3160-13-0x00000000055C0000-0x00000000055C1000-memory.dmpFilesize
4KB
-
memory/3160-10-0x0000000073D40000-0x000000007442E000-memory.dmpFilesize
6.9MB
-
memory/3160-9-0x000000000047213E-mapping.dmp
-
memory/3160-14-0x0000000005520000-0x0000000005521000-memory.dmpFilesize
4KB
-
memory/3160-15-0x00000000030A0000-0x00000000030A1000-memory.dmpFilesize
4KB
-
memory/3160-16-0x00000000068D0000-0x00000000068D1000-memory.dmpFilesize
4KB
-
memory/3160-17-0x0000000006DD0000-0x0000000006DD1000-memory.dmpFilesize
4KB
-
memory/3160-8-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/3160-19-0x00000000067B0000-0x00000000067B1000-memory.dmpFilesize
4KB
-
memory/3160-20-0x0000000007050000-0x0000000007051000-memory.dmpFilesize
4KB