Analysis
- max time kernel: 67s
- max time network: 126s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 19:01
- Static task: static1
- Behavioral task: behavioral1
  Sample: QYD Quotation 20210702.exe
  Resource: win7v20210410
General
- Target: QYD Quotation 20210702.exe
- Size: 1.1MB
- MD5: 494fc5838b2ff1381ab5d806cf7820a2
- SHA1: d7ec8bb026fe526535ed556936ec057409fb00fa
- SHA256: e58284d351b21f134a31fdccd3e53f952133f671892da8a86347d7b930399f28
- SHA512: 1c18d8524f0aecd4b4dfb2518de69c94362c23c60b3bc2e7229e6b06a9ed6e559212d97f740f4675c028cc5c5f9ab12b51d21589a42656232e207d2866120821
Malware Config
Extracted
- Protocol: smtp
- Host: mail.thts.vn
- Port: 25
- Username: sales01@mtlvn.com.vn
- Password: 123luongngan1989
Extracted (family: matiex)
- Protocol: smtp
- Host: mail.thts.vn
- Port: 25
- Username: sales01@mtlvn.com.vn
- Password: 123luongngan1989
Signatures
-
Matiex Main Payload 3 IoCs
Processes:
- behavioral1/memory/340-68-0x0000000000400000-0x0000000000474000-memory.dmp: yara rule family_matiex
- behavioral1/memory/340-69-0x000000000046E07E-mapping.dmp: yara rule family_matiex
- behavioral1/memory/340-70-0x0000000000400000-0x0000000000474000-memory.dmp: yara rule family_matiex
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 5: checkip.dyndns.org
- flow 9: freegeoip.app
- flow 10: freegeoip.app
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 1872 (QYD Quotation 20210702.exe) set thread context of PID 340 (QYD Quotation 20210702.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store
Processes:
- QYD Quotation 20210702.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
- QYD Quotation 20210702.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510
Note: the key name DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA1 thumbprint of the public "DST Root CA X3" root certificate, whose subject name and validity dates (2000-09-30 to 2021-09-30) are readable in the Blob hex above; an AuthRoot write of a well-known public root is consistent with Windows caching a root during the sample's TLS traffic and is not by itself evidence of an attacker-controlled certificate being installed.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- PID 1872 QYD Quotation 20210702.exe (3 events)
- PID 340 QYD Quotation 20210702.exe (1 event)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
- PID 340 QYD Quotation 20210702.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1872 QYD Quotation 20210702.exe
- Token: SeDebugPrivilege, PID 340 QYD Quotation 20210702.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
- PID 1872 (QYD Quotation 20210702.exe) wrote to memory of PID 1652 (schtasks.exe): 4 events
- PID 1872 (QYD Quotation 20210702.exe) wrote to memory of PID 1056 (QYD Quotation 20210702.exe): 4 events
- PID 1872 (QYD Quotation 20210702.exe) wrote to memory of PID 340 (QYD Quotation 20210702.exe): 9 events
- PID 340 (QYD Quotation 20210702.exe) wrote to memory of PID 1532 (netsh.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DQuUJXrfqT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC08.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe (level 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe (level 2)
    Command line: "{path}"
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: "netsh" wlan show profile
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAC08.tmp
  MD5: 506ffc1b90f51f0612daf501d0e38077
  SHA1: 33127a3197685752ed8e32c7fbef1c12e952f3c6
  SHA256: 670f5c9f27accf4bdaf4cbbc23116a649fdc81ed0da456e20b0bc285754a7f38
  SHA512: 93647008e43f34d55c0e10e6527b84e042942772a76691246bc21047fb87e7d5f66b85e2e25f39b7962de973656521d43f86d9a79ea5e387fc65ba922221ed2e
- memory/340-70-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/340-68-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/340-69-0x000000000046E07E-mapping.dmp
- memory/340-72-0x0000000000DD0000-0x0000000000DD1000-memory.dmp (Filesize: 4KB)
- memory/1532-73-0x0000000000000000-mapping.dmp
- memory/1532-74-0x0000000075631000-0x0000000075633000-memory.dmp (Filesize: 8KB)
- memory/1652-66-0x0000000000000000-mapping.dmp
- memory/1872-63-0x00000000004F0000-0x00000000004F2000-memory.dmp (Filesize: 8KB)
- memory/1872-64-0x0000000005E40000-0x0000000005EF6000-memory.dmp (Filesize: 728KB)
- memory/1872-65-0x0000000007F10000-0x0000000007FBA000-memory.dmp (Filesize: 680KB)
- memory/1872-62-0x0000000004E30000-0x0000000004E31000-memory.dmp (Filesize: 4KB)
- memory/1872-60-0x0000000000E20000-0x0000000000E21000-memory.dmp (Filesize: 4KB)