Analysis
- max time kernel: 136s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-07-2021 19:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: QYD Quotation 20210702.exe
- Resource: win7v20210410
General
- Target: QYD Quotation 20210702.exe
- Size: 1.1MB
- MD5: 494fc5838b2ff1381ab5d806cf7820a2
- SHA1: d7ec8bb026fe526535ed556936ec057409fb00fa
- SHA256: e58284d351b21f134a31fdccd3e53f952133f671892da8a86347d7b930399f28
- SHA512: 1c18d8524f0aecd4b4dfb2518de69c94362c23c60b3bc2e7229e6b06a9ed6e559212d97f740f4675c028cc5c5f9ab12b51d21589a42656232e207d2866120821
Malware Config
Extracted (family: matiex)
- Protocol: smtp
- Host: mail.thts.vn
- Port: 25
- Username: [email protected]
- Password: 123luongngan1989
Signatures

Matiex Main Payload (2 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3956-126-0x0000000000400000-0x0000000000474000-memory.dmp  family_matiex
  behavioral2/memory/3956-127-0x000000000046E07E-mapping.dmp                    family_matiex

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  16    freegeoip.app
  17    freegeoip.app
  14    checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                     target process
  PID 3560 set thread context of 3956  3560  QYD Quotation 20210702.exe  QYD Quotation 20210702.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (5 IoCs)
Processes (all by QYD Quotation 20210702.exe):
  description      ioc
  Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ms-settings\shell
  Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ms-settings\shell\open
  Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ms-settings\shell\open\command\
  Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ms-settings\shell\open\command
  Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ms-settings

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  3956  QYD Quotation 20210702.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   process
  3956  QYD Quotation 20210702.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3560  QYD Quotation 20210702.exe
  Token: SeDebugPrivilege  3956  QYD Quotation 20210702.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description                       pid   process                     target process
  PID 3560 wrote to memory of 2376  3560  QYD Quotation 20210702.exe  schtasks.exe
  PID 3560 wrote to memory of 2376  3560  QYD Quotation 20210702.exe  schtasks.exe
  PID 3560 wrote to memory of 2376  3560  QYD Quotation 20210702.exe  schtasks.exe
  PID 3560 wrote to memory of 3956  3560  QYD Quotation 20210702.exe  QYD Quotation 20210702.exe
  PID 3560 wrote to memory of 3956  3560  QYD Quotation 20210702.exe  QYD Quotation 20210702.exe
  PID 3560 wrote to memory of 3956  3560  QYD Quotation 20210702.exe  QYD Quotation 20210702.exe
  PID 3560 wrote to memory of 3956  3560  QYD Quotation 20210702.exe  QYD Quotation 20210702.exe
  PID 3560 wrote to memory of 3956  3560  QYD Quotation 20210702.exe  QYD Quotation 20210702.exe
  PID 3560 wrote to memory of 3956  3560  QYD Quotation 20210702.exe  QYD Quotation 20210702.exe
  PID 3560 wrote to memory of 3956  3560  QYD Quotation 20210702.exe  QYD Quotation 20210702.exe
  PID 3560 wrote to memory of 3956  3560  QYD Quotation 20210702.exe  QYD Quotation 20210702.exe
  PID 3956 wrote to memory of 1308  3956  QYD Quotation 20210702.exe  netsh.exe
  PID 3956 wrote to memory of 1308  3956  QYD Quotation 20210702.exe  netsh.exe
  PID 3956 wrote to memory of 1308  3956  QYD Quotation 20210702.exe  netsh.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe (PID 3560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (PID 2376)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DQuUJXrfqT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8581.tmp"
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe (PID 3956)
    Command line: "{path}"
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\netsh.exe (PID 1308)
      Command line: "netsh" wlan show profile
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QYD Quotation 20210702.exe.log
  MD5: 0c2899d7c6746f42d5bbe088c777f94c
  SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
  SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
  SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

- C:\Users\Admin\AppData\Local\Temp\tmp8581.tmp
  MD5: 6fce50d62d6530fc6a9352c63f315ad4
  SHA1: d7260f7eb250291e331ec7f1ef4e7a7553bfc020
  SHA256: ccdfefb4869aca36db5e0a912696ee94a4628f2a3f204294d491c99986a6497d
  SHA512: b33d8693ed5bcd32aa1ff7c7fb71154fec6d913b45f63b25e2547adeaba7b9f61aa7aac6a0053cccc73959b5d5c2ef4314bc7723ecc72731a935f5b4178dab96