Analysis

max time kernel: 102s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 26-07-2021 10:02

Static task: static1
Behavioral task: behavioral1
Sample: INVOICE RECEIPT NO253334.exe
Resource: win7v20210410 (windows7_x64)
0 signatures
0 seconds
General

Target: INVOICE RECEIPT NO253334.exe
Size: 455KB
MD5: c6b4a2eb53f687988c0427cf752d429f
SHA1: d6b3299043950047524087631f72375b68bfc36d
SHA256: 786a583ea35093cc588069ed3b8d4dd6dbe8e9edfe68569d3752c6da82db0de1
SHA512: ded0daa7672ade2aabf1695c67441c0c488b8f44170ebd438105936eeac2a4d9fb7da1aef48565bb42caf6807eb4f0157a0de43ddf4731e5d3c428e8cf034dee
Malware Config (Extracted)

Family: matiex
C2: https://api.telegram.org/bot1718729558:AAFUftnJNVxfQZ7XrIUEpE1UiXHAYPc6VAQ/sendMessage?chat_id=1841930277
Signatures

Matiex Main Payload (1 IoC)
  resource                                                                    | yara_rule
  behavioral2/memory/1032-116-0x0000000000400000-0x0000000000476000-memory.dmp | family_matiex

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  6    | checkip.dyndns.org
  9    | freegeoip.app
  10   | freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
  description                           | pid  | Process                      | procid_target
  PID 3956 set thread context of 1032   | 3956 | INVOICE RECEIPT NO253334.exe | 74

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  | Process
  1032 | MSBuild.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid  | Process
  3956 | INVOICE RECEIPT NO253334.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description             | pid  | Process
  Token: SeDebugPrivilege | 1032 | MSBuild.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       | pid  | Process                      | procid_target
  PID 3956 wrote to memory of 1032  | 3956 | INVOICE RECEIPT NO253334.exe | 74
  PID 3956 wrote to memory of 1032  | 3956 | INVOICE RECEIPT NO253334.exe | 74
  PID 3956 wrote to memory of 1032  | 3956 | INVOICE RECEIPT NO253334.exe | 74
  PID 3956 wrote to memory of 1032  | 3956 | INVOICE RECEIPT NO253334.exe | 74
  PID 1032 wrote to memory of 3404  | 1032 | MSBuild.exe                  | 77
  PID 1032 wrote to memory of 3404  | 1032 | MSBuild.exe                  | 77
  PID 1032 wrote to memory of 3404  | 1032 | MSBuild.exe                  | 77
Processes

1. C:\Users\Admin\AppData\Local\Temp\INVOICE RECEIPT NO253334.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE RECEIPT NO253334.exe"
   PID: 3956
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE RECEIPT NO253334.exe"
      PID: 1032
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: "netsh" wlan show profile
         PID: 3404