Analysis

max time kernel: 124s
max time network: 178s
platform: windows7_x64
resource: win7v20210408
submitted: 27-09-2021 10:12

Static task: static1
Behavioral task: behavioral1
Sample: Payment Confirmation TT reference po.exe
Resource: win7v20210408
General

Target: Payment Confirmation TT reference po.exe
Size: 807KB
MD5: 188d87dcba1c1d16b8779e05981c74c3
SHA1: 7503fee46ec790d3f76df6c14a0968504adfc886
SHA256: 402c8c6acc052173c55e48fe8228ae54db5b90be8ca3ab3d2050530b58c80b56
SHA512: 94066967f5bd3b9b331ffbb65bf3431421b7cebf95b940a70edbafef7def654c647b9fe04e4741d6a919b58b9ed4555e81c846e113b66461b38f0b299e17abdc
Malware Config

Extracted: matiex
Protocol: smtp
Host: mail.thts.vn
Port: 25
Username: [email protected]
Password: 123luongngan1989
Signatures

Matiex Main Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1664-66-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
behavioral1/memory/1664-67-0x000000000046DCFE-mapping.dmp | family_matiex
behavioral1/memory/1664-68-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
5 | checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2028 set thread context of 1664 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe

Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
1676 | 1664 | WerFault.exe | Payment Confirmation TT reference po.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid | process
2028 | Payment Confirmation TT reference po.exe
1676 | WerFault.exe
1676 | WerFault.exe
1676 | WerFault.exe
1676 | WerFault.exe
1676 | WerFault.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid | process
1664 | Payment Confirmation TT reference po.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2028 | Payment Confirmation TT reference po.exe
Token: SeDebugPrivilege | 1664 | Payment Confirmation TT reference po.exe
Token: SeDebugPrivilege | 1676 | WerFault.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
description | pid | process | target process
PID 2028 wrote to memory of 556 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 556 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 556 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 556 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 2028 wrote to memory of 1664 | 2028 | Payment Confirmation TT reference po.exe | Payment Confirmation TT reference po.exe
PID 1664 wrote to memory of 1676 | 1664 | Payment Confirmation TT reference po.exe | WerFault.exe
PID 1664 wrote to memory of 1676 | 1664 | Payment Confirmation TT reference po.exe | WerFault.exe
PID 1664 wrote to memory of 1676 | 1664 | Payment Confirmation TT reference po.exe | WerFault.exe
PID 1664 wrote to memory of 1676 | 1664 | Payment Confirmation TT reference po.exe | WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe (child)
    command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"

  C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe (child)
    command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (child)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1260
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

file | filesize
memory/1664-66-0x0000000000400000-0x0000000000472000-memory.dmp | 456KB
memory/1664-67-0x000000000046DCFE-mapping.dmp | -
memory/1664-68-0x0000000000400000-0x0000000000472000-memory.dmp | 456KB
memory/1664-70-0x0000000004C20000-0x0000000004C21000-memory.dmp | 4KB
memory/1676-71-0x0000000000000000-mapping.dmp | -
memory/1676-72-0x00000000005A0000-0x00000000005A1000-memory.dmp | 4KB
memory/2028-60-0x0000000000DF0000-0x0000000000DF1000-memory.dmp | 4KB
memory/2028-62-0x0000000004EE0000-0x0000000004EE1000-memory.dmp | 4KB
memory/2028-63-0x0000000000320000-0x0000000000327000-memory.dmp | 28KB
memory/2028-64-0x0000000005080000-0x00000000050DB000-memory.dmp | 364KB
memory/2028-65-0x00000000050F0000-0x0000000005163000-memory.dmp | 460KB