Analysis
-
max time kernel
163s -
max time network
167s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
27-09-2021 12:03
Static task
static1
Behavioral task
behavioral1
Sample
Payment Confirmation TT reference po.exe
Resource
win7v20210408
General
-
Target
Payment Confirmation TT reference po.exe
-
Size
807KB
-
MD5
188d87dcba1c1d16b8779e05981c74c3
-
SHA1
7503fee46ec790d3f76df6c14a0968504adfc886
-
SHA256
402c8c6acc052173c55e48fe8228ae54db5b90be8ca3ab3d2050530b58c80b56
-
SHA512
94066967f5bd3b9b331ffbb65bf3431421b7cebf95b940a70edbafef7def654c647b9fe04e4741d6a919b58b9ed4555e81c846e113b66461b38f0b299e17abdc
Malware Config
Extracted
Protocol: smtp- Host:
mail.thts.vn - Port:
25 - Username:
[email protected] - Password:
123luongngan1989
Extracted
matiex
Protocol: smtp- Host:
mail.thts.vn - Port:
25 - Username:
[email protected] - Password:
123luongngan1989
Signatures
-
Matiex Main Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3648-125-0x0000000000400000-0x0000000000472000-memory.dmp family_matiex behavioral2/memory/3648-126-0x000000000046DCFE-mapping.dmp family_matiex behavioral2/memory/3648-133-0x0000000005250000-0x00000000052EC000-memory.dmp family_matiex -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 13 freegeoip.app 14 freegeoip.app 11 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Payment Confirmation TT reference po.exedescription pid process target process PID 636 set thread context of 3648 636 Payment Confirmation TT reference po.exe Payment Confirmation TT reference po.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Payment Confirmation TT reference po.exepid process 3648 Payment Confirmation TT reference po.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Payment Confirmation TT reference po.exepid process 3648 Payment Confirmation TT reference po.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
Payment Confirmation TT reference po.exepid process 3648 Payment Confirmation TT reference po.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Payment Confirmation TT reference po.exedescription pid process Token: SeDebugPrivilege 3648 Payment Confirmation TT reference po.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Payment Confirmation TT reference po.exepid process 3648 Payment Confirmation TT reference po.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Payment Confirmation TT reference po.exedescription pid process target process PID 636 wrote to memory of 3648 636 Payment Confirmation TT reference po.exe Payment Confirmation TT reference po.exe PID 636 wrote to memory of 3648 636 Payment Confirmation TT reference po.exe Payment Confirmation TT reference po.exe PID 636 wrote to memory of 3648 636 Payment Confirmation TT reference po.exe Payment Confirmation TT reference po.exe PID 636 wrote to memory of 3648 636 Payment Confirmation TT reference po.exe Payment Confirmation TT reference po.exe PID 636 wrote to memory of 3648 636 Payment Confirmation TT reference po.exe Payment Confirmation TT reference po.exe PID 636 wrote to memory of 3648 636 Payment Confirmation TT reference po.exe Payment Confirmation TT reference po.exe PID 636 wrote to memory of 3648 636 Payment Confirmation TT reference po.exe Payment Confirmation TT reference po.exe PID 636 wrote to memory of 3648 636 Payment Confirmation TT reference po.exe Payment Confirmation TT reference po.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation TT reference po.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3648
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Confirmation TT reference po.exe.log
MD56521ad4e3d4f1d043ebbd5765b69e211
SHA14bf0fff43dc33bd2c91a470b25827432dff92d8b
SHA2565f8b317795f3079b968a3c2d0f722cba21ae79a1373b484781e3f95aed22afd6
SHA512389d1fee037e437e0f1c5e90772edf93be774f435061ba18543d34b7753239dd9ce828f6627ba43cfad690c8c84263e86d1f88e94cbff3615fa58f359178a74d