Analysis
max time kernel: 151s
max time network: 156s
platform: windows10_x64
resource: win10-en-20210920
submitted: 03-10-2021 10:00
Static task: static1
Behavioral task: behavioral1
Sample: Ref 2998390020 purchasing inquiry.exe
Resource: win7v20210408
General
Target: Ref 2998390020 purchasing inquiry.exe
Size: 442KB
MD5: 4db15735772716ead8b0a838c67f91c6
SHA1: e7770b8a8d3d092f3bd38de265890f6cf17d1406
SHA256: 5d65c8c1dbe91d020fe6dfefe37ef17651aaead257fdd7f24aa08b9a38cbb8fc
SHA512: 38f0d118a3dfdb2ca0a0fd64b23cde9cdd76c410b85fa1f69dd164b121a25c213ea5dff75a7ab658c57cd5b7822cc16f7e19bcdeb63d202271065147cb22cc4c
Malware Config

Extracted
Protocol: smtp
Host: mail.thts.vn
Port: 25
Username: [email protected]
Password: 123luongngan1989

Extracted (family: matiex)
Protocol: smtp
Host: mail.thts.vn
Port: 25
Username: [email protected]
Password: 123luongngan1989
Signatures

Matiex Main Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/784-126-0x0000000000400000-0x0000000000478000-memory.dmp | family_matiex
behavioral2/memory/784-127-0x0000000000472BFE-mapping.dmp | family_matiex
Drops startup file (1 IoC)
Processes: Ref 2998390020 purchasing inquiry.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url | Ref 2998390020 purchasing inquiry.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
7 | checkip.dyndns.org
10 | freegeoip.app
11 | freegeoip.app
Suspicious use of SetThreadContext (1 IoC)
Processes: Ref 2998390020 purchasing inquiry.exe
description | pid | process | target process
PID 3524 set thread context of 784 | 3524 | Ref 2998390020 purchasing inquiry.exe | Ref 2998390020 purchasing inquiry.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class (5 IoCs)
Processes: Ref 2998390020 purchasing inquiry.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\ms-settings\shell\open\command | Ref 2998390020 purchasing inquiry.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\ms-settings | Ref 2998390020 purchasing inquiry.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\ms-settings\shell | Ref 2998390020 purchasing inquiry.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\ms-settings\shell\open | Ref 2998390020 purchasing inquiry.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\ms-settings\shell\open\command\ | Ref 2998390020 purchasing inquiry.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Ref 2998390020 purchasing inquiry.exe
pid | process
784 | Ref 2998390020 purchasing inquiry.exe (this same entry is listed 64 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Ref 2998390020 purchasing inquiry.exe
pid | process
784 | Ref 2998390020 purchasing inquiry.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: Ref 2998390020 purchasing inquiry.exe
description | pid | process
Token: SeDebugPrivilege | 784 | Ref 2998390020 purchasing inquiry.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: Ref 2998390020 purchasing inquiry.exe
pid | process
784 | Ref 2998390020 purchasing inquiry.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: Ref 2998390020 purchasing inquiry.exe, Ref 2998390020 purchasing inquiry.exe
description | pid | process | target process
PID 3524 wrote to memory of 3032 | 3524 | Ref 2998390020 purchasing inquiry.exe | schtasks.exe (listed 3 times)
PID 3524 wrote to memory of 784 | 3524 | Ref 2998390020 purchasing inquiry.exe | Ref 2998390020 purchasing inquiry.exe (listed 8 times)
PID 784 wrote to memory of 4468 | 784 | Ref 2998390020 purchasing inquiry.exe | netsh.exe (listed 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\Ref 2998390020 purchasing inquiry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ref 2998390020 purchasing inquiry.exe"
  PID: 3524
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDOhzfeKq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48D2.tmp"
    PID: 3032
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Ref 2998390020 purchasing inquiry.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ref 2998390020 purchasing inquiry.exe"
    PID: 784
    - Drops startup file
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
      PID: 4468
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ref 2998390020 purchasing inquiry.exe.log
MD5: 0c2899d7c6746f42d5bbe088c777f94c
SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078