Analysis
- max time kernel: 145s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 07-10-2021 04:38
Static task: static1
Behavioral task: behavioral1
Sample: Products Details and Order reference.exe
Resource: win7-en-20210920
General
- Target: Products Details and Order reference.exe
- Size: 591KB
- MD5: 4107bb08f0c20c1bafd7839f1bf77a8b
- SHA1: ba4daabff9037990d45c4cfafe4690a7fe2ddbfb
- SHA256: dd182afe8c89ecfb8d2d449f5e700d7ac09b979315238abf0cee1cdd65d6c27f
- SHA512: 88b10d5719e82d69d80e2e9264b0e0c86bba686d127fcd7366fb0be5c71846c8a5013b4a6c96ed750242a9f88e5bd3504e9705580024ecf1106eea9b9b7dfe60
Malware Config
Extracted: matiex
- Protocol: smtp
- Host: mail.thts.vn
- Port: 25
- Username: [email protected]
- Password: 123luongngan1989
Signatures
- Matiex Main Payload 3 IoCs
  Processes:
  resource | yara_rule
  behavioral1/memory/952-59-0x0000000000400000-0x0000000000478000-memory.dmp | family_matiex
  behavioral1/memory/952-60-0x0000000000472BFE-mapping.dmp | family_matiex
  behavioral1/memory/952-61-0x0000000000400000-0x0000000000478000-memory.dmp | family_matiex
- Looks up external IP address via web service 3 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  9 | freegeoip.app
  4 | checkip.dyndns.org
  8 | freegeoip.app
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description | pid | process | target process
  PID 1116 set thread context of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes:
  pid | process
  952 | Products Details and Order reference.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 952 | Products Details and Order reference.exe
- Suspicious use of WriteProcessMemory 16 IoCs
  Processes:
  description | pid | process | target process
  PID 1116 wrote to memory of 1768 | 1116 | Products Details and Order reference.exe | schtasks.exe
  PID 1116 wrote to memory of 1768 | 1116 | Products Details and Order reference.exe | schtasks.exe
  PID 1116 wrote to memory of 1768 | 1116 | Products Details and Order reference.exe | schtasks.exe
  PID 1116 wrote to memory of 1768 | 1116 | Products Details and Order reference.exe | schtasks.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
  PID 1116 wrote to memory of 952 | 1116 | Products Details and Order reference.exe | Products Details and Order reference.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Products Details and Order reference.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Products Details and Order reference.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, child of the process above)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UKEBHvwzzTPD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6612.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Products Details and Order reference.exe (depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Products Details and Order reference.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/952-59-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize: 480KB)
- memory/952-60-0x0000000000472BFE-mapping.dmp
- memory/952-61-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize: 480KB)
- memory/952-63-0x0000000005830000-0x0000000005831000-memory.dmp (Filesize: 4KB)
- memory/1116-53-0x0000000000D50000-0x0000000000D51000-memory.dmp (Filesize: 4KB)
- memory/1116-55-0x0000000004940000-0x0000000004941000-memory.dmp (Filesize: 4KB)
- memory/1116-56-0x0000000000280000-0x000000000028A000-memory.dmp (Filesize: 40KB)
- memory/1116-57-0x0000000005670000-0x0000000005704000-memory.dmp (Filesize: 592KB)
- memory/1768-58-0x0000000000000000-mapping.dmp