Analysis
- max time kernel: 121s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 25-01-2022 19:33
Static task: static1
Behavioral task: behavioral1
- Sample: 98nMUVIMa7yoxmF.exe
- Resource: win7-en-20211208
General
- Target: 98nMUVIMa7yoxmF.exe
- Size: 1.2MB
- MD5: a060e6b79f24c737ed87a315cfb02760
- SHA1: 6e28de0375a2a8431ebf17e8858e8a5a32e5358f
- SHA256: 962a2c242f1491057e2192083e69c7a4f06be6e37a2ceb85ba43f66fd21a80c3
- SHA512: 483729e2bd5c2118d2abc81fb4d469023c372e00f2d9056d68e03c8db6200f9ea83f9a32fb73131784e292b92885c893611d2d199253e4f596ae19aa62908e95
Malware Config
Extracted
- Family: matiex
- C2: https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933
Signatures
- Matiex Main Payload (5 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/1124-64-0x0000000000400000-0x0000000000476000-memory.dmp: family_matiex
  - behavioral1/memory/1124-65-0x0000000000400000-0x0000000000476000-memory.dmp: family_matiex
  - behavioral1/memory/1124-66-0x0000000000400000-0x0000000000476000-memory.dmp: family_matiex
  - behavioral1/memory/1124-67-0x0000000000400000-0x0000000000476000-memory.dmp: family_matiex
  - behavioral1/memory/1652-68-0x0000000002360000-0x0000000002FAA000-memory.dmp: family_matiex
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description: ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / 98nMUVIMa7yoxmF.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / 98nMUVIMa7yoxmF.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / 98nMUVIMa7yoxmF.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow: ioc):
  - flow 4: checkip.dyndns.org
  - flow 8: freegeoip.app
  - flow 9: freegeoip.app
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 1412 set thread context of 1124 / 1412 / 98nMUVIMa7yoxmF.exe / 98nMUVIMa7yoxmF.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 1652 / powershell.exe
  - 1124 / 98nMUVIMa7yoxmF.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1124 / 98nMUVIMa7yoxmF.exe
  - Token: SeDebugPrivilege / 1652 / powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 1124 / 98nMUVIMa7yoxmF.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / process / target process):
  - PID 1412 wrote to memory of 1652 / 1412 / 98nMUVIMa7yoxmF.exe / powershell.exe
  - PID 1412 wrote to memory of 1652 / 1412 / 98nMUVIMa7yoxmF.exe / powershell.exe
  - PID 1412 wrote to memory of 1652 / 1412 / 98nMUVIMa7yoxmF.exe / powershell.exe
  - PID 1412 wrote to memory of 1652 / 1412 / 98nMUVIMa7yoxmF.exe / powershell.exe
  - PID 1412 wrote to memory of 1712 / 1412 / 98nMUVIMa7yoxmF.exe / schtasks.exe
  - PID 1412 wrote to memory of 1712 / 1412 / 98nMUVIMa7yoxmF.exe / schtasks.exe
  - PID 1412 wrote to memory of 1712 / 1412 / 98nMUVIMa7yoxmF.exe / schtasks.exe
  - PID 1412 wrote to memory of 1712 / 1412 / 98nMUVIMa7yoxmF.exe / schtasks.exe
  - PID 1412 wrote to memory of 1124 / 1412 / 98nMUVIMa7yoxmF.exe / 98nMUVIMa7yoxmF.exe
  - PID 1412 wrote to memory of 1124 / 1412 / 98nMUVIMa7yoxmF.exe / 98nMUVIMa7yoxmF.exe
  - PID 1412 wrote to memory of 1124 / 1412 / 98nMUVIMa7yoxmF.exe / 98nMUVIMa7yoxmF.exe
  - PID 1412 wrote to memory of 1124 / 1412 / 98nMUVIMa7yoxmF.exe / 98nMUVIMa7yoxmF.exe
  - PID 1412 wrote to memory of 1124 / 1412 / 98nMUVIMa7yoxmF.exe / 98nMUVIMa7yoxmF.exe
  - PID 1412 wrote to memory of 1124 / 1412 / 98nMUVIMa7yoxmF.exe / 98nMUVIMa7yoxmF.exe
  - PID 1412 wrote to memory of 1124 / 1412 / 98nMUVIMa7yoxmF.exe / 98nMUVIMa7yoxmF.exe
  - PID 1412 wrote to memory of 1124 / 1412 / 98nMUVIMa7yoxmF.exe / 98nMUVIMa7yoxmF.exe
  - PID 1412 wrote to memory of 1124 / 1412 / 98nMUVIMa7yoxmF.exe / 98nMUVIMa7yoxmF.exe
  - PID 1124 wrote to memory of 1724 / 1124 / 98nMUVIMa7yoxmF.exe / netsh.exe
  - PID 1124 wrote to memory of 1724 / 1124 / 98nMUVIMa7yoxmF.exe / netsh.exe
  - PID 1124 wrote to memory of 1724 / 1124 / 98nMUVIMa7yoxmF.exe / netsh.exe
  - PID 1124 wrote to memory of 1724 / 1124 / 98nMUVIMa7yoxmF.exe / netsh.exe
- outlook_office_path (1 IoCs)
  Processes (description: ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / 98nMUVIMa7yoxmF.exe
- outlook_win_path (1 IoCs)
  Processes (description: ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / 98nMUVIMa7yoxmF.exe
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\98nMUVIMa7yoxmF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\98nMUVIMa7yoxmF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YbakSbVXJKkh.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YbakSbVXJKkh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCF9.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\98nMUVIMa7yoxmF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\98nMUVIMa7yoxmF.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpBCF9.tmp
  - MD5: 25e87d45e78eb678b064bf6141b55b62
  - SHA1: 7f34e8a055b359557c0c1aaea95fe136ffc4c680
  - SHA256: a9291f453c9318823df5f791f907a5e0f02e4ec97711ff47f3f1f47c33dc8069
  - SHA512: 79304ebfd869d30abb2eb3e892f9df781a221aa28ed095a863aea5e26b6b63775ec2aa0a1bb211eb9ee8907790c2378de819d0101cf6c4e173f98990a4bbb335
- memory/1124-64-0x0000000000400000-0x0000000000476000-memory.dmp (filesize: 472KB)
- memory/1124-66-0x0000000000400000-0x0000000000476000-memory.dmp (filesize: 472KB)
- memory/1124-69-0x0000000005960000-0x0000000005961000-memory.dmp (filesize: 4KB)
- memory/1124-67-0x0000000000400000-0x0000000000476000-memory.dmp (filesize: 472KB)
- memory/1124-65-0x0000000000400000-0x0000000000476000-memory.dmp (filesize: 472KB)
- memory/1124-63-0x0000000000400000-0x0000000000476000-memory.dmp (filesize: 472KB)
- memory/1124-62-0x0000000000400000-0x0000000000476000-memory.dmp (filesize: 472KB)
- memory/1412-55-0x0000000076851000-0x0000000076853000-memory.dmp (filesize: 8KB)
- memory/1412-54-0x0000000000CC0000-0x0000000000DF4000-memory.dmp (filesize: 1.2MB)
- memory/1412-59-0x0000000005190000-0x0000000005298000-memory.dmp (filesize: 1.0MB)
- memory/1412-56-0x0000000004F10000-0x0000000004F11000-memory.dmp (filesize: 4KB)
- memory/1412-58-0x000000007EF40000-0x000000007EF41000-memory.dmp (filesize: 4KB)
- memory/1412-57-0x0000000000BB0000-0x0000000000BBE000-memory.dmp (filesize: 56KB)
- memory/1652-68-0x0000000002360000-0x0000000002FAA000-memory.dmp (filesize: 12.3MB)