Analysis
- max time kernel: 122s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 27-01-2022 13:00
Static task: static1
Behavioral task: behavioral1
  Sample: 467890987654323456789098765432345678.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 467890987654323456789098765432345678.exe
  Resource: win10-en-20211208
General
- Target: 467890987654323456789098765432345678.exe
- Size: 299KB
- MD5: e04c69c79193ccaac508fe7279a1804f
- SHA1: 75930a5d0e35815f213475e7af644f19f4ed14bf
- SHA256: 56f473eb624769a6eb77762eba09ecfbb6e25f513e4280207de5ae06663e5452
- SHA512: fcf2671f30495f16fe2a8399f2536bb2e193ea774aa5e0f6f30f861eb0f145a43217522ddfb8af401cb41d92f5043cf8b9f6580aaff80006525b6cd5810674c9
Malware Config
Signatures
- Matiex Main Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/524-56-0x0000000000400000-0x0000000000482000-memory.dmp | family_matiex
  behavioral1/memory/524-58-0x0000000000400000-0x0000000000482000-memory.dmp | family_matiex
  behavioral1/memory/524-60-0x00000000045C0000-0x0000000004632000-memory.dmp | family_matiex
- Loads dropped DLL (1 IoC)
  pid | process
  1628 | 467890987654323456789098765432345678.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 467890987654323456789098765432345678.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 467890987654323456789098765432345678.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 467890987654323456789098765432345678.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1628 set thread context of 524 | 1628 | 467890987654323456789098765432345678.exe | 467890987654323456789098765432345678.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid | pid_target | process | target process
  1100 | 524 | WerFault.exe | 467890987654323456789098765432345678.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  1100 | WerFault.exe (5 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1100 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 524 | 467890987654323456789098765432345678.exe
  Token: SeDebugPrivilege | 1100 | WerFault.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | target process
  PID 1628 wrote to memory of 524 | 1628 | 467890987654323456789098765432345678.exe | 467890987654323456789098765432345678.exe (11 identical entries)
  PID 524 wrote to memory of 1100 | 524 | 467890987654323456789098765432345678.exe | WerFault.exe (4 identical entries)
- outlook_office_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 467890987654323456789098765432345678.exe
- outlook_win_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 467890987654323456789098765432345678.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe (depth 1, PID 1628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe (depth 2, PID 524)
    Command line: "C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 1100)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 1152
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsyCC08.tmp\gememaop.dll
  MD5: cea2c1f8c33480b4194e50513bda2117
  SHA1: edad90b4aaff17a6cad7577a64d607750635275e
  SHA256: dcc77f4cf402ac1bb45d437ea154dec3a509bba62cc9c23833d262d3152a5e06
  SHA512: 37c49bed21825573f5f88433d7b844ce4c10c31c0fc15cd690f1b4eeeecf3c4192b1639f3974e22da799f275a0af457f817300c4be3f52f102105a2ddf571e85
- memory/524-56-0x0000000000400000-0x0000000000482000-memory.dmp
  Filesize: 520KB
- memory/524-58-0x0000000000400000-0x0000000000482000-memory.dmp
  Filesize: 520KB
- memory/524-59-0x0000000004581000-0x0000000004582000-memory.dmp
  Filesize: 4KB
- memory/524-60-0x00000000045C0000-0x0000000004632000-memory.dmp
  Filesize: 456KB
- memory/524-61-0x0000000004582000-0x0000000004583000-memory.dmp
  Filesize: 4KB
- memory/524-62-0x0000000004583000-0x0000000004584000-memory.dmp
  Filesize: 4KB
- memory/524-63-0x0000000004584000-0x0000000004585000-memory.dmp
  Filesize: 4KB
- memory/1100-65-0x00000000004A0000-0x00000000004D2000-memory.dmp
  Filesize: 200KB
- memory/1628-54-0x00000000751B1000-0x00000000751B3000-memory.dmp
  Filesize: 8KB