Analysis
-
max time kernel
122s -
max time network
129s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
27-01-2022 13:00
Static task
static1
Behavioral task
behavioral1
Sample
467890987654323456789098765432345678.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
467890987654323456789098765432345678.exe
Resource
win10-en-20211208
General
-
Target
467890987654323456789098765432345678.exe
-
Size
299KB
-
MD5
e04c69c79193ccaac508fe7279a1804f
-
SHA1
75930a5d0e35815f213475e7af644f19f4ed14bf
-
SHA256
56f473eb624769a6eb77762eba09ecfbb6e25f513e4280207de5ae06663e5452
-
SHA512
fcf2671f30495f16fe2a8399f2536bb2e193ea774aa5e0f6f30f861eb0f145a43217522ddfb8af401cb41d92f5043cf8b9f6580aaff80006525b6cd5810674c9
Malware Config
Extracted
Protocol: smtp- Host:
serv3.devmexico.com - Port:
587 - Username:
[email protected] - Password:
3}l^pI#_4K_!
Signatures
-
Matiex Main Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2780-116-0x0000000000400000-0x0000000000482000-memory.dmp family_matiex behavioral2/memory/2780-117-0x0000000000400000-0x0000000000482000-memory.dmp family_matiex behavioral2/memory/2780-118-0x0000000004860000-0x00000000048D2000-memory.dmp family_matiex -
Loads dropped DLL 1 IoCs
Processes:
467890987654323456789098765432345678.exepid process 2764 467890987654323456789098765432345678.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
467890987654323456789098765432345678.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 467890987654323456789098765432345678.exe Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 467890987654323456789098765432345678.exe Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 467890987654323456789098765432345678.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 23 freegeoip.app 24 freegeoip.app 12 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
467890987654323456789098765432345678.exedescription pid process target process PID 2764 set thread context of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
467890987654323456789098765432345678.exepid process 2780 467890987654323456789098765432345678.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
467890987654323456789098765432345678.exedescription pid process Token: SeDebugPrivilege 2780 467890987654323456789098765432345678.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
467890987654323456789098765432345678.exedescription pid process target process PID 2764 wrote to memory of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe PID 2764 wrote to memory of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe PID 2764 wrote to memory of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe PID 2764 wrote to memory of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe PID 2764 wrote to memory of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe PID 2764 wrote to memory of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe PID 2764 wrote to memory of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe PID 2764 wrote to memory of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe PID 2764 wrote to memory of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe PID 2764 wrote to memory of 2780 2764 467890987654323456789098765432345678.exe 467890987654323456789098765432345678.exe -
outlook_office_path 1 IoCs
Processes:
467890987654323456789098765432345678.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 467890987654323456789098765432345678.exe -
outlook_win_path 1 IoCs
Processes:
467890987654323456789098765432345678.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 467890987654323456789098765432345678.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2780
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nspA904.tmp\gememaop.dllMD5
cea2c1f8c33480b4194e50513bda2117
SHA1edad90b4aaff17a6cad7577a64d607750635275e
SHA256dcc77f4cf402ac1bb45d437ea154dec3a509bba62cc9c23833d262d3152a5e06
SHA51237c49bed21825573f5f88433d7b844ce4c10c31c0fc15cd690f1b4eeeecf3c4192b1639f3974e22da799f275a0af457f817300c4be3f52f102105a2ddf571e85
-
memory/2780-116-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2780-117-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2780-118-0x0000000004860000-0x00000000048D2000-memory.dmpFilesize
456KB
-
memory/2780-119-0x00000000049C0000-0x0000000004A5C000-memory.dmpFilesize
624KB
-
memory/2780-120-0x0000000004A60000-0x0000000004F5E000-memory.dmpFilesize
5.0MB
-
memory/2780-121-0x0000000004F70000-0x0000000004FD6000-memory.dmpFilesize
408KB
-
memory/2780-122-0x00000000023B0000-0x00000000023B1000-memory.dmpFilesize
4KB
-
memory/2780-123-0x00000000023B2000-0x00000000023B3000-memory.dmpFilesize
4KB
-
memory/2780-124-0x00000000023B3000-0x00000000023B4000-memory.dmpFilesize
4KB
-
memory/2780-125-0x0000000002360000-0x00000000023B5000-memory.dmpFilesize
340KB
-
memory/2780-126-0x0000000005DB0000-0x0000000005F72000-memory.dmpFilesize
1.8MB
-
memory/2780-127-0x0000000006000000-0x0000000006092000-memory.dmpFilesize
584KB
-
memory/2780-128-0x00000000060D0000-0x00000000060DA000-memory.dmpFilesize
40KB