Analysis
-
max time kernel
122s -
max time network
129s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
27-01-2022 13:00
General
-
Target
467890987654323456789098765432345678.exe
-
Size
299KB
-
MD5
e04c69c79193ccaac508fe7279a1804f
-
SHA1
75930a5d0e35815f213475e7af644f19f4ed14bf
-
SHA256
56f473eb624769a6eb77762eba09ecfbb6e25f513e4280207de5ae06663e5452
-
SHA512
fcf2671f30495f16fe2a8399f2536bb2e193ea774aa5e0f6f30f861eb0f145a43217522ddfb8af401cb41d92f5043cf8b9f6580aaff80006525b6cd5810674c9
Malware Config
Extracted
Protocol: smtp- Host:
serv3.devmexico.com - Port:
587 - Username:
[email protected] - Password:
3}l^pI#_4K_!
Signatures
-
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
-
Matiex Main Payload 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nspA904.tmp\gememaop.dllMD5
cea2c1f8c33480b4194e50513bda2117
SHA1edad90b4aaff17a6cad7577a64d607750635275e
SHA256dcc77f4cf402ac1bb45d437ea154dec3a509bba62cc9c23833d262d3152a5e06
SHA51237c49bed21825573f5f88433d7b844ce4c10c31c0fc15cd690f1b4eeeecf3c4192b1639f3974e22da799f275a0af457f817300c4be3f52f102105a2ddf571e85
-
memory/2780-116-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2780-117-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2780-118-0x0000000004860000-0x00000000048D2000-memory.dmpFilesize
456KB
-
memory/2780-119-0x00000000049C0000-0x0000000004A5C000-memory.dmpFilesize
624KB
-
memory/2780-120-0x0000000004A60000-0x0000000004F5E000-memory.dmpFilesize
5.0MB
-
memory/2780-121-0x0000000004F70000-0x0000000004FD6000-memory.dmpFilesize
408KB
-
memory/2780-122-0x00000000023B0000-0x00000000023B1000-memory.dmpFilesize
4KB
-
memory/2780-123-0x00000000023B2000-0x00000000023B3000-memory.dmpFilesize
4KB
-
memory/2780-124-0x00000000023B3000-0x00000000023B4000-memory.dmpFilesize
4KB
-
memory/2780-125-0x0000000002360000-0x00000000023B5000-memory.dmpFilesize
340KB
-
memory/2780-126-0x0000000005DB0000-0x0000000005F72000-memory.dmpFilesize
1.8MB
-
memory/2780-127-0x0000000006000000-0x0000000006092000-memory.dmpFilesize
584KB
-
memory/2780-128-0x00000000060D0000-0x00000000060DA000-memory.dmpFilesize
40KB