Analysis
-
max time kernel
119s -
max time network
168s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
28-01-2022 20:47
Static task
static1
Behavioral task
behavioral1
Sample
40987654323456789098746789098765432345678.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
40987654323456789098746789098765432345678.exe
Resource
win10-en-20211208
General
-
Target
40987654323456789098746789098765432345678.exe
-
Size
464KB
-
MD5
b9a4dbf6bb05c4fe97ba541dcf555e70
-
SHA1
0de7dc340d03d0144aef6692762c482e731f1717
-
SHA256
69bae63d802887e2d994022011465c7f0bc42b1f0adefcee8dcbbfe243118b15
-
SHA512
d9682bf0d38feb0dacc75826928734bf7165e39e44d450392d50f6a6aedf5bf1adf13f9a8556007243299f0c6cae5646df8c6a2de6db5c1ebb759ec79c6b6cee
Malware Config
Signatures
-
Matiex Main Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1208-118-0x0000000000400000-0x0000000000482000-memory.dmp family_matiex behavioral2/memory/1208-119-0x0000000000400000-0x0000000000482000-memory.dmp family_matiex behavioral2/memory/1208-121-0x0000000004950000-0x00000000049C2000-memory.dmp family_matiex -
Loads dropped DLL 1 IoCs
Processes:
40987654323456789098746789098765432345678.exepid process 2828 40987654323456789098746789098765432345678.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
40987654323456789098746789098765432345678.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 40987654323456789098746789098765432345678.exe Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 40987654323456789098746789098765432345678.exe Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 40987654323456789098746789098765432345678.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
40987654323456789098746789098765432345678.exedescription pid process target process PID 2828 set thread context of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1628 1208 WerFault.exe 40987654323456789098746789098765432345678.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
WerFault.exepid process 1628 WerFault.exe 1628 WerFault.exe 1628 WerFault.exe 1628 WerFault.exe 1628 WerFault.exe 1628 WerFault.exe 1628 WerFault.exe 1628 WerFault.exe 1628 WerFault.exe 1628 WerFault.exe 1628 WerFault.exe 1628 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
40987654323456789098746789098765432345678.exeWerFault.exedescription pid process Token: SeDebugPrivilege 1208 40987654323456789098746789098765432345678.exe Token: SeRestorePrivilege 1628 WerFault.exe Token: SeBackupPrivilege 1628 WerFault.exe Token: SeDebugPrivilege 1628 WerFault.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
40987654323456789098746789098765432345678.exedescription pid process target process PID 2828 wrote to memory of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe PID 2828 wrote to memory of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe PID 2828 wrote to memory of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe PID 2828 wrote to memory of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe PID 2828 wrote to memory of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe PID 2828 wrote to memory of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe PID 2828 wrote to memory of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe PID 2828 wrote to memory of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe PID 2828 wrote to memory of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe PID 2828 wrote to memory of 1208 2828 40987654323456789098746789098765432345678.exe 40987654323456789098746789098765432345678.exe -
outlook_office_path 1 IoCs
Processes:
40987654323456789098746789098765432345678.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 40987654323456789098746789098765432345678.exe -
outlook_win_path 1 IoCs
Processes:
40987654323456789098746789098765432345678.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 40987654323456789098746789098765432345678.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\40987654323456789098746789098765432345678.exe"C:\Users\Admin\AppData\Local\Temp\40987654323456789098746789098765432345678.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\40987654323456789098746789098765432345678.exe"C:\Users\Admin\AppData\Local\Temp\40987654323456789098746789098765432345678.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1208 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 16003⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
b520b52bb5db616d8768ad5cdb83e86d
SHA1b7e44b9c5d77059d33a84378c7cdc4c47140d56e
SHA2566c0bc5ebbe6cda42b607e181d902c4b4ac74a72a4915971e72b4b4335fbd92a2
SHA512767efc549e3b48b850e6a82fb005a793d3d0f556b94e4d2b79ef7eda5ad4144245758c89f809914d264a99ad75137d14a0f43d3cb2a665d095dc83f026c9576c