Analysis
-
max time kernel
124s -
max time network
153s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
28-01-2022 20:48
Static task
static1
Behavioral task
behavioral1
Sample
FACTURA-9vUVHazo9RuSJpH.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
FACTURA-9vUVHazo9RuSJpH.exe
Resource
win10-en-20211208
General
-
Target
FACTURA-9vUVHazo9RuSJpH.exe
-
Size
1.1MB
-
MD5
92955191ebfb02ef2f3fe33dbd6094ca
-
SHA1
2fecac06772d210574f44bfef91aeae8f0860a31
-
SHA256
c744fe5aa2ab646ac1a0583348316b13bf7ad12435edeb658aa5e0f09e494b89
-
SHA512
77d0354e0ba06d826810e50bd78898da79efe102ece81eac3fdd46cd60c57f8c9192ea805f945c1d76181d524eb859409bcc82ea7143a5d4f8a210e737540b01
Malware Config
Extracted
Protocol: smtp- Host:
serv3.devmexico.com - Port:
587 - Username:
[email protected] - Password:
3}l^pI#_4K_!
Extracted
matiex
Protocol: smtp- Host:
serv3.devmexico.com - Port:
587 - Username:
[email protected] - Password:
3}l^pI#_4K_! - Email To:
[email protected]
Signatures
-
Matiex Main Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1420-126-0x0000000000400000-0x0000000000472000-memory.dmp family_matiex -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
FACTURA-9vUVHazo9RuSJpH.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FACTURA-9vUVHazo9RuSJpH.exe Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FACTURA-9vUVHazo9RuSJpH.exe Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FACTURA-9vUVHazo9RuSJpH.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 36 checkip.dyndns.org 38 freegeoip.app 39 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
FACTURA-9vUVHazo9RuSJpH.exedescription pid Process procid_target PID 1188 set thread context of 1420 1188 FACTURA-9vUVHazo9RuSJpH.exe 70 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
FACTURA-9vUVHazo9RuSJpH.exeFACTURA-9vUVHazo9RuSJpH.exepid Process 1188 FACTURA-9vUVHazo9RuSJpH.exe 1188 FACTURA-9vUVHazo9RuSJpH.exe 1420 FACTURA-9vUVHazo9RuSJpH.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
FACTURA-9vUVHazo9RuSJpH.exeFACTURA-9vUVHazo9RuSJpH.exedescription pid Process Token: SeDebugPrivilege 1188 FACTURA-9vUVHazo9RuSJpH.exe Token: SeDebugPrivilege 1420 FACTURA-9vUVHazo9RuSJpH.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
FACTURA-9vUVHazo9RuSJpH.exedescription pid Process procid_target PID 1188 wrote to memory of 1500 1188 FACTURA-9vUVHazo9RuSJpH.exe 69 PID 1188 wrote to memory of 1500 1188 FACTURA-9vUVHazo9RuSJpH.exe 69 PID 1188 wrote to memory of 1500 1188 FACTURA-9vUVHazo9RuSJpH.exe 69 PID 1188 wrote to memory of 1420 1188 FACTURA-9vUVHazo9RuSJpH.exe 70 PID 1188 wrote to memory of 1420 1188 FACTURA-9vUVHazo9RuSJpH.exe 70 PID 1188 wrote to memory of 1420 1188 FACTURA-9vUVHazo9RuSJpH.exe 70 PID 1188 wrote to memory of 1420 1188 FACTURA-9vUVHazo9RuSJpH.exe 70 PID 1188 wrote to memory of 1420 1188 FACTURA-9vUVHazo9RuSJpH.exe 70 PID 1188 wrote to memory of 1420 1188 FACTURA-9vUVHazo9RuSJpH.exe 70 PID 1188 wrote to memory of 1420 1188 FACTURA-9vUVHazo9RuSJpH.exe 70 PID 1188 wrote to memory of 1420 1188 FACTURA-9vUVHazo9RuSJpH.exe 70 -
outlook_office_path 1 IoCs
Processes:
FACTURA-9vUVHazo9RuSJpH.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FACTURA-9vUVHazo9RuSJpH.exe -
outlook_win_path 1 IoCs
Processes:
FACTURA-9vUVHazo9RuSJpH.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FACTURA-9vUVHazo9RuSJpH.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"2⤵PID:1500
-
-
C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"C:\Users\Admin\AppData\Local\Temp\FACTURA-9vUVHazo9RuSJpH.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1420
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
0c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078