Analysis
- max time kernel: 101s
- max time network: 107s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 06-02-2022 15:25

Static task: static1
Behavioral task: behavioral1
Sample: MUYR09080.exe
Resource: win7-en-20211208
General
- Target: MUYR09080.exe
- Size: 851KB
- MD5: 4138495cd942b253246d9bd965760aea
- SHA1: fb80d388264dd3bd07b9a815958970f495e01021
- SHA256: 446a9c4fe226595e6a506d2a27c4b433b5651f9f8110ab289371f080a596a779
- SHA512: a6c6fe65f34d53d0d8308baeb0ba022512ef9a6ac52e4f56b44eebd11833e37889f694353b0170b5a44df3391e59d23fe59782e97430d639c6bab9462f84165a
Malware Config
Extracted
- Family: matiex
- C2: https://api.telegram.org/bot1395392888:AAFrJovDdZICOFB0gX0eGWrAUzEKCRpv8xo/sendMessage?chat_id=1300181783
Signatures
- Matiex Main Payload (2 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/1516-59-0x0000000000400000-0x0000000000484000-memory.dmp / family_matiex
  behavioral1/memory/1516-61-0x0000000001F70000-0x0000000001FE6000-memory.dmp / family_matiex
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  1136 / MUYR09080.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  3 / checkip.dyndns.org
  7 / freegeoip.app
  8 / freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 1136 set thread context of 1516 / 1136 / MUYR09080.exe / MUYR09080.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  1516 / MUYR09080.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
  1136 / MUYR09080.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 1516 / MUYR09080.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description / pid / process / target process), 5 identical events:
  PID 1136 wrote to memory of 1516 / 1136 / MUYR09080.exe / MUYR09080.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe (command line: "C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe"), PID 1136
  Loads dropped DLL
  Suspicious use of SetThreadContext
  Suspicious behavior: MapViewOfSection
  Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe (command line: "C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe"), PID 1516, child of PID 1136
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsqC513.tmp\iga871x4ew8c.dll
  MD5: 7198b469fed0af13eabf0cd4031981d5
  SHA1: b1bde0b35d8d0cfad7134e057124c3c607f8c80e
  SHA256: b475fabe27e8006a3e4eb34ed5e4a49e2ef69b494c6b96e0abd8dddad3711858
  SHA512: 72c9fbd68463b1b6fe28503088bf8fca086cd4e9323c1d7df09ef45a37ccf34f79bc80eb97d1ebe7adcb4758b824b38e844f02d7198618059182ab3fb16e1fc7
- memory/1136-55-0x00000000763B1000-0x00000000763B3000-memory.dmp (Filesize 8KB)
- memory/1136-57-0x0000000000810000-0x0000000000815000-memory.dmp (Filesize 20KB)
- memory/1516-59-0x0000000000400000-0x0000000000484000-memory.dmp (Filesize 528KB)
- memory/1516-60-0x0000000004751000-0x0000000004752000-memory.dmp (Filesize 4KB)
- memory/1516-61-0x0000000001F70000-0x0000000001FE6000-memory.dmp (Filesize 472KB)
- memory/1516-62-0x0000000004752000-0x0000000004753000-memory.dmp (Filesize 4KB)
- memory/1516-64-0x0000000004754000-0x0000000004755000-memory.dmp (Filesize 4KB)
- memory/1516-63-0x0000000004753000-0x0000000004754000-memory.dmp (Filesize 4KB)