Analysis
- max time kernel: 170s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 07-02-2022 23:48
Static task: static1
Behavioral task: behavioral1
- Sample: MOT-09800080000.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: MOT-09800080000.exe
- Resource: win10v2004-en-20220113
General
- Target: MOT-09800080000.exe
- Size: 525KB
- MD5: bda2eaf80ab5ed6fd1128d4ae02e2f1b
- SHA1: 12aa26befa0055398748ae12ae0d04f286c565cb
- SHA256: ffcf5fb0cd579ec9b9ce49e2b1eafc62f89fdcb5d418e338cd6dab310a241a2d
- SHA512: a34e9c827d29efe8dc44296ee3a1dbd2daa59594125372099d6f1219a455c6d5de934848ca098dee50d0f7dfe09ed1db0337b0f1d7063e94749b24dd4b616087
Malware Config
Extracted
- Family: matiex
- Protocol: smtp
- Host: srvc13.turhost.com
- Port: 587
- Username: [email protected]
- Password: italik2015
Signatures
- Matiex Main Payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/1736-133-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
- Loads dropped DLL (2 IoCs)
  pid | process
  1952 | MOT-09800080000.exe
  1952 | MOT-09800080000.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Roaming\\folder\\file.exe" | MOT-09800080000.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  34 | checkip.dyndns.org
  46 | freegeoip.app
  47 | freegeoip.app
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 1952 set thread context of 1736 | 1952 | MOT-09800080000.exe | MSBuild.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | process
  1952 | MOT-09800080000.exe (8 entries)
  1736 | MSBuild.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | process
  1952 | MOT-09800080000.exe
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1736 | MSBuild.exe
  Token: SeShutdownPrivilege | 2624 | svchost.exe (3 entries)
  Token: SeCreatePagefilePrivilege | 2624 | svchost.exe (3 entries)
  Token: SeSecurityPrivilege | 2052 | TiWorker.exe (11 entries)
  Token: SeRestorePrivilege | 2052 | TiWorker.exe (11 entries)
  Token: SeBackupPrivilege | 2052 | TiWorker.exe (11 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 1952 wrote to memory of 1736 | 1952 | MOT-09800080000.exe | MSBuild.exe (4 entries)
  PID 1736 wrote to memory of 3696 | 1736 | MSBuild.exe | netsh.exe (3 entries)
- outlook_office_path (1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
- outlook_win_path (1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - Child: C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nsu23CD.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- C:\Users\Admin\AppData\Local\Temp\oird.dll
  MD5: 422cbf45447722c4464030bc4b4b69d3
  SHA1: e49c2c126d1a1ff1c5a512f8419d763d6a19c8d1
  SHA256: 8b58260e509fe875f2efd4920b4ab64ded30f70804d12a073237f2d796448b7f
  SHA512: 0f7bf833cccca324be767c6eb972b1898dea5027ceb207b976d4c25198209f648c54bb140b7dfb47757256eb86076e07a78c39a86e73d25b4fa331ab90e65320
- memory/1736-136-0x0000000074B40000-0x00000000752F0000-memory.dmp (Filesize: 7.7MB)
- memory/1736-133-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1736-134-0x0000000005040000-0x00000000050DC000-memory.dmp (Filesize: 624KB)
- memory/1736-135-0x0000000005690000-0x0000000005C34000-memory.dmp (Filesize: 5.6MB)
- memory/1736-137-0x0000000005150000-0x00000000051B6000-memory.dmp (Filesize: 408KB)
- memory/1736-138-0x00000000050E0000-0x0000000005684000-memory.dmp (Filesize: 5.6MB)
- memory/1736-139-0x0000000006730000-0x00000000068F2000-memory.dmp (Filesize: 1.8MB)
- memory/1736-152-0x0000000006600000-0x0000000006692000-memory.dmp (Filesize: 584KB)
- memory/1736-154-0x00000000065D0000-0x00000000065DA000-memory.dmp (Filesize: 40KB)
- memory/1952-132-0x0000000010000000-0x0000000010012000-memory.dmp (Filesize: 72KB)
- memory/2624-153-0x000001CE3CF40000-0x000001CE3CF44000-memory.dmp (Filesize: 16KB)