Overview

overview

10

Static

static

New Order.exe

windows7_x64

1

New Order.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    175s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    08-02-2022 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order.exe

  • Size

    699KB

  • MD5

    973f5e36b9bda2af1fc4ac6681d6c352

  • SHA1

    86de1a7dd22248e40e724acf6abe3aa78815e13c

  • SHA256

    9a7ead1cdae41a3f396acb728cfd16e137e98070690f2ac90b5f1445474bec8c

  • SHA512

    865f8ecc9b607a049c4e613bfff65906cab0a3d1425b92ef0931a33d89618c9cf9b5febca3e6229dc3b311d0bdc19b82bd8bcb8e9dc1c89fc3f881f1085333fe

Score
10/10
matiexcollectionkeyloggerstealer

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    mail.cleo2solutions.com.au
  • Port:
    25
  • Username:
    [email protected]
  • Password:
    Enter@123

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\StwggOx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD90.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1160
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3472
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:3736
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2524
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD90.tmp
    MD5

    af3bbe15beeb5b924e4f571bd470604f

    SHA1

    4a0731b8d3b81fa005b6fb11cd779d99f818c4cb

    SHA256

    9f9ed71ee4ac1984c8462673dbcc64611e4e7dcf75bd0eb26042dfd8b54e963d

    SHA512

    770f6825e3952e09ec69af0c576e3ed4c4dd5da9cc84e1f55eaf0530bd4deb1fc53b332ac7946d4774a8ebce22f56200e7c98b3fc4e292c5fa736cf4ded35baa

    Download Submit
  • memory/2480-367-0x0000000009140000-0x00000000091DC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2480-135-0x0000000005CF0000-0x0000000006294000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2480-136-0x00000000057E0000-0x0000000005872000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2480-137-0x0000000005770000-0x000000000577A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2480-138-0x0000000005740000-0x0000000005CE4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2480-134-0x0000000074540000-0x0000000074CF0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2480-133-0x0000000000D00000-0x0000000000DB4000-memory.dmp
    Filesize

    720KB

    Download
  • memory/2524-366-0x0000020ED9F90000-0x0000020ED9F94000-memory.dmp
    Filesize

    16KB

    Download
  • memory/3472-369-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize

    456KB

    Download
  • memory/3472-370-0x00000000745E0000-0x0000000074D90000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3472-371-0x0000000005820000-0x0000000005886000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3472-372-0x00000000057B0000-0x0000000005D54000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3736-140-0x0000011CE53A0000-0x0000011CE53B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3736-139-0x0000011CE5340000-0x0000011CE5350000-memory.dmp
    Filesize

    64KB

    Download