Analysis
- max time kernel: 175s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 08-02-2022 01:43
Static task: static1
Behavioral task: behavioral1
- Sample: New Order.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: New Order.exe
- Resource: win10v2004-en-20220113
General
- Target: New Order.exe
- Size: 699KB
- MD5: 973f5e36b9bda2af1fc4ac6681d6c352
- SHA1: 86de1a7dd22248e40e724acf6abe3aa78815e13c
- SHA256: 9a7ead1cdae41a3f396acb728cfd16e137e98070690f2ac90b5f1445474bec8c
- SHA512: 865f8ecc9b607a049c4e613bfff65906cab0a3d1425b92ef0931a33d89618c9cf9b5febca3e6229dc3b311d0bdc19b82bd8bcb8e9dc1c89fc3f881f1085333fe
Malware Config
Extracted
matiex
- Protocol: smtp
- Host: mail.cleo2solutions.com.au
- Port: 25
- Username: [email protected]
- Password: Enter@123
Signatures

Matiex Main Payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/3472-369-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: New Order.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | New Order.exe
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  75 | checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs
Processes: New Order.exe
  description | pid | process | target process
  PID 2480 set thread context of 3472 | 2480 | New Order.exe | RegSvcs.exe
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies data under HKEY_USERS 1 IoCs
Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, TiWorker.exe, RegSvcs.exe
  description | pid | process
  Token: SeShutdownPrivilege | 2524 | svchost.exe
  Token: SeCreatePagefilePrivilege | 2524 | svchost.exe
  (the two svchost.exe rows above appear three times in succession)
  Token: SeSecurityPrivilege | 2576 | TiWorker.exe
  Token: SeRestorePrivilege | 2576 | TiWorker.exe
  Token: SeBackupPrivilege | 2576 | TiWorker.exe
  Token: SeDebugPrivilege | 3472 | RegSvcs.exe
  Token: SeBackupPrivilege | 2576 | TiWorker.exe
  Token: SeRestorePrivilege | 2576 | TiWorker.exe
  Token: SeSecurityPrivilege | 2576 | TiWorker.exe
  (the three TiWorker.exe rows above repeat in that order for the remainder of the 64 IoCs)
Suspicious use of WriteProcessMemory 11 IoCs
Processes: New Order.exe
  description | pid | process | target process
  PID 2480 wrote to memory of 1160 | 2480 | New Order.exe | schtasks.exe
  PID 2480 wrote to memory of 1160 | 2480 | New Order.exe | schtasks.exe
  PID 2480 wrote to memory of 1160 | 2480 | New Order.exe | schtasks.exe
  PID 2480 wrote to memory of 3472 | 2480 | New Order.exe | RegSvcs.exe
  PID 2480 wrote to memory of 3472 | 2480 | New Order.exe | RegSvcs.exe
  PID 2480 wrote to memory of 3472 | 2480 | New Order.exe | RegSvcs.exe
  PID 2480 wrote to memory of 3472 | 2480 | New Order.exe | RegSvcs.exe
  PID 2480 wrote to memory of 3472 | 2480 | New Order.exe | RegSvcs.exe
  PID 2480 wrote to memory of 3472 | 2480 | New Order.exe | RegSvcs.exe
  PID 2480 wrote to memory of 3472 | 2480 | New Order.exe | RegSvcs.exe
  PID 2480 wrote to memory of 3472 | 2480 | New Order.exe | RegSvcs.exe

outlook_office_path 1 IoCs
Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path 1 IoCs
Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\New Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child process)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\StwggOx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD90.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child process)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD90.tmp
  MD5: af3bbe15beeb5b924e4f571bd470604f
  SHA1: 4a0731b8d3b81fa005b6fb11cd779d99f818c4cb
  SHA256: 9f9ed71ee4ac1984c8462673dbcc64611e4e7dcf75bd0eb26042dfd8b54e963d
  SHA512: 770f6825e3952e09ec69af0c576e3ed4c4dd5da9cc84e1f55eaf0530bd4deb1fc53b332ac7946d4774a8ebce22f56200e7c98b3fc4e292c5fa736cf4ded35baa
- memory/2480-367-0x0000000009140000-0x00000000091DC000-memory.dmp
  Filesize: 624KB
- memory/2480-135-0x0000000005CF0000-0x0000000006294000-memory.dmp
  Filesize: 5.6MB
- memory/2480-136-0x00000000057E0000-0x0000000005872000-memory.dmp
  Filesize: 584KB
- memory/2480-137-0x0000000005770000-0x000000000577A000-memory.dmp
  Filesize: 40KB
- memory/2480-138-0x0000000005740000-0x0000000005CE4000-memory.dmp
  Filesize: 5.6MB
- memory/2480-134-0x0000000074540000-0x0000000074CF0000-memory.dmp
  Filesize: 7.7MB
- memory/2480-133-0x0000000000D00000-0x0000000000DB4000-memory.dmp
  Filesize: 720KB
- memory/2524-366-0x0000020ED9F90000-0x0000020ED9F94000-memory.dmp
  Filesize: 16KB
- memory/3472-369-0x0000000000400000-0x0000000000472000-memory.dmp
  Filesize: 456KB
- memory/3472-370-0x00000000745E0000-0x0000000074D90000-memory.dmp
  Filesize: 7.7MB
- memory/3472-371-0x0000000005820000-0x0000000005886000-memory.dmp
  Filesize: 408KB
- memory/3472-372-0x00000000057B0000-0x0000000005D54000-memory.dmp
  Filesize: 5.6MB
- memory/3736-140-0x0000011CE53A0000-0x0000011CE53B0000-memory.dmp
  Filesize: 64KB
- memory/3736-139-0x0000011CE5340000-0x0000011CE5350000-memory.dmp
  Filesize: 64KB