Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211208
submitted: 09-02-2022 14:32

Static task: static1
Behavioral task: behavioral1
  Sample: LlW4ErKRQ3PVoGb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: LlW4ErKRQ3PVoGb.exe
  Resource: win10v2004-en-20220113
General
Target: LlW4ErKRQ3PVoGb.exe
Size: 1.1MB
MD5: 5e53df92e2abdbc2305049f51140fec6
SHA1: c9a1d423fed180ec73be60ec740bfc0ae9120f82
SHA256: d3dd7dee8c874b7d1d1d6b5e499dedd7b049d82676213c0a317078a900a78451
SHA512: 2f038af89c1fc8747e27f5a6675584954e975bf69917ac50526c06eff007c01b404538df3f9f217d1ab8c1d46c6d25b28360d069025d9cee419e931e75601aaf
Malware Config
Extracted
Family: matiex
C2: https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933
The extracted endpoint is the Telegram Bot API sendMessage method. The path segment after "bot" is the bot token (the operator's credential for that bot: numeric bot id, colon, 35-character secret) and chat_id is the chat the stolen data is posted to. Because the traffic goes to api.telegram.org over HTTPS, the hostname alone is a weak indicator; the bot id and chat_id are the values worth blocking and hunting on.
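As an added example (not part of the Triage report or the Matiex sample), the following Python splits the extracted Telegram endpoint into bot id, token and chat_id, redacts the secret for reporting, and runs a check over constructed proxy-log lines that pairs a Telegram Bot API call with a preceding external-IP lookup from the same host, the sequence seen in this report's network IoCs. The proxy log format, its field order and the sample lines are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Shape of a Telegram Bot API call: https://api.telegram.org/bot<bot_id>:<secret>/<method>
# The <bot_id>:<secret> pair is the bot token, i.e. the operator's credential.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

# Services this sample contacted before exfiltrating (from the report's network IoCs).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}


def parse_telegram_c2(url: str) -> Optional[dict]:
    """Split a Telegram Bot API URL into bot id, token, method and chat_id."""
    m = BOT_API_RE.match(url)
    if not m:
        return None
    query = parse_qs(urlsplit(url).query)
    return {
        "bot_id": m["bot_id"],
        "bot_token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


def redact_token(token: str) -> str:
    """Keep the numeric bot id (useful for correlation) and hide most of the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


# Constructed proxy log lines for this example (hypothetical format:
# time src method url status ua=...). The C2 URL is the one the report extracted.
SAMPLE_PROXY_LOG = """\
2022-02-09T14:33:01Z 10.0.0.15 GET http://checkip.dyndns.org/ 200 ua=-
2022-02-09T14:33:02Z 10.0.0.15 GET https://freegeoip.app/xml/ 200 ua=-
2022-02-09T14:33:05Z 10.0.0.15 POST https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933 200 ua=-
2022-02-09T14:40:00Z 10.0.0.22 GET https://web.telegram.org/ 200 ua=Mozilla/5.0
"""


def scan_proxy_log(lines):
    """Flag Bot API calls and note whether the same host did an external-IP lookup first."""
    saw_ip_lookup = set()
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        if host in IP_LOOKUP_HOSTS:
            saw_ip_lookup.add(src)
            continue
        c2 = parse_telegram_c2(url)
        if c2 is None:
            continue
        findings.append({
            "time": ts,
            "src": src,
            "method": c2["method"],
            "bot_token": redact_token(c2["bot_token"]),
            "chat_id": c2["chat_id"],
            "preceded_by_ip_lookup": src in saw_ip_lookup,
        })
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f)
```

The lookup-then-exfil pairing is what separates a stealer beacon from a user's legitimate Telegram traffic (web.telegram.org in the last line is not matched). Keep the full token in the case file rather than the ticket; it is a live credential to the attacker's bot.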
Signatures

Matiex Main Payload (4 IoCs)
resource: behavioral1/memory/1532-64-0x0000000000400000-0x0000000000476000-memory.dmp  yara_rule: family_matiex
resource: behavioral1/memory/1532-65-0x0000000000400000-0x0000000000476000-memory.dmp  yara_rule: family_matiex
resource: behavioral1/memory/1532-66-0x0000000000400000-0x0000000000476000-memory.dmp  yara_rule: family_matiex
resource: behavioral1/memory/1532-67-0x0000000000400000-0x0000000000476000-memory.dmp  yara_rule: family_matiex
All four hits are the same 472KB region at the image base (0x400000) of the second instance, PID 1532, not the original process PID 1268: the loader unpacks Matiex into a child copy of itself, so the payload only exists in memory.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (LlW4ErKRQ3PVoGb.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (LlW4ErKRQ3PVoGb.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (LlW4ErKRQ3PVoGb.exe)
9375CFF0413111d3B88A00104B2A6676 is the fixed subkey under each Outlook/MAPI profile that holds per-account settings (server, user name and, for older account types, an obfuscated password), which is why credential stealers open it. The sample tries the Office 15.0 (2013) and 16.0 (2016 and later) locations as well as the legacy Windows Messaging Subsystem path.
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 4: checkip.dyndns.org
flow 8: freegeoip.app
flow 9: freegeoip.app
Suspicious use of SetThreadContext (1 IoCs)
PID 1268 (LlW4ErKRQ3PVoGb.exe) set thread context of PID 1532 (LlW4ErKRQ3PVoGb.exe)
The parent launched a second copy of its own image, wrote into it (see WriteProcessMemory below, nine writes to PID 1532) and then reset the child's thread context to start the injected code: the process-hollowing pattern. This is why every family_matiex YARA hit is in PID 1532 while PID 1268 is only the loader.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report supports that (no mass file writes, no ransom note); for a stealer such as Matiex, drive enumeration is routine host profiling and file collection.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\OTCGvolJkVNKsE" is registered from an XML definition dropped in %TEMP% (tmp4634.tmp, hashed under Downloads below), and the same name is used for the Defender exclusion path under %APPDATA%.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 1960: powershell.exe
pid 1532: LlW4ErKRQ3PVoGb.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege  pid 1960  powershell.exe
Token: SeDebugPrivilege  pid 1532  LlW4ErKRQ3PVoGb.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid 1532: LlW4ErKRQ3PVoGb.exe
A Windows hook installed by the hollowed payload process; Matiex is a keylogger as well as a stealer, so this is most likely the keyboard hook (the hook type is not recorded here).

Suspicious use of WriteProcessMemory (21 IoCs)
PID 1268 (LlW4ErKRQ3PVoGb.exe) wrote to memory of PID 1960 (powershell.exe): 4 events
PID 1268 (LlW4ErKRQ3PVoGb.exe) wrote to memory of PID 968 (schtasks.exe): 4 events
PID 1268 (LlW4ErKRQ3PVoGb.exe) wrote to memory of PID 1532 (LlW4ErKRQ3PVoGb.exe): 9 events
PID 1532 (LlW4ErKRQ3PVoGb.exe) wrote to memory of PID 1076 (netsh.exe): 4 events
The four writes each into powershell.exe, schtasks.exe and netsh.exe are the normal CreateProcess bookkeeping of a parent; the nine writes into the child copy of the sample are the payload being placed before SetThreadContext.
outlook_office_path (1 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (LlW4ErKRQ3PVoGb.exe)

outlook_win_path (1 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (LlW4ErKRQ3PVoGb.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe  (PID 1268, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1960, depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OTCGvolJkVNKsE.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 968, depth 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OTCGvolJkVNKsE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4634.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe  (PID 1532, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\SysWOW64\netsh.exe  (PID 1076, depth 3)
      command line: "netsh" wlan show profile

Reading the tree: the loader (PID 1268) first adds a Defender exclusion for %APPDATA%\OTCGvolJkVNKsE.exe, registers a scheduled task of the same name from an XML in %TEMP%, and then spawns and hollows a copy of itself (PID 1532), which does the credential collection and runs netsh to list saved Wi-Fi profiles. The command lines name System32 while the image paths are under SysWOW64: the sample is a 32-bit process, so WoW64 file system redirection resolves its System32 references to the 32-bit copies.
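An added detection example, not from the report or the sandbox: it expresses the process chain above as rules over constructed Sysmon-style process-creation events (the field names, the benign contrast events and the parent PID of the loader are assumptions), walks each hit up to the first ancestor that lives in a user-writable path, and reports roots that trip several distinct rules.

```python
import json
import re

# Constructed Sysmon-style (Event ID 1) process-creation records mirroring the
# report's process tree, plus two benign admin events for contrast. Field names
# are hypothetical; map them to your own log schema.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"pid": 1268, "ppid": 600,
     "image": r"C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe"'},
    {"pid": 1960, "ppid": 1268,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OTCGvolJkVNKsE.exe"'},
    {"pid": 968, "ppid": 1268,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OTCGvolJkVNKsE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4634.tmp"'},
    {"pid": 1532, "ppid": 1268,
     "image": r"C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe"'},
    {"pid": 1076, "ppid": 1532,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe",
     "cmdline": r'"netsh" wlan show profile'},
    # Benign (constructed): an administrator querying tasks and Defender settings
    # from a console that explorer launched.
    {"pid": 2200, "ppid": 1400,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /Query /TN "Updates\OTCGvolJkVNKsE"'},
    {"pid": 2210, "ppid": 1400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe Get-MpPreference"},
]]

# Locations a standard user can write to; binaries starting here deserve less trust.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\ProgramData\\", re.I)


def is_user_writable(path):
    return bool(USER_WRITABLE.search(path))


def match_rules(ev):
    """Return the names of the rules a single process-creation event trips."""
    img, cmd, parent = ev["image"].lower(), ev["cmdline"], ev["parent_image"]
    hits = []
    if (img.endswith("\\powershell.exe")
            and re.search(r"add-mppreference\s+-exclusionpath", cmd, re.I)
            and is_user_writable(parent)):
        hits.append("defender_exclusion_from_user_writable_parent")
    if (img.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I)
            and re.search(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', cmd, re.I)):
        hits.append("scheduled_task_from_temp_xml")
    if (img.endswith("\\netsh.exe")
            and re.search(r"wlan\s+show\s+profile", cmd, re.I)
            and is_user_writable(parent)):
        hits.append("wifi_profile_harvest")
    if img == parent.lower() and is_user_writable(parent):
        hits.append("self_spawn_from_user_writable_path")  # hollowing candidate
    return hits


def root_of(ev, by_pid):
    """Walk up the parent chain while the parent also lives in a user-writable path."""
    cur = ev
    while True:
        parent = by_pid.get(cur["ppid"])
        if parent is None or not is_user_writable(parent["image"]):
            return cur
        cur = parent


def scan_process_events(lines):
    """Map root pid -> ["<pid>:<rule>", ...] for every rule hit in its tree."""
    events = [json.loads(line) for line in lines]
    by_pid = {ev["pid"]: ev for ev in events}
    findings = {}
    for ev in events:
        for rule in match_rules(ev):
            root = root_of(ev, by_pid)
            findings.setdefault(root["pid"], []).append(f"{ev['pid']}:{rule}")
    return findings


def stealer_chains(findings, min_rules=3):
    """Root processes whose tree tripped at least min_rules distinct rules."""
    return [pid for pid, hits in findings.items()
            if len({h.split(":", 1)[1] for h in hits}) >= min_rules]


if __name__ == "__main__":
    found = scan_process_events(SAMPLE_EVENTS)
    print(found, stealer_chains(found))
```

Two caveats when porting this to real telemetry: the Add-MpPreference rule only sees a plain command line, so decode -EncodedCommand payloads before matching, and process-creation events cannot see the SetThreadContext/WriteProcessMemory pair itself; the self-spawn rule is a proxy for hollowing, and confirming it needs the sandbox's API trace or an EDR's cross-process events (Sysmon Event ID 8/10 style).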
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4634.tmp
MD5: 0d5bfe1ebaf671a7bc9d937aef81ce13
SHA1: 09fa4ceda30889b800e5e2d990d0911114c34615
SHA256: f0ac074ea175ec79c4ef2b69eb48a32b2a3ecfe1ed3faf2ae5dc86953f21a29f
SHA512: 41a719f6a0ca1a9710a652cdf5a7e2ab1398fd01b684555d5222b072928563161b160ee124660397074b017c93f0d097d2d2355d77a7e35960e2173af6141c08
(the scheduled-task XML that PID 1268 passed to schtasks.exe /XML)
memory/1268-58-0x0000000000770000-0x000000000077C000-memory.dmp  Filesize: 48KB
memory/1268-57-0x00000000008E0000-0x00000000008E1000-memory.dmp  Filesize: 4KB
memory/1268-59-0x0000000005710000-0x0000000005806000-memory.dmp  Filesize: 984KB
memory/1268-55-0x000000007469E000-0x000000007469F000-memory.dmp  Filesize: 4KB
memory/1268-56-0x0000000001030000-0x0000000001150000-memory.dmp  Filesize: 1.1MB
memory/1532-71-0x00000000733EE000-0x00000000733EF000-memory.dmp  Filesize: 4KB
memory/1532-62-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
memory/1532-63-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
memory/1532-64-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
memory/1532-65-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
memory/1532-66-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
memory/1532-67-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize: 472KB
memory/1532-74-0x0000000005800000-0x0000000005801000-memory.dmp  Filesize: 4KB
memory/1960-60-0x0000000075F81000-0x0000000075F83000-memory.dmp  Filesize: 8KB
memory/1960-72-0x0000000002831000-0x0000000002832000-memory.dmp  Filesize: 4KB
memory/1960-69-0x0000000002830000-0x0000000002831000-memory.dmp  Filesize: 4KB
memory/1960-70-0x000000006E912000-0x000000006E914000-memory.dmp  Filesize: 8KB
memory/1960-73-0x0000000002832000-0x0000000002834000-memory.dmp  Filesize: 8KB
memory/1960-68-0x000000006E911000-0x000000006E912000-memory.dmp  Filesize: 4KB
The six 472KB dumps of PID 1532 at 0x400000-0x476000 are successive snapshots of the hollowed image; dumps 64 through 67 are the ones the family_matiex rule matched, so any of them is the unpacked payload to take for static analysis. The 1.1MB region in PID 1268 at 0x1030000 matches the size of the submitted file and is the packed loader as loaded.