Analysis
- max time kernel: 120s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 09-02-2022 14:32

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample LlW4ErKRQ3PVoGb.exe, resource win7-en-20211208)
- Behavioral task: behavioral2 (sample LlW4ErKRQ3PVoGb.exe, resource win10v2004-en-20220113)
General
- Target: LlW4ErKRQ3PVoGb.exe
- Size: 1.1MB
- MD5: 5e53df92e2abdbc2305049f51140fec6
- SHA1: c9a1d423fed180ec73be60ec740bfc0ae9120f82
- SHA256: d3dd7dee8c874b7d1d1d6b5e499dedd7b049d82676213c0a317078a900a78451
- SHA512: 2f038af89c1fc8747e27f5a6675584954e975bf69917ac50526c06eff007c01b404538df3f9f217d1ab8c1d46c6d25b28360d069025d9cee419e931e75601aaf
Malware Config
- Extracted configuration (family: matiex)
- https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933
Signatures

Matiex Main Payload (1 IoC)
- YARA rule family_matiex matched resource behavioral2/memory/4124-142-0x0000000000400000-0x0000000000476000-memory.dmp

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- LlW4ErKRQ3PVoGb.exe queried key value \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Keys opened by LlW4ErKRQ3PVoGb.exe:
- \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 56: checkip.dyndns.org
- flow 58: freegeoip.app
- flow 59: freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
- PID 1344 (LlW4ErKRQ3PVoGb.exe) set thread context of PID 4124 (LlW4ErKRQ3PVoGb.exe)

Drops file in Windows directory (8 IoCs)
Files opened for modification:
- C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- C:\Windows\WindowsUpdate.log (svchost.exe)
- C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 4256 powershell.exe (2 entries)
- PID 4124 LlW4ErKRQ3PVoGb.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 632 svchost.exe: SeShutdownPrivilege and SeCreatePagefilePrivilege, each enabled 3 times
- PID 2284 TiWorker.exe: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, enabled repeatedly in that cycle for the remaining entries

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4124 LlW4ErKRQ3PVoGb.exe

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 1344 (LlW4ErKRQ3PVoGb.exe) wrote to memory of PID 4256 (powershell.exe), 3 entries
- PID 1344 (LlW4ErKRQ3PVoGb.exe) wrote to memory of PID 3504 (schtasks.exe), 3 entries
- PID 1344 (LlW4ErKRQ3PVoGb.exe) wrote to memory of PID 4124 (LlW4ErKRQ3PVoGb.exe), 8 entries
- PID 4124 (LlW4ErKRQ3PVoGb.exe) wrote to memory of PID 1996 (netsh.exe), 3 entries

outlook_office_path (1 IoC)
- LlW4ErKRQ3PVoGb.exe opened key \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
- LlW4ErKRQ3PVoGb.exe opened key \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

- C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe (PID 1344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4256)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OTCGvolJkVNKsE.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe (PID 3504)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OTCGvolJkVNKsE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp621E.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe (PID 4124)
    Command line: "C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe"
    Signatures: Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe (PID 1996)
      Command line: "netsh" wlan show profile

- C:\Windows\system32\svchost.exe (PID 632)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 2284)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp621E.tmp
- MD5: f9b13ac7710fe7ec55af5b49742dd2e2
- SHA1: f4d6fd880af643391d98a32a4f31d4d11c72070e
- SHA256: 3b5fef01461789ed5b3307771b6f2db4c28d4ce882ad560229fb037a3ba8ee7f
- SHA512: 9fa7044d5d0f402ea7dc4eb95275f40848c6144acf59f974556e77251405e48c783669524fecff0d06f6d6a2d8653d1bd4c9ba2105236ad0e084d13f0a964b26

Memory dumps (file, filesize)
- memory/632-136-0x000001AF559A0000-0x000001AF559B0000-memory.dmp: 64KB
- memory/632-137-0x000001AF56020000-0x000001AF56030000-memory.dmp: 64KB
- memory/632-138-0x000001AF58720000-0x000001AF58724000-memory.dmp: 16KB
- memory/1344-131-0x0000000000D10000-0x0000000000E30000-memory.dmp: 1.1MB
- memory/1344-132-0x0000000005DC0000-0x0000000006364000-memory.dmp: 5.6MB
- memory/1344-133-0x0000000005810000-0x00000000058A2000-memory.dmp: 584KB
- memory/1344-134-0x0000000005750000-0x0000000005751000-memory.dmp: 4KB
- memory/1344-135-0x00000000057D0000-0x00000000057DA000-memory.dmp: 40KB
- memory/1344-139-0x0000000007BF0000-0x0000000007C8C000-memory.dmp: 624KB
- memory/1344-130-0x000000007465E000-0x000000007465F000-memory.dmp: 4KB
- memory/4124-148-0x000000007465E000-0x000000007465F000-memory.dmp: 4KB
- memory/4124-147-0x0000000004F70000-0x0000000004FD6000-memory.dmp: 408KB
- memory/4124-142-0x0000000000400000-0x0000000000476000-memory.dmp: 472KB
- memory/4124-154-0x0000000006C60000-0x0000000006E22000-memory.dmp: 1.8MB
- memory/4124-151-0x0000000005130000-0x0000000005131000-memory.dmp: 4KB
- memory/4256-140-0x0000000005180000-0x00000000051B6000-memory.dmp: 216KB
- memory/4256-155-0x0000000006D20000-0x0000000006D52000-memory.dmp: 200KB
- memory/4256-143-0x00000000058D0000-0x0000000005EF8000-memory.dmp: 6.2MB
- memory/4256-149-0x0000000005890000-0x00000000058B2000-memory.dmp: 136KB
- memory/4256-150-0x00000000060A0000-0x0000000006106000-memory.dmp: 408KB
- memory/4256-144-0x000000007465E000-0x000000007465F000-memory.dmp: 4KB
- memory/4256-152-0x0000000006760000-0x000000000677E000-memory.dmp: 120KB
- memory/4256-153-0x0000000005295000-0x0000000005297000-memory.dmp: 8KB
- memory/4256-145-0x0000000005290000-0x0000000005291000-memory.dmp: 4KB
- memory/4256-146-0x0000000005292000-0x0000000005293000-memory.dmp: 4KB
- memory/4256-156-0x000000006FEC0000-0x000000006FF0C000-memory.dmp: 304KB
- memory/4256-157-0x0000000006CF0000-0x0000000006D0E000-memory.dmp: 120KB
- memory/4256-158-0x000000007F580000-0x000000007F581000-memory.dmp: 4KB
- memory/4256-159-0x00000000080C0000-0x000000000873A000-memory.dmp: 6.5MB
- memory/4256-160-0x0000000007A70000-0x0000000007A8A000-memory.dmp: 104KB
- memory/4256-161-0x0000000007AE0000-0x0000000007AEA000-memory.dmp: 40KB
- memory/4256-162-0x0000000007CF0000-0x0000000007D86000-memory.dmp: 600KB
- memory/4256-163-0x0000000007CA0000-0x0000000007CAE000-memory.dmp: 56KB
- memory/4256-164-0x0000000007DB0000-0x0000000007DCA000-memory.dmp: 104KB
- memory/4256-165-0x0000000007D90000-0x0000000007D98000-memory.dmp: 32KB