Analysis

Max time kernel: 147s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 10-02-2022 05:44

Static task: static1

Behavioral task: behavioral1
  Sample: PRODUCT LIST AND REQUIREMENTS.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: PRODUCT LIST AND REQUIREMENTS.exe
  Resource: win10v2004-en-20220113

The signatures, process tree and memory dumps below are from behavioral2 (the Windows 10 2004 x64 run); the YARA match and all PIDs refer to that task.
General

Target: PRODUCT LIST AND REQUIREMENTS.exe
Size: 1.7MB
MD5: 3503052c21905540c370721cbd53bbea
SHA1: 029640cc20901a8d59e7d49e85bda356752b5d35
SHA256: b96850cee9d8aa809a8309e59494684dabb15283f681f6f3d45fd8d8b805e219
SHA512: efb959b99272233681dd32b6a1a21e4d6674a9442ac08f5c54d7bb1349f459f0aa98cd7c3e0a1c10a1b8a936a8dbdce0062dd857cc300f1db2746f44c0d61d85
Malware Config

Extracted (family: matiex)
  Protocol: smtp
  Host: aarescuenigeria.com
  Port: 587
  Username: [email protected]
  Password: master@123
  Email To: [email protected]

The extractor reported the same SMTP settings twice; the first copy lacked the family label and the Email To field, so both are folded into the single entry above. The two mailbox addresses appear redacted as "[email protected]" in this copy of the report. These are the operator's exfiltration credentials, embedded in the sample so the stealer can mail its captured data over authenticated SMTP on port 587; they are directly usable for blocking outbound mail to aarescuenigeria.com at the egress and for an abuse report to the mail host.
Signatures

Matiex Main Payload (1 IoC)
  Resource: behavioral2/memory/1268-133-0x0000000000400000-0x0000000000476000-memory.dmp
  YARA rule: family_matiex
  The match is on the 0x400000-0x476000 region of PID 1268 (aspnet_compiler.exe), i.e. on the image written into the hollowed .NET host, not on the dropper as it sits on disk. That dump (472KB, listed under Downloads) is the one to pull for analysis of the unpacked payload.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: aspnet_compiler.exe (PID 1268)
  Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  These are the profile stores in which Outlook 2013 (15.0), Outlook 2016 and later (16.0) and the older Windows Messaging Subsystem keep saved mail account settings. A process other than Outlook opening all three in turn is characteristic of a mail-credential stealer sweeping every Outlook generation it knows about.

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 19: checkip.dyndns.org
  Flow 21: freegeoip.app
  Flow 22: freegeoip.app
  Stealers use these services to tag the victim report with the external IP and, from freegeoip.app, a geolocation. Neither domain is malicious in itself, so it is a weak indicator on its own and a strong one in combination with the hollowing below.

Suspicious use of SetThreadContext (1 IoC)
  PID 536 (PRODUCT LIST AND REQUIREMENTS.exe) set thread context of PID 1268 (aspnet_compiler.exe)
  Together with the eight WriteProcessMemory calls from 536 into 1268 (below), the fact that 1268 is a child of 536 started with no arguments, and the Matiex YARA hit on 1268's 0x400000 region, this is the process-hollowing pattern: the dropper launches a legitimate, signed .NET Framework binary, overwrites its image with the payload, points the primary thread at the new entry point with SetThreadContext and lets it run.

Drops file in Windows directory (8 IoCs)
  TiWorker.exe (PID 504):
    File opened for modification: C:\Windows\WinSxS\pending.xml
    File opened for modification: C:\Windows\Logs\CBS\CBS.log
  svchost.exe (PID 4748):
    File opened for modification: C:\Windows\WindowsUpdate.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
  Both processes are Windows Update and component servicing (svchost -k netsvcs -s wuauserv and TiWorker -Embedding). They are separate roots in the process tree, not descendants of the sample, so these eight IoCs are sandbox background noise rather than behaviour of the sample.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1268 aspnet_compiler.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1268 aspnet_compiler.exe
  Repeated GetForegroundWindow polling is how a keylogger labels captured keystrokes with the title of the active window.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  SeDebugPrivilege: PID 536 PRODUCT LIST AND REQUIREMENTS.exe
  SeDebugPrivilege: PID 1268 aspnet_compiler.exe
  SeShutdownPrivilege, SeCreatePagefilePrivilege: PID 4748 svchost.exe (3 entries each)
  SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege: PID 504 TiWorker.exe (56 entries in total)
  Only the two SeDebugPrivilege entries belong to the sample (the dropper and the hollowed host each enable it); the rest are the servicing processes doing their normal work.

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1268 aspnet_compiler.exe
  A Windows hook installed from the hollowed process is consistent with keystroke capture, which is Matiex's core function.

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 536 wrote to memory of PID 1268 (PRODUCT LIST AND REQUIREMENTS.exe -> aspnet_compiler.exe), 8 times
  PID 1268 wrote to memory of PID 3512 (aspnet_compiler.exe -> netsh.exe), 3 times
  The eight writes into 1268 are the payload being mapped into the hollowed host; the three writes into 3512 coincide with 1268 launching netsh.exe as its child (see Processes).

outlook_office_path (1 IoC)
  aspnet_compiler.exe: Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
  aspnet_compiler.exe: Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
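The signatures above only become a confident verdict when they are correlated: a parent that both writes into a child it spawned and resets that child's thread context, where the child is an argument-less .NET Framework binary, and then that child enumerating Wi-Fi profiles, opening Outlook profile keys and querying IP-lookup services. The script below is an added example, not part of the sandbox report, that encodes those correlations as hunting rules and runs them over constructed event records. The event format (plain dicts), the rule names and the HOLLOW_HOSTS and IP_LOOKUP_HOSTS sets are assumptions; the PIDs, image paths, command lines, registry key and domains are taken from this report. Attributing the DNS lookups to PID 1268 is also an assumption, since the report lists only flow numbers.

```python
"""Hunting rules for the hollowing-stealer chain in this report (added example)."""
from collections import defaultdict

SID = r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"

# Constructed events modelled on the report's process tree and signatures.
EVENTS = [
    {"type": "process_create", "pid": 536, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST AND REQUIREMENTS.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST AND REQUIREMENTS.exe"'},
    {"type": "process_create", "pid": 1268, "ppid": 536,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'},
    {"type": "write_process_memory", "pid": 536, "target": 1268},
    {"type": "set_thread_context", "pid": 536, "target": 1268},
    {"type": "process_create", "pid": 3512, "ppid": 1268,
     "image": r"C:\Windows\SysWOW64\netsh.exe", "cmdline": '"netsh" wlan show profile'},
    {"type": "write_process_memory", "pid": 1268, "target": 3512},
    {"type": "reg_key_open", "pid": 1268,
     "key": SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "dns_query", "pid": 1268, "host": "checkip.dyndns.org"},  # PID assumed
    {"type": "dns_query", "pid": 1268, "host": "freegeoip.app"},       # PID assumed
    {"type": "process_create", "pid": 4748, "ppid": 0,                 # benign control
     "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

# Assumptions: signed .NET Framework binaries commonly abused as hollowing hosts,
# and web services stealers use to learn the victim's external IP / geolocation.
HOLLOW_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe", "applaunch.exe"}
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app", "api.ipify.org", "icanhazip.com"}
OUTLOOK_PROFILE_MARKERS = (r"\Outlook\Profiles\Outlook",
                           r"\Windows Messaging Subsystem\Profiles\Outlook")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_no_arguments(cmdline, image):
    """True when the command line is only the image path (quoted or bare)."""
    line = cmdline.strip()
    if line.startswith('"'):
        path, _, rest = line[1:].partition('"')
    else:
        path, _, rest = line.partition(" ")
    return path.lower() == image.lower() and rest.strip() == ""


def hunt(events):
    """Return (rule, actor, detail) findings for the hollowing-stealer pattern."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = defaultdict(set)   # writer pid -> {target pids}
    contexts = set()            # (setter pid, target pid)
    for e in events:
        if e["type"] == "write_process_memory":
            writes[e["pid"]].add(e["target"])
        elif e["type"] == "set_thread_context":
            contexts.add((e["pid"], e["target"]))

    findings, hollowed = [], set()
    # Rule 1: a parent both wrote into a child it spawned and reset the child's
    # thread context, and the child is a .NET host started with no arguments.
    for src, dst in sorted(contexts):
        child = procs.get(dst)
        if (child and child["ppid"] == src and dst in writes[src]
                and basename(child["image"]) in HOLLOW_HOSTS
                and has_no_arguments(child["cmdline"], child["image"])):
            hollowed.add(dst)
            findings.append(("process_hollowing", src, dst))

    # Rules 2-4: follow-on stealer behaviour, gated on a hollowed process where
    # the indicator alone would be too noisy (netsh and IP lookups are common).
    for e in events:
        pid, kind = e["pid"], e["type"]
        if (kind == "process_create" and basename(e["image"]) == "netsh.exe"
                and "wlan" in e["cmdline"].lower()
                and "show profile" in e["cmdline"].lower()
                and e["ppid"] in hollowed):
            findings.append(("wifi_profile_enumeration", e["ppid"], pid))
        elif (kind == "reg_key_open"
                and any(m.lower() in e["key"].lower() for m in OUTLOOK_PROFILE_MARKERS)
                and basename(procs.get(pid, {}).get("image", "")) != "outlook.exe"):
            findings.append(("outlook_profile_access", pid, e["key"]))
        elif kind == "dns_query" and e["host"].lower() in IP_LOOKUP_HOSTS and pid in hollowed:
            findings.append(("external_ip_lookup", pid, e["host"]))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in hunt(EVENTS):
        print(f"{rule:<24} pid={actor:<5} {detail}")
```

Against these events the script reports one hollowing (536 -> 1268), the Wi-Fi profile enumeration and the two IP lookups from the hollowed process, and the Outlook profile access; the Windows Update svchost record produces nothing. Dropping the SetThreadContext event removes the hollowing verdict and, with it, the gated findings, which is the intended behaviour: the Outlook rule is the only one that stands on its own.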
Processes

C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST AND REQUIREMENTS.exe  (PID 536, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST AND REQUIREMENTS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  (PID 1268, level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\SysWOW64\netsh.exe  (PID 3512, level 3)
      Command line: "netsh" wlan show profile

C:\Windows\system32\svchost.exe  (PID 4748, level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 504, level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Only the first tree belongs to the sample; the svchost.exe (wuauserv) and TiWorker.exe roots are Windows Update and servicing activity. The hollowed host is the 32-bit Framework build of aspnet_compiler.exe (not Framework64), which is why its child netsh.exe comes from SysWOW64. "netsh wlan show profile" lists the names of the Wi-Fi profiles saved on the host; the pre-shared keys themselves are only revealed by a follow-up "show profile name=<profile> key=clear", which this run did not record.
Network
MITRE ATT&CK Enterprise v6
Downloads

Memory dumps captured during behavioral2. The file name encodes the PID, a sequence number and the region's start and end addresses; the size is as shown in the report.

PID 536 (PRODUCT LIST AND REQUIREMENTS.exe)
  memory/536-130-0x00007FFC89273000-0x00007FFC89275000-memory.dmp   8KB
  memory/536-131-0x0000000000A20000-0x0000000000BE0000-memory.dmp   1.8MB
  memory/536-132-0x000000001CDF0000-0x000000001CDF2000-memory.dmp   8KB

PID 1268 (aspnet_compiler.exe)
  memory/1268-133-0x0000000000400000-0x0000000000476000-memory.dmp   472KB   (family_matiex YARA match, see Signatures)
  memory/1268-134-0x00000000752FE000-0x00000000752FF000-memory.dmp   4KB
  memory/1268-135-0x0000000005250000-0x00000000052EC000-memory.dmp   624KB
  memory/1268-136-0x00000000058A0000-0x0000000005E44000-memory.dmp   5.6MB
  memory/1268-137-0x0000000005360000-0x00000000053C6000-memory.dmp   408KB
  memory/1268-138-0x0000000005340000-0x0000000005341000-memory.dmp   4KB
  memory/1268-139-0x00000000069B0000-0x0000000006A42000-memory.dmp   584KB
  memory/1268-140-0x00000000069A0000-0x00000000069AA000-memory.dmp   40KB
  memory/1268-144-0x0000000006F80000-0x0000000007142000-memory.dmp   1.8MB
  memory/1268-145-0x0000000005343000-0x0000000005345000-memory.dmp   8KB

PID 4748 (svchost.exe)
  memory/4748-141-0x000001AE5E820000-0x000001AE5E830000-memory.dmp   64KB
  memory/4748-142-0x000001AE5E880000-0x000001AE5E890000-memory.dmp   64KB
  memory/4748-143-0x000001AE60F40000-0x000001AE60F44000-memory.dmp   16KB
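When a report lists a dozen dumps for the hollowed process, the useful one is the region mapped at the payload's image base, which is where the sandbox's YARA rule fired here. The script below is an added example, not part of the sandbox report: it parses the dump names into regions, checks that the computed region sizes agree with the sizes the report displays (which also confirms how the report rounds), ranks the dumps of the hollowed PID by whether they start at the default 32-bit image base, and sanity-checks a downloaded dump for a PE header before handing it to an unpacker. REPORT_DUMPS is copied from the Downloads list; the hollowed PID (1268), the choice of 0x400000 as the expected image base and the PE blob used in the usage note are assumptions or constructed inputs.

```python
"""Turn the report's memory-dump names into regions and pick the payload dump (added example)."""
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")

# (dump name, size as displayed in the report's Downloads list)
REPORT_DUMPS = [
    ("memory/536-130-0x00007FFC89273000-0x00007FFC89275000-memory.dmp", "8KB"),
    ("memory/536-131-0x0000000000A20000-0x0000000000BE0000-memory.dmp", "1.8MB"),
    ("memory/536-132-0x000000001CDF0000-0x000000001CDF2000-memory.dmp", "8KB"),
    ("memory/1268-133-0x0000000000400000-0x0000000000476000-memory.dmp", "472KB"),
    ("memory/1268-134-0x00000000752FE000-0x00000000752FF000-memory.dmp", "4KB"),
    ("memory/1268-135-0x0000000005250000-0x00000000052EC000-memory.dmp", "624KB"),
    ("memory/1268-136-0x00000000058A0000-0x0000000005E44000-memory.dmp", "5.6MB"),
    ("memory/1268-137-0x0000000005360000-0x00000000053C6000-memory.dmp", "408KB"),
    ("memory/1268-138-0x0000000005340000-0x0000000005341000-memory.dmp", "4KB"),
    ("memory/1268-139-0x00000000069B0000-0x0000000006A42000-memory.dmp", "584KB"),
    ("memory/1268-140-0x00000000069A0000-0x00000000069AA000-memory.dmp", "40KB"),
    ("memory/1268-144-0x0000000006F80000-0x0000000007142000-memory.dmp", "1.8MB"),
    ("memory/1268-145-0x0000000005343000-0x0000000005345000-memory.dmp", "8KB"),
    ("memory/4748-141-0x000001AE5E820000-0x000001AE5E830000-memory.dmp", "64KB"),
    ("memory/4748-142-0x000001AE5E880000-0x000001AE5E890000-memory.dmp", "64KB"),
    ("memory/4748-143-0x000001AE60F40000-0x000001AE60F44000-memory.dmp", "16KB"),
]


def parse_dump_name(name):
    """Split 'memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp' into a region dict."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Reproduce the report's display: whole KB below 1 MiB, one-decimal MB above."""
    if n < 1 << 20:
        return f"{round(n / 1024)}KB"
    return f"{n / (1 << 20):.1f}MB"


def size_mismatches(report=REPORT_DUMPS):
    """Dump names whose computed region size disagrees with the size the report shows."""
    return [name for name, shown in report
            if human_size(parse_dump_name(name)["size"]) != shown]


def payload_candidates(report=REPORT_DUMPS, pid=1268, image_base=0x400000):
    """Dumps of `pid` that start at the expected image base.

    Assumption: a hollowing loader maps the replacement image at the payload's
    preferred base, and for a 32-bit PE that is normally 0x400000. In this
    report the family_matiex YARA match is exactly that region of PID 1268.
    """
    regions = [parse_dump_name(name) for name, _ in report]
    return [r for r in regions if r["pid"] == pid and r["start"] == image_base]


def looks_like_pe(blob):
    """Cheap check that a downloaded dump is a PE image before unpacking it."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    for name, shown in REPORT_DUMPS:
        r = parse_dump_name(name)
        print(f"pid {r['pid']:>5}  #{r['index']}  {r['start']:#018x}  "
              f"{human_size(r['size']):>6}  (report: {shown})")
    print("size mismatches:", size_mismatches())
    print("payload candidates for 1268:", [c["index"] for c in payload_candidates()])
    # Constructed minimal header: 'MZ', e_lfanew = 0x40, 'PE\0\0' at 0x40.
    fake = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0"
    print("constructed blob looks like PE:", looks_like_pe(fake))
```

For this report the size check comes back empty, i.e. every displayed size is the region length rounded as human_size does it, and the only candidate for PID 1268 is dump #133 (0x76000 bytes, 472KB), matching the YARA hit. The 0x7FFC... address in PID 536's first dump is a 64-bit user-mode address, so parse_dump_name deliberately does no 32-bit masking.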