Analysis
- max time kernel: 122s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 11-02-2022 08:22
Static task: static1
Behavioral task: behavioral1
  Sample: Enijidjm.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Enijidjm.exe
  Resource: win10v2004-en-20220113
General
- Target: Enijidjm.exe
- Size: 111KB
- MD5: dda708bbd533046daf479fd123f75cda
- SHA1: b8dc0fa033f434eafe46df7c0320676c866814cb
- SHA256: f442097ffe0336d6712267088a4368aa539f51f7ea7d1e950da88c6a42f1b29e
- SHA512: b6c983e27964446d6c8c3dcb6f03d0cbb957fd2c2cbe2888444372a4a3b69b22d3e9b3e401972aa5b365bc6b810dbffef9aa0aaeb50bf8e31f720f173b961e58
Malware Config
Extracted
- Protocol: smtp
- Host: serv3.devmexico.com
- Port: 587
- Username: [email protected]
- Password: 3}l^pI#_4K_!
Extracted (family: matiex)
- Protocol: smtp
- Host: serv3.devmexico.com
- Port: 587
- Username: [email protected]
- Password: 3}l^pI#_4K_!
- Email To: [email protected]
Signatures

Matiex Main Payload (4 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1040-63-0x0000000000400000-0x0000000000472000-memory.dmp   family_matiex
  behavioral1/memory/1040-64-0x0000000000400000-0x0000000000472000-memory.dmp   family_matiex
  behavioral1/memory/1040-65-0x0000000000400000-0x0000000000472000-memory.dmp   family_matiex
  behavioral1/memory/1040-66-0x0000000000400000-0x0000000000472000-memory.dmp   family_matiex
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: MSBuild.exe
  description   ioc                                                                                                                                                                   process
  Key opened    \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                    MSBuild.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   MSBuild.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                    MSBuild.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Enijidjm.exe
  description       ioc                                                                                                                                                            process
  Set value (str)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Test = "\"C:\\Users\\Admin\\AppData\\Roaming\\Demo\\Test.exe\""   Enijidjm.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  7      checkip.dyndns.org
  11     freegeoip.app
  12     freegeoip.app
Suspicious use of SetThreadContext (1 IoC)
Processes: Enijidjm.exe
  description                            pid    process        target process
  PID 1180 set thread context of 1040    1180   Enijidjm.exe   MSBuild.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: Enijidjm.exe, MSBuild.exe
  pid    process
  1180   Enijidjm.exe
  1040   MSBuild.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Enijidjm.exe, MSBuild.exe
  description               pid    process
  Token: SeDebugPrivilege   1180   Enijidjm.exe
  Token: SeDebugPrivilege   1040   MSBuild.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: Enijidjm.exe
  description                                          pid    process        target process
  PID 1180 wrote to memory of 1040 (9 identical events)   1180   Enijidjm.exe   MSBuild.exe
outlook_office_path (1 IoC)
Processes: MSBuild.exe
  description   ioc                                                                                                                                                 process
  Key opened    \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   MSBuild.exe

outlook_win_path (1 IoC)
Processes: MSBuild.exe
  description   ioc                                                                                                                                                                                   process
  Key opened    \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   MSBuild.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Enijidjm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Enijidjm.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of [1])
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Downloads
  file                                                                Filesize
  memory/1040-62-0x0000000000400000-0x0000000000472000-memory.dmp     456KB
  memory/1040-68-0x0000000004740000-0x0000000004741000-memory.dmp     4KB
  memory/1040-67-0x000000007445E000-0x000000007445F000-memory.dmp     4KB
  memory/1040-66-0x0000000000400000-0x0000000000472000-memory.dmp     456KB
  memory/1040-65-0x0000000000400000-0x0000000000472000-memory.dmp     456KB
  memory/1040-64-0x0000000000400000-0x0000000000472000-memory.dmp     456KB
  memory/1040-63-0x0000000000400000-0x0000000000472000-memory.dmp     456KB
  memory/1040-61-0x0000000000400000-0x0000000000472000-memory.dmp     456KB
  memory/1180-57-0x0000000000350000-0x0000000000351000-memory.dmp     4KB
  memory/1180-60-0x0000000004E70000-0x0000000004EBC000-memory.dmp     304KB
  memory/1180-59-0x0000000004CB0000-0x0000000004CF0000-memory.dmp     256KB
  memory/1180-58-0x00000000043C0000-0x0000000004410000-memory.dmp     320KB
  memory/1180-54-0x000000007445E000-0x000000007445F000-memory.dmp     4KB
  memory/1180-56-0x0000000075831000-0x0000000075833000-memory.dmp     8KB
  memory/1180-55-0x0000000000E90000-0x0000000000EB0000-memory.dmp     128KB