Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 21-02-2022 22:30

Static task: static1

Behavioral task: behavioral1
- Sample: NKP210102-NIT-SC2.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: NKP210102-NIT-SC2.exe
- Resource: win10v2004-en-20220113
General
- Target: NKP210102-NIT-SC2.exe
- Size: 779KB
- MD5: 087dfca6f2b2c9825a49d4b986d7f539
- SHA1: 748e44b93cf2882248b2e27c728eb11018984bf4
- SHA256: af8629a317a5fe7aa5900f445cd855b902a495c497646c3ef1485ea5a9d026a7
- SHA512: 25ab703c8261e1c36e4656b405b2aff6c8595bc26fe3b0f982e7249a90d6d6405d5f66ff8c28f8696d16c99a479718657dc669e0e4e5c2abe00e3ea03bac588d
Malware Config
Extracted (family: matiex)
- Protocol: smtp
- Host: mail.revistaeducar.com.ar
- Port: 25
- Username: [email protected]
- Password: somchai#3774
Signatures

Matiex Main Payload (1 IoCs)
Processes:
- resource: behavioral2/memory/4000-141-0x0000000000400000-0x0000000000472000-memory.dmp, yara_rule: family_matiex

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: NKP210102-NIT-SC2.exe)

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 48: checkip.dyndns.org
- flow 50: freegeoip.app
- flow 51: freegeoip.app

Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 3008 (NKP210102-NIT-SC2.exe) set thread context of PID 4000 (RegSvcs.exe)

Drops file in Windows directory (6 IoCs)
Processes:
- File opened for modification: C:\Windows\WindowsUpdate.log (process: svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (process: svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (process: svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (process: svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (process: svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (process: svchost.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
- PID 4000 (RegSvcs.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- PID 4000 (RegSvcs.exe)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
- Token: SeShutdownPrivilege, PID 3420 (svchost.exe)
- Token: SeCreatePagefilePrivilege, PID 3420 (svchost.exe)
- Token: SeShutdownPrivilege, PID 3420 (svchost.exe)
- Token: SeCreatePagefilePrivilege, PID 3420 (svchost.exe)
- Token: SeShutdownPrivilege, PID 3420 (svchost.exe)
- Token: SeCreatePagefilePrivilege, PID 3420 (svchost.exe)
- Token: SeDebugPrivilege, PID 4000 (RegSvcs.exe)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- PID 4000 (RegSvcs.exe)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4012 (schtasks.exe)
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4012 (schtasks.exe)
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4012 (schtasks.exe)
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4000 (RegSvcs.exe)
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4000 (RegSvcs.exe)
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4000 (RegSvcs.exe)
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4000 (RegSvcs.exe)
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4000 (RegSvcs.exe)
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4000 (RegSvcs.exe)
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4000 (RegSvcs.exe)
- PID 3008 (NKP210102-NIT-SC2.exe) wrote to memory of PID 4000 (RegSvcs.exe)

outlook_office_path (1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)

outlook_win_path (1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\NKP210102-NIT-SC2.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\NKP210102-NIT-SC2.exe"
PID: 3008
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kVTLnkXYUzFB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9F.tmp"
    PID: 4012
    - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "{path}"
    PID: 4000
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path

C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
PID: 3420
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE9F.tmp
  MD5: 0375d27c7ee1c61af6135319bd83c87b
  SHA1: 3db451ac8d48fc986051b0bf3e636de930446601
  SHA256: bf589a067fe1a2f3a3480ceaa1e8c41ee607515dd68074138ce8ffac040301a6
  SHA512: f897c5e341b270dca7997ac7c5339fe5b81a9db13c1973dc228780da560bd6e898f37866052d2b7400cf1e3d066f9b5065c7912bddb9e626240220edc65f5673
- memory/3008-130-0x0000000000660000-0x0000000000728000-memory.dmp (Filesize: 800KB)
- memory/3008-131-0x0000000005710000-0x0000000005CB4000-memory.dmp (Filesize: 5.6MB)
- memory/3008-132-0x00000000050B0000-0x0000000005142000-memory.dmp (Filesize: 584KB)
- memory/3008-133-0x0000000074F6E000-0x0000000074F6F000-memory.dmp (Filesize: 4KB)
- memory/3008-134-0x0000000005290000-0x000000000529A000-memory.dmp (Filesize: 40KB)
- memory/3008-135-0x00000000052D0000-0x00000000052D1000-memory.dmp (Filesize: 4KB)
- memory/3008-139-0x00000000061D0000-0x000000000626C000-memory.dmp (Filesize: 624KB)
- memory/3420-138-0x0000024E26990000-0x0000024E26994000-memory.dmp (Filesize: 16KB)
- memory/3420-137-0x0000024E24320000-0x0000024E24330000-memory.dmp (Filesize: 64KB)
- memory/3420-136-0x0000024E23D60000-0x0000024E23D70000-memory.dmp (Filesize: 64KB)
- memory/4000-141-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/4000-142-0x0000000005830000-0x0000000005896000-memory.dmp (Filesize: 408KB)
- memory/4000-144-0x0000000005930000-0x0000000005931000-memory.dmp (Filesize: 4KB)
- memory/4000-143-0x0000000074F6E000-0x0000000074F6F000-memory.dmp (Filesize: 4KB)
- memory/4000-145-0x00000000074B0000-0x0000000007672000-memory.dmp (Filesize: 1.8MB)