Analysis
-
max time kernel
145s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
21-02-2022 23:32
Static task
static1
Behavioral task
behavioral1
Sample
090008000000000000.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
090008000000000000.exe
Resource
win10v2004-en-20220112
General
-
Target
090008000000000000.exe
-
Size
1.2MB
-
MD5
4c7fe9c4af3c08960d1490c0ba409694
-
SHA1
67b090a0aab7e6452d4fba12f2d625e276402096
-
SHA256
614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097
-
SHA512
a5d70d3958b0979f39d2417cdfb26de1aac81482d48151310fa8cf99ad0d7ddeb83f1812ac611debd7ee052adb7bd109d5828e09a2fd765be2dbf5e35a3889a6
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Matiex Main Payload 5 IoCs
Processes:
resource yara_rule behavioral2/memory/1704-149-0x0000000000400000-0x000000000050C000-memory.dmp family_matiex behavioral2/memory/1704-153-0x0000000000400000-0x000000000050C000-memory.dmp family_matiex C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe family_matiex C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe family_matiex behavioral2/memory/3524-163-0x00000000002F0000-0x0000000000366000-memory.dmp family_matiex -
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
AgentTesla Payload 5 IoCs
Processes:
resource yara_rule behavioral2/memory/1704-149-0x0000000000400000-0x000000000050C000-memory.dmp family_agenttesla behavioral2/memory/1704-153-0x0000000000400000-0x000000000050C000-memory.dmp family_agenttesla C:\Users\Admin\AppData\Local\Temp\4.0.exe family_agenttesla C:\Users\Admin\AppData\Local\Temp\4.0.exe family_agenttesla behavioral2/memory/3408-157-0x0000000000130000-0x000000000016C000-memory.dmp family_agenttesla -
Executes dropped EXE 3 IoCs
Processes:
4.0.exebilgi snake 2021.exeMATIEX GODISOD 4.0 .exepid process 3408 4.0.exe 1488 bilgi snake 2021.exe 3524 MATIEX GODISOD 4.0 .exe -
Drops startup file 2 IoCs
Processes:
Powershell.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Powershell.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
Processes:
bilgi snake 2021.exeMATIEX GODISOD 4.0 .exe4.0.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 bilgi snake 2021.exe Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 bilgi snake 2021.exe Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MATIEX GODISOD 4.0 .exe Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MATIEX GODISOD 4.0 .exe Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 4.0.exe Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 bilgi snake 2021.exe Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MATIEX GODISOD 4.0 .exe Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 4.0.exe Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 4.0.exe -
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 checkip.dyndns.org 34 freegeoip.app 35 freegeoip.app 37 freegeoip.app 79 api.ipify.org 80 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
090008000000000000.exedescription pid process target process PID 2460 set thread context of 1704 2460 090008000000000000.exe InstallUtil.exe -
Drops file in Windows directory 3 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 54 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4128" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.166644" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.081624" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4096" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4288" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132901363961120009" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
Powershell.exe4.0.exebilgi snake 2021.exeMATIEX GODISOD 4.0 .exepid process 1368 Powershell.exe 1368 Powershell.exe 3408 4.0.exe 3408 4.0.exe 1488 bilgi snake 2021.exe 3524 MATIEX GODISOD 4.0 .exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Powershell.exe4.0.exebilgi snake 2021.exeMATIEX GODISOD 4.0 .exeTiWorker.exedescription pid process Token: SeDebugPrivilege 1368 Powershell.exe Token: SeDebugPrivilege 3408 4.0.exe Token: SeDebugPrivilege 1488 bilgi snake 2021.exe Token: SeDebugPrivilege 3524 MATIEX GODISOD 4.0 .exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe Token: SeBackupPrivilege 3768 TiWorker.exe Token: SeRestorePrivilege 3768 TiWorker.exe Token: SeSecurityPrivilege 3768 TiWorker.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
InstallUtil.exepid process 1704 InstallUtil.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
090008000000000000.exeInstallUtil.exeMATIEX GODISOD 4.0 .exedescription pid process target process PID 2460 wrote to memory of 1368 2460 090008000000000000.exe Powershell.exe PID 2460 wrote to memory of 1368 2460 090008000000000000.exe Powershell.exe PID 2460 wrote to memory of 1368 2460 090008000000000000.exe Powershell.exe PID 2460 wrote to memory of 1704 2460 090008000000000000.exe InstallUtil.exe PID 2460 wrote to memory of 1704 2460 090008000000000000.exe InstallUtil.exe PID 2460 wrote to memory of 1704 2460 090008000000000000.exe InstallUtil.exe PID 2460 wrote to memory of 1704 2460 090008000000000000.exe InstallUtil.exe PID 2460 wrote to memory of 1704 2460 090008000000000000.exe InstallUtil.exe PID 2460 wrote to memory of 1704 2460 090008000000000000.exe InstallUtil.exe PID 2460 wrote to memory of 1704 2460 090008000000000000.exe InstallUtil.exe PID 1704 wrote to memory of 3408 1704 InstallUtil.exe 4.0.exe PID 1704 wrote to memory of 3408 1704 InstallUtil.exe 4.0.exe PID 1704 wrote to memory of 3408 1704 InstallUtil.exe 4.0.exe PID 1704 wrote to memory of 1488 1704 InstallUtil.exe bilgi snake 2021.exe PID 1704 wrote to memory of 1488 1704 InstallUtil.exe bilgi snake 2021.exe PID 1704 wrote to memory of 1488 1704 InstallUtil.exe bilgi snake 2021.exe PID 1704 wrote to memory of 3524 1704 InstallUtil.exe MATIEX GODISOD 4.0 .exe PID 1704 wrote to memory of 3524 1704 InstallUtil.exe MATIEX GODISOD 4.0 .exe PID 1704 wrote to memory of 3524 1704 InstallUtil.exe MATIEX GODISOD 4.0 .exe PID 3524 wrote to memory of 2024 3524 MATIEX GODISOD 4.0 .exe netsh.exe PID 3524 wrote to memory of 2024 3524 MATIEX GODISOD 4.0 .exe netsh.exe PID 3524 wrote to memory of 2024 3524 MATIEX GODISOD 4.0 .exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
4.0.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 4.0.exe -
outlook_win_path 1 IoCs
Processes:
4.0.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 4.0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\090008000000000000.exe"C:\Users\Admin\AppData\Local\Temp\090008000000000000.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\090008000000000000.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\4.0.exe"C:\Users\Admin\AppData\Local\Temp\4.0.exe" 03⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe"C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe" 03⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe"C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe" 03⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile4⤵PID:2024
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1408
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:812
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3768
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4.0.exeMD5
bd5fe63e3666a489e7a221647f6f3807
SHA152a8db03aa3db1b9a287688afeffa9f041c3811c
SHA2565a46b373a0a0894870f5a63e52477dbe71e78efe35aa373c30d2edbdf3e35f9e
SHA512631a0ce258d4ae4ab81ca69ff344eb8733e5507b4f88c27f8b7491bed8fe2362f944bbdff51abf3089c03a67149a102cce8989d985e60a9531b77a7f260b90e6
-
C:\Users\Admin\AppData\Local\Temp\4.0.exeMD5
bd5fe63e3666a489e7a221647f6f3807
SHA152a8db03aa3db1b9a287688afeffa9f041c3811c
SHA2565a46b373a0a0894870f5a63e52477dbe71e78efe35aa373c30d2edbdf3e35f9e
SHA512631a0ce258d4ae4ab81ca69ff344eb8733e5507b4f88c27f8b7491bed8fe2362f944bbdff51abf3089c03a67149a102cce8989d985e60a9531b77a7f260b90e6
-
C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exeMD5
f615aa95251fc14492843942a588614c
SHA1296669e81c271762d5068f8a9ecbb354ffc335c9
SHA256e0b3bd3f2fadd3ef560c7dc1c13e1f50351e8df61139eb8e6367badf7689e71b
SHA512ad58e4b52132a0c186ff14040bf95cc1c8d65b307c90a6004e1d58e365c91635d998e3259cb5575c79aeb0aed08dd55a827edadfbef7f0ecfbc500dd9b42b6f1
-
C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exeMD5
f615aa95251fc14492843942a588614c
SHA1296669e81c271762d5068f8a9ecbb354ffc335c9
SHA256e0b3bd3f2fadd3ef560c7dc1c13e1f50351e8df61139eb8e6367badf7689e71b
SHA512ad58e4b52132a0c186ff14040bf95cc1c8d65b307c90a6004e1d58e365c91635d998e3259cb5575c79aeb0aed08dd55a827edadfbef7f0ecfbc500dd9b42b6f1
-
C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exeMD5
e33e63bda6a3976ecadfa9ee6f096944
SHA168b683bb325ae9c21f471593f007c797a02dc497
SHA256c2d3a6b20eb4bc377bf9be955b23615492786be0613373bfc7f440ab872a8142
SHA51291b672e86e30804e7e632d79e78c99ac9a0ee7c8468ad9eecc555f15773bb535d430f0c39efa61d9afdec7bb3f05f97cd18126e6c16eb6b1036e131b8f256142
-
C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exeMD5
e33e63bda6a3976ecadfa9ee6f096944
SHA168b683bb325ae9c21f471593f007c797a02dc497
SHA256c2d3a6b20eb4bc377bf9be955b23615492786be0613373bfc7f440ab872a8142
SHA51291b672e86e30804e7e632d79e78c99ac9a0ee7c8468ad9eecc555f15773bb535d430f0c39efa61d9afdec7bb3f05f97cd18126e6c16eb6b1036e131b8f256142
-
memory/1368-142-0x00000000075A0000-0x0000000007BC8000-memory.dmpFilesize
6.2MB
-
memory/1368-144-0x00000000746FE000-0x00000000746FF000-memory.dmpFilesize
4KB
-
memory/1368-170-0x0000000009500000-0x0000000009596000-memory.dmpFilesize
600KB
-
memory/1368-141-0x0000000006F30000-0x0000000006F66000-memory.dmpFilesize
216KB
-
memory/1368-171-0x0000000008950000-0x000000000896A000-memory.dmpFilesize
104KB
-
memory/1368-143-0x0000000007C40000-0x0000000007C62000-memory.dmpFilesize
136KB
-
memory/1368-145-0x0000000007DE0000-0x0000000007E46000-memory.dmpFilesize
408KB
-
memory/1368-172-0x00000000089A0000-0x00000000089C2000-memory.dmpFilesize
136KB
-
memory/1368-147-0x0000000006F20000-0x0000000006F21000-memory.dmpFilesize
4KB
-
memory/1368-148-0x0000000006F22000-0x0000000006F23000-memory.dmpFilesize
4KB
-
memory/1368-152-0x00000000084E0000-0x00000000084FE000-memory.dmpFilesize
120KB
-
memory/1368-146-0x0000000007E50000-0x0000000007EB6000-memory.dmpFilesize
408KB
-
memory/1488-165-0x00000000746FE000-0x00000000746FF000-memory.dmpFilesize
4KB
-
memory/1488-160-0x0000000000770000-0x00000000007DA000-memory.dmpFilesize
424KB
-
memory/1488-174-0x00000000065F0000-0x00000000067B2000-memory.dmpFilesize
1.8MB
-
memory/1488-167-0x00000000051B0000-0x00000000051B1000-memory.dmpFilesize
4KB
-
memory/1704-149-0x0000000000400000-0x000000000050C000-memory.dmpFilesize
1.0MB
-
memory/1704-153-0x0000000000400000-0x000000000050C000-memory.dmpFilesize
1.0MB
-
memory/2460-130-0x00000000746FE000-0x00000000746FF000-memory.dmpFilesize
4KB
-
memory/2460-169-0x0000000009570000-0x00000000095AC000-memory.dmpFilesize
240KB
-
memory/2460-138-0x0000000009430000-0x00000000094CC000-memory.dmpFilesize
624KB
-
memory/2460-137-0x0000000005633000-0x0000000005635000-memory.dmpFilesize
8KB
-
memory/2460-136-0x0000000008FC0000-0x00000000090CA000-memory.dmpFilesize
1.0MB
-
memory/2460-135-0x0000000005480000-0x000000000548A000-memory.dmpFilesize
40KB
-
memory/2460-134-0x0000000005630000-0x0000000005631000-memory.dmpFilesize
4KB
-
memory/2460-133-0x0000000005490000-0x0000000005522000-memory.dmpFilesize
584KB
-
memory/2460-132-0x00000000059A0000-0x0000000005F44000-memory.dmpFilesize
5.6MB
-
memory/2460-131-0x00000000009B0000-0x0000000000ADC000-memory.dmpFilesize
1.2MB
-
memory/3408-156-0x00000000746FE000-0x00000000746FF000-memory.dmpFilesize
4KB
-
memory/3408-164-0x0000000004BD0000-0x0000000004BD1000-memory.dmpFilesize
4KB
-
memory/3408-157-0x0000000000130000-0x000000000016C000-memory.dmpFilesize
240KB
-
memory/3408-175-0x0000000006410000-0x0000000006460000-memory.dmpFilesize
320KB
-
memory/3408-176-0x0000000004BD1000-0x0000000004BD2000-memory.dmpFilesize
4KB
-
memory/3524-168-0x0000000004CD0000-0x0000000004CD1000-memory.dmpFilesize
4KB
-
memory/3524-166-0x00000000746FE000-0x00000000746FF000-memory.dmpFilesize
4KB
-
memory/3524-163-0x00000000002F0000-0x0000000000366000-memory.dmpFilesize
472KB