Analysis
- Max time kernel: 162s
- Max time network: 180s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220112
- Submitted: 21-02-2022 10:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: Payment Notification.exe
- Resource: win7-en-20211208
General
- Target: Payment Notification.exe
- Size: 1.0MB
- MD5: 22d61a1e0f48b05fec1a4cf9da160b16
- SHA1: 68826094caeffc43d24ddf0d2ad1c6ed5e961272
- SHA256: 78f08071af81517d374179110b8018fce8d6670abd110ab76fdf811a08761ad4
- SHA512: 760c4b4b9fdc3fca93129a0bc973e27bbe8e9d696baae51509a70dc8a8f0fc1ad8a1fa5801c9f21cacfea66bc728de1102f868d1a348fde1350f42d337d2df5d
Malware Config
Extracted family: matiex
- Protocol: smtp
- Host: mail.revistaeducar.com.ar
- Port: 25
- Username: [email protected]
- Password: somchai#3774
Signatures
- Matiex Main Payload (1 IoC)
  resource: behavioral2/memory/3420-138-0x0000000000400000-0x0000000000472000-memory.dmp
  yara_rule: family_matiex
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (Payment Notification.exe)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 79: freegeoip.app
  flow 80: freegeoip.app
  flow 77: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 3864 (Payment Notification.exe) set thread context of PID 3420 (RegSvcs.exe)
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies data under HKEY_USERS (53 IoCs)
  All 53 events are by svchost.exe under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization; paths below are relative to that key, in the order reported.
  Set value (int) Usage\DownlinkBps = "0"
  Key created Config
  Set value (int) Usage\MonthID = "1"
  Set value (int) Usage\NormalDownloadPendingCount = "0"
  Set value (int) Usage\UploadMonthlyInternetBytes = "0"
  Set value (int) Usage\LANConnectionCount = "0"
  Set value (int) Usage\LinkLocalConnectionCount = "0"
  Set value (int) Usage\NormalDownloadCount = "0"
  Set value (int) Usage\SwarmCount = "0"
  Set value (int) Config\DownloadMode_BackCompat = "1"
  Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (str) Usage\CPUpct = "0.352113"
  Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int) Usage\DownloadMonthlyCdnBytes = "90228624"
  Set value (int) Usage\PriorityDownloadCount = "0"
  Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
  Set value (int) Usage\DownloadMonthlyRateBkCnt = "4"
  Key created Usage
  Set value (int) Usage\GroupConnectionCount = "0"
  Key created Settings
  Set value (int) Usage\MemoryUsageKB = "4164"
  Set value (int) Usage\MemoryUsageKB = "4360"
  Set value (int) Config\DODownloadMode = "1"
  Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
  Set value (str) Usage\CPUpct = "0.000000"
  Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
  Set value (int) Config\KVFileExpirationTime = "132901196027576184"
  Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (int) Usage\MonthlyUploadRestriction = "0"
  Set value (str) Usage\CPUpct = "1.893944"
  Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (int) Usage\CacheSizeBytes = "0"
  Set value (int) Usage\UploadRatePct = "100"
  Set value (int) Usage\PriorityDownloadPendingCount = "0"
  Set value (int) Usage\UplinkBps = "0"
  Set value (int) Usage\FrDownloadRatePct = "90"
  Set value (int) Usage\InternetConnectionCount = "0"
  Set value (int) Usage\DownloadMonthlyRateBkBps = "1157726"
  Set value (int) Usage\CDNConnectionCount = "0"
  Set value (int) Usage\UploadCount = "0"
  Key created (the DeliveryOptimization key itself)
  Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int) Usage\MonthID = "2"
  Set value (int) Usage\SwarmCount = "1"
  Set value (int) Usage\PeerInfoCount = "0"
  Set value (int) Usage\UplinkUsageBps = "0"
  Set value (int) Usage\BkDownloadRatePct = "45"
  Set value (int) Usage\UploadMonthlyLanBytes = "0"
  Set value (int) Usage\DownlinkUsageBps = "0"
  Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int) Usage\DownloadMonthlyLanBytes = "0"
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 3864 Payment Notification.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2664 TiWorker.exe: 64 token adjustments, each for one of SeSecurityPrivilege, SeRestorePrivilege or SeBackupPrivilege (the three repeat in rotation throughout the list)
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 3864 (Payment Notification.exe) wrote to memory of PID 3276 (schtasks.exe): 3 events
  PID 3864 (Payment Notification.exe) wrote to memory of PID 1380 (RegSvcs.exe): 3 events
  PID 3864 (Payment Notification.exe) wrote to memory of PID 2420 (RegSvcs.exe): 3 events
  PID 3864 (Payment Notification.exe) wrote to memory of PID 3420 (RegSvcs.exe): 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Notification.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Notification.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tgZOYkOUhk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDC3.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpCDC3.tmp
  MD5: 7b9c4b7832b75cb0a8b311f0013d7b8f
  SHA1: 5ddd2da48f9bd89a8c4873c7c16cb72b50e3b495
  SHA256: 9d946e260a426596414b305c6305c9750d2f231997707c83d4a21742030f4cc9
  SHA512: 2eef86a25761ea2308bb9a06fd1c523b04ba7a7aa18a44bc36637663439165d11f6dc70690daae8109eddd9a1a5da00f2090145b1c33194edc0f0024b04f8f85
- memory/3420-138-0x0000000000400000-0x0000000000472000-memory.dmp
  Filesize: 456KB
- memory/3420-139-0x000000007536E000-0x000000007536F000-memory.dmp
  Filesize: 4KB
- memory/3420-140-0x0000000004EB0000-0x0000000004F16000-memory.dmp
  Filesize: 408KB
- memory/3420-141-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
  Filesize: 4KB
- memory/3864-130-0x000000007536E000-0x000000007536F000-memory.dmp
  Filesize: 4KB
- memory/3864-131-0x0000000000B40000-0x0000000000C4E000-memory.dmp
  Filesize: 1.1MB
- memory/3864-132-0x0000000005AA0000-0x0000000006044000-memory.dmp
  Filesize: 5.6MB
- memory/3864-133-0x00000000054F0000-0x0000000005582000-memory.dmp
  Filesize: 584KB
- memory/3864-134-0x0000000005750000-0x0000000005751000-memory.dmp
  Filesize: 4KB
- memory/3864-135-0x00000000054A0000-0x00000000054AA000-memory.dmp
  Filesize: 40KB
- memory/3864-136-0x0000000007A00000-0x0000000007A9C000-memory.dmp
  Filesize: 624KB