Analysis
max time kernel: 4294193s
max time network: 140s
platform: windows7_x64
resource: win7-20220223-en
submitted: 01-03-2022 17:25
Static task: static1
Behavioral task: behavioral1
Sample: b4fd099f95248286fb005d5fc93399d9.exe
Resource: win7-20220223-en
General
Target: b4fd099f95248286fb005d5fc93399d9.exe
Size: 477KB
MD5: b4fd099f95248286fb005d5fc93399d9
SHA1: 4fca12d0d25a2115b5958de3aa9830f36361fbbb
SHA256: d8924e2835e52e70b5c4fa4fa0a91e9b06776f778d065d62773a4564586d486c
SHA512: 05c742c18b03adb4153f1f921311f4aaba01ddc04cd329a8079bd9b56db46ab45cfae32c7a88db3becde49f76859a6c24452fa6dbd1c1738bb0d59e8aa45f2ef
Malware Config
Extracted
matiex
https://api.telegram.org/bot1474029845:AAESF02q0JZytndFFaKINAGOHrylDk8NpJA/sendMessage?chat_id=1481651786
Signatures
-
Matiex Main Payload 4 IoCs
Processes:
  resource                                                                        yara_rule
  behavioral1/memory/1824-62-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
  behavioral1/memory/1824-63-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
  behavioral1/memory/1824-64-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
  behavioral1/memory/1824-65-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  b4fd099f95248286fb005d5fc93399d9.exe
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  b4fd099f95248286fb005d5fc93399d9.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   b4fd099f95248286fb005d5fc93399d9.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  b4fd099f95248286fb005d5fc93399d9.exe
  description  ioc                                                                                                                                                                        process
  Key opened   \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                      b4fd099f95248286fb005d5fc93399d9.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  b4fd099f95248286fb005d5fc93399d9.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                      b4fd099f95248286fb005d5fc93399d9.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     checkip.dyndns.org
  8     freegeoip.app
  9     freegeoip.app
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
  b4fd099f95248286fb005d5fc93399d9.exe
  description        ioc                                                          process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    b4fd099f95248286fb005d5fc93399d9.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  b4fd099f95248286fb005d5fc93399d9.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  b4fd099f95248286fb005d5fc93399d9.exe
  description                          pid   process                               target process
  PID 1100 set thread context of 1824  1100  b4fd099f95248286fb005d5fc93399d9.exe  b4fd099f95248286fb005d5fc93399d9.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
  b4fd099f95248286fb005d5fc93399d9.exe, b4fd099f95248286fb005d5fc93399d9.exe
  pid   process                               events
  1100  b4fd099f95248286fb005d5fc93399d9.exe  5
  1824  b4fd099f95248286fb005d5fc93399d9.exe  7
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  b4fd099f95248286fb005d5fc93399d9.exe, b4fd099f95248286fb005d5fc93399d9.exe
  description              pid   process
  Token: SeDebugPrivilege  1100  b4fd099f95248286fb005d5fc93399d9.exe
  Token: SeDebugPrivilege  1824  b4fd099f95248286fb005d5fc93399d9.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  b4fd099f95248286fb005d5fc93399d9.exe
  pid   process
  1824  b4fd099f95248286fb005d5fc93399d9.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  b4fd099f95248286fb005d5fc93399d9.exe, b4fd099f95248286fb005d5fc93399d9.exe
  description                       pid   process                               target process                        events
  PID 1100 wrote to memory of 692   1100  b4fd099f95248286fb005d5fc93399d9.exe  b4fd099f95248286fb005d5fc93399d9.exe  4
  PID 1100 wrote to memory of 1824  1100  b4fd099f95248286fb005d5fc93399d9.exe  b4fd099f95248286fb005d5fc93399d9.exe  9
  PID 1824 wrote to memory of 1724  1824  b4fd099f95248286fb005d5fc93399d9.exe  netsh.exe                             4
-
outlook_office_path 1 IoCs
Processes:
  b4fd099f95248286fb005d5fc93399d9.exe
  description  ioc                                                                                                                                    process
  Key opened   \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  b4fd099f95248286fb005d5fc93399d9.exe
-
outlook_win_path 1 IoCs
Processes:
  b4fd099f95248286fb005d5fc93399d9.exe
  description  ioc                                                                                                                                                                        process
  Key opened   \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  b4fd099f95248286fb005d5fc93399d9.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b4fd099f95248286fb005d5fc93399d9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b4fd099f95248286fb005d5fc93399d9.exe"
  PID: 1100
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\b4fd099f95248286fb005d5fc93399d9.exe
    command line: "{path}"
    PID: 692
  C:\Users\Admin\AppData\Local\Temp\b4fd099f95248286fb005d5fc93399d9.exe
    command line: "{path}"
    PID: 1824
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    C:\Windows\SysWOW64\netsh.exe
      command line: "netsh" wlan show profile
      PID: 1724
Network
MITRE ATT&CK Enterprise v6
Downloads
  file                                                              filesize
  memory/1100-54-0x0000000000290000-0x0000000000312000-memory.dmp  520KB
  memory/1100-55-0x0000000074DEE000-0x0000000074DEF000-memory.dmp  4KB
  memory/1100-56-0x0000000000650000-0x00000000006BC000-memory.dmp  432KB
  memory/1100-57-0x0000000004C60000-0x0000000004C61000-memory.dmp  4KB
  memory/1100-58-0x0000000000270000-0x000000000028C000-memory.dmp  112KB
  memory/1100-59-0x0000000006780000-0x0000000006820000-memory.dmp  640KB
  memory/1724-68-0x0000000075BE1000-0x0000000075BE3000-memory.dmp  8KB
  memory/1824-63-0x0000000000400000-0x0000000000476000-memory.dmp  472KB
  memory/1824-62-0x0000000000400000-0x0000000000476000-memory.dmp  472KB
  memory/1824-60-0x0000000000400000-0x0000000000476000-memory.dmp  472KB
  memory/1824-64-0x0000000000400000-0x0000000000476000-memory.dmp  472KB
  memory/1824-65-0x0000000000400000-0x0000000000476000-memory.dmp  472KB
  memory/1824-67-0x00000000055E0000-0x00000000055E1000-memory.dmp  4KB
  memory/1824-66-0x0000000074DEE000-0x0000000074DEF000-memory.dmp  4KB
  memory/1824-61-0x0000000000400000-0x0000000000476000-memory.dmp  472KB
  memory/1824-69-0x00000000055E5000-0x00000000055F6000-memory.dmp  68KB