Analysis
- max time kernel: 155s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 01-03-2022 17:25
Static task: static1
Behavioral task: behavioral1
Sample: b4fd099f95248286fb005d5fc93399d9.exe
Resource: win7-20220223-en
General
- Target: b4fd099f95248286fb005d5fc93399d9.exe
- Size: 477KB
- MD5: b4fd099f95248286fb005d5fc93399d9
- SHA1: 4fca12d0d25a2115b5958de3aa9830f36361fbbb
- SHA256: d8924e2835e52e70b5c4fa4fa0a91e9b06776f778d065d62773a4564586d486c
- SHA512: 05c742c18b03adb4153f1f921311f4aaba01ddc04cd329a8079bd9b56db46ab45cfae32c7a88db3becde49f76859a6c24452fa6dbd1c1738bb0d59e8aa45f2ef
Malware Config
Extracted
- Family: matiex
- C2: https://api.telegram.org/bot1474029845:AAESF02q0JZytndFFaKINAGOHrylDk8NpJA/sendMessage?chat_id=1481651786
Signatures

Matiex Main Payload (1 IoCs)
Processes:
- resource: behavioral2/memory/3136-139-0x0000000000400000-0x0000000000476000-memory.dmp, yara_rule: family_matiex
Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: b4fd099f95248286fb005d5fc93399d9.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: b4fd099f95248286fb005d5fc93399d9.exe)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: b4fd099f95248286fb005d5fc93399d9.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: b4fd099f95248286fb005d5fc93399d9.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: b4fd099f95248286fb005d5fc93399d9.exe)
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 26: checkip.dyndns.org
- flow 30: freegeoip.app
- flow 31: freegeoip.app
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: b4fd099f95248286fb005d5fc93399d9.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: b4fd099f95248286fb005d5fc93399d9.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 2820 set thread context of 3136 (process: b4fd099f95248286fb005d5fc93399d9.exe, target process: b4fd099f95248286fb005d5fc93399d9.exe)
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
- pid 2820, b4fd099f95248286fb005d5fc93399d9.exe (4 entries)
- pid 3136, b4fd099f95248286fb005d5fc93399d9.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 2820, b4fd099f95248286fb005d5fc93399d9.exe
- Token: SeDebugPrivilege, pid 3136, b4fd099f95248286fb005d5fc93399d9.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- pid 3136, b4fd099f95248286fb005d5fc93399d9.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 2820 wrote to memory of 3136 (process: b4fd099f95248286fb005d5fc93399d9.exe, target process: b4fd099f95248286fb005d5fc93399d9.exe) (8 entries)
- PID 3136 wrote to memory of 4660 (process: b4fd099f95248286fb005d5fc93399d9.exe, target process: netsh.exe) (3 entries)
outlook_office_path (1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: b4fd099f95248286fb005d5fc93399d9.exe)

outlook_win_path (1 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: b4fd099f95248286fb005d5fc93399d9.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b4fd099f95248286fb005d5fc93399d9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b4fd099f95248286fb005d5fc93399d9.exe"
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b4fd099f95248286fb005d5fc93399d9.exe (child of 1)
      Command line: "{path}"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: "netsh" wlan show profile
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b4fd099f95248286fb005d5fc93399d9.exe.log
  MD5: 531595e2b5f12461e210c410faf46d37
  SHA1: 4c163e51d2a43c5514f4064dd3bc9e9470ed752c
  SHA256: 40b7c802bfe6623c91a471cb1525738c9bc6e38125d3ea4c73b26f468ca83b51
  SHA512: ac815c417c53b6a04415f022655ee4fe014f9f80c540b0b595e3dfc4e744458c2eaee5d535a14bc488a27afb5b53e5289eca23434fd1ba10ae231ae6678d1e6b
Memory dumps (filesize):
- memory/2820-136-0x000000000ADE0000-0x000000000B30C000-memory.dmp: 5.2MB
- memory/2820-138-0x0000000007F90000-0x0000000007FF6000-memory.dmp: 408KB
- memory/2820-133-0x0000000005970000-0x0000000005A02000-memory.dmp: 584KB
- memory/2820-134-0x0000000005930000-0x000000000593A000-memory.dmp: 40KB
- memory/2820-135-0x0000000005680000-0x0000000005681000-memory.dmp: 4KB
- memory/2820-130-0x0000000000AB0000-0x0000000000B32000-memory.dmp: 520KB
- memory/2820-137-0x00000000065C0000-0x000000000665C000-memory.dmp: 624KB
- memory/2820-132-0x0000000005D40000-0x00000000062E4000-memory.dmp: 5.6MB
- memory/2820-131-0x00000000749DE000-0x00000000749DF000-memory.dmp: 4KB
- memory/3136-139-0x0000000000400000-0x0000000000476000-memory.dmp: 472KB
- memory/3136-142-0x00000000055F0000-0x00000000055F1000-memory.dmp: 4KB
- memory/3136-141-0x00000000749DE000-0x00000000749DF000-memory.dmp: 4KB
- memory/3136-143-0x0000000007230000-0x00000000073F2000-memory.dmp: 1.8MB
- memory/3136-144-0x00000000055F3000-0x00000000055F5000-memory.dmp: 8KB