Analysis
- max time kernel: 154s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 19-03-2022 18:52
Static task: static1
Behavioral task: behavioral1
  Sample: 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
  Resource: win7-20220310-en
Behavioral task: behavioral2
  Sample: 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
  Resource: win10v2004-en-20220113
General
- Target: 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
- Size: 683KB
- MD5: bea5d9869f018062424e73d5f1fb5574
- SHA1: daf7c7abbb95a3fb26f7079555cafa469b97da76
- SHA256: 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc
- SHA512: 4408346da6fcfd9218f4febd3d2be612d819eb7cfb1868b01c78bf22e2dbbea0a7578300de9ded99ba78f37644a82857b7f3da6f6a3a7b31754de8812794cc71
Malware Config
Extracted
- Protocol: smtp
- Host: mail.zavidovici.ba
- Port: 587
- Username: [email protected]
- Password: 12Opc21!
Extracted (family: matiex)
- Protocol: smtp
- Host: mail.zavidovici.ba
- Port: 587
- Username: [email protected]
- Password: 12Opc21!
Signatures
- Matiex Main Payload (1 IoC)
  YARA match:
    resource: behavioral2/memory/4080-143-0x0000000000400000-0x0000000000476000-memory.dmp
    yara_rule: family_matiex
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow 37: freegeoip.app
    flow 38: freegeoip.app
    flow 35: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Process: 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
    PID 4200 (2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe) set thread context of PID 4080 (2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe)
- Modifies data under HKEY_USERS (1 IoC)
  Process: svchost.exe
    Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe (PID 4200, 4 events), 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe (PID 4080, 1 event)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege, PID 4200, 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
    Token: SeDebugPrivilege, PID 4080, 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
    PID 4200 (2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe) wrote to memory of PID 3680 (2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe): 3 events
    PID 4200 (2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe) wrote to memory of PID 832 (2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe): 3 events
    PID 4200 (2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe) wrote to memory of PID 4080 (2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe): 8 events
    PID 4080 (2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe) wrote to memory of PID 448 (netsh.exe): 3 events
- outlook_office_path (1 IoC)
  Process: 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: 2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe"
  Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe
    Command line: "{path}"
    Signatures:
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
    Child processes:
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  Signatures:
    - Modifies data under HKEY_USERS
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2f9a2aefb5643411a8c28b48c23e60463a120ddf2311ae72d3dfab9148aa54cc.exe.log
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- memory/2752-139-0x0000011E91360000-0x0000011E91370000-memory.dmp (Filesize: 64KB)
- memory/2752-141-0x0000011E91FB0000-0x0000011E91FB4000-memory.dmp (Filesize: 16KB)
- memory/2752-140-0x0000011E91C60000-0x0000011E91C70000-memory.dmp (Filesize: 64KB)
- memory/4080-145-0x0000000004E90000-0x0000000004EF6000-memory.dmp (Filesize: 408KB)
- memory/4080-143-0x0000000000400000-0x0000000000476000-memory.dmp (Filesize: 472KB)
- memory/4080-147-0x0000000005090000-0x0000000005091000-memory.dmp (Filesize: 4KB)
- memory/4080-146-0x0000000075210000-0x00000000759C0000-memory.dmp (Filesize: 7.7MB)
- memory/4080-148-0x00000000063C0000-0x0000000006582000-memory.dmp (Filesize: 1.8MB)
- memory/4200-138-0x0000000007EC0000-0x0000000008464000-memory.dmp (Filesize: 5.6MB)
- memory/4200-137-0x0000000007ED0000-0x0000000007EDA000-memory.dmp (Filesize: 40KB)
- memory/4200-136-0x0000000007F60000-0x0000000007FF2000-memory.dmp (Filesize: 584KB)
- memory/4200-135-0x0000000008470000-0x0000000008A14000-memory.dmp (Filesize: 5.6MB)
- memory/4200-142-0x000000000A7F0000-0x000000000A88C000-memory.dmp (Filesize: 624KB)
- memory/4200-134-0x0000000075210000-0x00000000759C0000-memory.dmp (Filesize: 7.7MB)
- memory/4200-133-0x0000000000F90000-0x0000000001042000-memory.dmp (Filesize: 712KB)