Analysis
- max time kernel: 150s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 14-04-2022 12:22
Static task: static1
Behavioral task: behavioral1
- Sample: M097508E2-20F2-4C2C-879A.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: M097508E2-20F2-4C2C-879A.exe
- Resource: win10v2004-20220331-en
General
- Target: M097508E2-20F2-4C2C-879A.exe
- Size: 709KB
- MD5: 13f08d08bbaa99bfd4cf481cf682bd7d
- SHA1: 210fce69f4278eb3f9e2574eb1d3fd7febe8212c
- SHA256: d32af58205d0773daf139d13738f918e03f4d30439086b6eda0dfceef3369b58
- SHA512: 4483ba364a7525b2c8a6e2154a9d166873aba8ea1fa717c06aa90db7c1d540e317425cc33c254fbf41cd26cad2eb196c093b86d5c3e0c9c6fed358795d357330
Malware Config
Extracted: matiex
- Protocol: smtp
- Host: srvc13.turhost.com
- Port: 587
- Username: [email protected]
- Password: italik2015
Signatures
- Matiex Main Payload (1 IoC)
  resource: behavioral2/memory/4124-126-0x0000000000400000-0x0000000000472000-memory.dmp
  yara_rule: family_matiex
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process MSBuild.exe opened the following keys:
  - \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 66: freegeoip.app
  - flow 53: checkip.dyndns.org
  - flow 65: freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  PID 4588 (M097508E2-20F2-4C2C-879A.exe) set thread context of PID 4124 (MSBuild.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 4124 (MSBuild.exe)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4588 (M097508E2-20F2-4C2C-879A.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4124 (MSBuild.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  - PID 4588 (M097508E2-20F2-4C2C-879A.exe) wrote to memory of PID 4124 (MSBuild.exe), 4 entries
  - PID 4124 (MSBuild.exe) wrote to memory of PID 2088 (netsh.exe), 3 entries
- outlook_office_path (1 IoC)
  MSBuild.exe opened key \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  MSBuild.exe opened key \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2, child of the sample)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe (depth 3, child of MSBuild.exe)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2088-130-0x0000000000000000-mapping.dmp
- memory/4124-125-0x0000000000000000-mapping.dmp
- memory/4124-126-0x0000000000400000-0x0000000000472000-memory.dmp (456KB)
- memory/4124-127-0x0000000005750000-0x00000000057EC000-memory.dmp (624KB)
- memory/4124-128-0x0000000005E60000-0x0000000006404000-memory.dmp (5.6MB)
- memory/4124-129-0x00000000058B0000-0x0000000005916000-memory.dmp (408KB)
- memory/4124-131-0x0000000006CB0000-0x0000000006E72000-memory.dmp (1.8MB)
- memory/4588-124-0x0000000000F3D000-0x0000000000F40000-memory.dmp (12KB)