Analysis
-
max time kernel
148s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
14-04-2022 12:23
Static task
static1
Behavioral task
behavioral1
Sample
50208488 AEJEA 81890010169430.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
50208488 AEJEA 81890010169430.exe
Resource
win10v2004-20220331-en
General
-
Target
50208488 AEJEA 81890010169430.exe
-
Size
581KB
-
MD5
1b485e01e597352e81f18d2a828edee3
-
SHA1
09329b97c027cffbc9d34e5d49a3794b7209e246
-
SHA256
039b571653cbd974ebb9e8c37c048d0f9c4e5302db86a7400ed7a81708cb6c8c
-
SHA512
a124dbed4e5cc1809f9e473e2c0c84ddce944955ecb50adc8bf57f5134e0f282722a6a4ad23e62e2df333eaebe57878b0d40bae40867f24c9ec5efdb9b9ba53e
Malware Config
Extracted
matiex
Protocol: smtp- Host:
srvc13.turhost.com - Port:
587 - Username:
[email protected] - Password:
italik2015
Signatures
-
Matiex Main Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2472-126-0x0000000000400000-0x0000000000472000-memory.dmp family_matiex -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 17 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
50208488 AEJEA 81890010169430.exedescription pid process target process PID 4576 set thread context of 2472 4576 50208488 AEJEA 81890010169430.exe MSBuild.exe -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 4568 2472 WerFault.exe MSBuild.exe 4576 2472 WerFault.exe MSBuild.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
50208488 AEJEA 81890010169430.exepid process 4576 50208488 AEJEA 81890010169430.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid process Token: SeDebugPrivilege 2472 MSBuild.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
50208488 AEJEA 81890010169430.exeMSBuild.exedescription pid process target process PID 4576 wrote to memory of 2472 4576 50208488 AEJEA 81890010169430.exe MSBuild.exe PID 4576 wrote to memory of 2472 4576 50208488 AEJEA 81890010169430.exe MSBuild.exe PID 4576 wrote to memory of 2472 4576 50208488 AEJEA 81890010169430.exe MSBuild.exe PID 4576 wrote to memory of 2472 4576 50208488 AEJEA 81890010169430.exe MSBuild.exe PID 2472 wrote to memory of 4568 2472 MSBuild.exe WerFault.exe PID 2472 wrote to memory of 4568 2472 MSBuild.exe WerFault.exe PID 2472 wrote to memory of 4568 2472 MSBuild.exe WerFault.exe -
outlook_office_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
outlook_win_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2472 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 11283⤵
- Program crash
PID:4568 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 11283⤵
- Program crash
PID:4576
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2472 -ip 24721⤵PID:3764
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2472-125-0x0000000000000000-mapping.dmp
-
memory/2472-126-0x0000000000400000-0x0000000000472000-memory.dmpFilesize
456KB
-
memory/2472-127-0x00000000054F0000-0x000000000558C000-memory.dmpFilesize
624KB
-
memory/2472-128-0x0000000005B40000-0x00000000060E4000-memory.dmpFilesize
5.6MB
-
memory/2472-129-0x0000000005590000-0x00000000055F6000-memory.dmpFilesize
408KB
-
memory/4568-130-0x0000000000000000-mapping.dmp
-
memory/4576-124-0x0000000000B3D000-0x0000000000B40000-memory.dmpFilesize
12KB