Analysis
- max time kernel: 64s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-04-2022 02:31
Static task: static1
Behavioral task: behavioral1
- Sample: Payment.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Payment.exe
- Resource: win10v2004-20220414-en
General
- Target: Payment.exe
- Size: 741KB
- MD5: 60719dfa735801f3bd3f63b2998e7f76
- SHA1: b50765a9e7e5bf5667d1e81ca354e7da32d6990c
- SHA256: 128077c7c2616b13946e1356a9cf02b6b26433c68a211463eb89dc92cca802b8
- SHA512: b973f963f3fe880b41e6c821b25a62810b28f424f34bf8a894766f13ef5732671970ef5e788ce73ce358814aad87c0e4ec168d2a71713e4f6964b2a42897ebd1
Malware Config
Extracted: matiex
- Protocol: smtp
- Host: ebop.website
- Port: 587
- Username: [email protected]
- Password: P@ssw0rdP@ssw0rd
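The extracted config above hands over the exfiltration channel outright: mail submission to ebop.website on TCP 587 with a fixed mailbox credential. The script below is an added example, not part of the sandbox report, showing how to turn that block into network detections. It parses the report's flattened "Key: value - Key: value" line, then checks constructed Zeek-like DNS and connection records (the record layout, the RFC 5737 addresses and the traffic are this example's own) for lookups of the exfil host and for TCP connections to whatever that host resolved to on the configured port.

```python
import re
from dataclasses import dataclass

# The "Extracted" block exactly as the report prints it (copied from the page,
# including the report's redacted username placeholder).
RAW_CONFIG = ("Protocol: smtp- Host: ebop.website - Port: 587 - "
              "Username: [email protected] - Password: P@ssw0rdP@ssw0rd")

# One "Key: value" field; the value runs until the next " - Key:" or end of line.
_FIELD = re.compile(r"(\w+):\s*(.*?)\s*(?=-\s*\w+:|$)")


def parse_config(raw: str) -> dict:
    """Parse the flattened config line into {key: value} with lower-case keys."""
    return {k.lower(): v.strip(" -") for k, v in _FIELD.findall(raw)}


@dataclass(frozen=True)
class Alert:
    src: str      # internal host that triggered the alert
    reason: str


def find_exfil(cfg: dict, events: list) -> list:
    """Flag DNS lookups of the exfil host and TCP connections to it on the exfil port.

    `events` are constructed, Zeek-like records (this example's own layout):
      {"type": "dns",  "src": ip, "query": name, "answers": [ip, ...]}
      {"type": "conn", "src": ip, "dst": ip, "dport": int, "proto": "tcp"}
    The config only names a host, so connections are matched through the IPs
    that host resolved to; a first pass collects those so record order does
    not matter.
    """
    host = cfg["host"].lower()
    port = int(cfg["port"])
    resolved = {ip for ev in events if ev["type"] == "dns"
                and ev["query"].lower().rstrip(".") == host
                for ip in ev["answers"]}
    alerts = []
    for ev in events:
        if ev["type"] == "dns" and ev["query"].lower().rstrip(".") == host:
            alerts.append(Alert(ev["src"], f"DNS lookup of exfil host {host}"))
        elif (ev["type"] == "conn" and ev["proto"] == "tcp"
              and ev["dport"] == port and ev["dst"] in resolved):
            alerts.append(Alert(ev["src"],
                                f"{cfg['protocol']} to {host}:{port} via {ev['dst']}"))
    return alerts


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    {"type": "dns", "src": "10.0.0.5", "query": "checkip.dyndns.org", "answers": ["192.0.2.10"]},
    {"type": "conn", "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 587, "proto": "tcp"},
    {"type": "dns", "src": "10.0.0.5", "query": "ebop.website.", "answers": ["203.0.113.7"]},
    # Same server, different port: not the exfil channel described by the config.
    {"type": "conn", "src": "10.0.0.9", "dst": "203.0.113.7", "dport": 443, "proto": "tcp"},
    # Ordinary mail submission to an unrelated relay on 587.
    {"type": "conn", "src": "10.0.0.9", "dst": "198.51.100.4", "dport": 587, "proto": "tcp"},
]

if __name__ == "__main__":
    for a in find_exfil(parse_config(RAW_CONFIG), SAMPLE_EVENTS):
        print(a.src, a.reason)
```

Matching on the hostname rather than a hard-coded address is deliberate: the report gives no IP, and the mailbox can be re-pointed without touching the binary. Port 587 alone is not a useful indicator, since legitimate mail submission uses it too, which is why the connection rule also requires the destination to be one the exfil name resolved to.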
Signatures
- Matiex Main Payload (1 IoCs)
  resource: behavioral1/memory/1428-60-0x0000000000400000-0x0000000000472000-memory.dmp
  yara_rule: family_matiex
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 9: freegeoip.app
  flow 3: checkip.dyndns.org
  flow 8: freegeoip.app
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 860 (Payment.exe) set thread context of PID 1428 (RegAsm.exe)
  Read together with the WriteProcessMemory and MapViewOfSection events below, this is the process-hollowing pattern: Payment.exe starts the legitimate .NET utility RegAsm.exe with no arguments, writes into its memory and redirects a thread with SetThreadContext. That is why the Matiex YARA match lands on PID 1428's memory (0x400000-0x472000) rather than on Payment.exe, and why every later stealer action (Outlook profile access, SeDebugPrivilege) is attributed to RegAsm.exe.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  PID 860 Payment.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  PID 1428 RegAsm.exe: Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 860 (Payment.exe) wrote to memory of PID 1428 (RegAsm.exe), 8 times
- outlook_office_path (1 IoCs)
  Processes:
  RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoCs)
  Processes:
  RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
  PID: 860
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of PID 860)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 1428
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
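The process tree and signatures above describe one chain: a dropper in %TEMP% starts RegAsm.exe with no arguments, hollows it, and the hollowed process then opens Outlook profile keys and looks up the external IP. The script below is an added example, not part of the sandbox report, of host-side triage logic for that chain. It runs over constructed telemetry records whose layout is this example's own (process-create and DNS records resemble Sysmon events 1 and 22; the registry key-open record needs an EDR or API monitor, because Sysmon logs key creates, deletes and value sets, not opens). The set of .NET utilities to watch and the "trusted parent" directories are assumptions of this script, extending the single RegAsm.exe case the report shows.

```python
import re
from collections import defaultdict

# .NET framework utilities routinely hollowed by stealers (list assumed here;
# the report shows RegAsm.exe).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Where a genuine launcher of those utilities would normally live (assumption).
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")
# Outlook profile locations listed in the report (Office 15.0/16.0 and the
# Windows Messaging Subsystem path).
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\software\\microsoft\\(office\\\d+\.\d+\\outlook|"
    r"windows nt\\currentversion\\windows messaging subsystem)\\profiles\\",
    re.IGNORECASE)
# External-IP lookup services from the report's network flows.
IP_LOOKUP_HOSTS = {"freegeoip.app", "checkip.dyndns.org"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) image path."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return bool(m and m.group(1).strip())


def is_hollow_candidate(ev: dict) -> bool:
    """A .NET utility started with no arguments by a parent outside the system dirs."""
    return (ev["type"] == "proc"
            and _basename(ev["image"]) in DOTNET_HOSTS
            and not has_arguments(ev["cmdline"])
            and not ev["parent_image"].lower().startswith(TRUSTED_PARENT_DIRS))


def triage(events: list) -> dict:
    """Return {pid: [reasons]} for processes matching the chain; events in time order.

    Record layout (this example's own):
      {"type": "proc", "pid", "image", "cmdline", "parent_image"}  # like Sysmon event 1
      {"type": "reg",  "pid", "target"}                            # registry key open
      {"type": "dns",  "pid", "query"}                             # like Sysmon event 22
    Registry and DNS hits only count against a process already flagged as hollowed,
    so Outlook itself or a browser touching the same keys does not fire on its own.
    """
    findings = defaultdict(list)
    for ev in events:
        pid = ev["pid"]
        if is_hollow_candidate(ev):
            findings[pid].append(
                f"{_basename(ev['image'])} started without arguments by {ev['parent_image']}")
        elif ev["type"] == "reg" and pid in findings and OUTLOOK_PROFILE_KEY.search(ev["target"]):
            findings[pid].append("reads Outlook profile key " + ev["target"])
        elif ev["type"] == "dns" and pid in findings and ev["query"].lower() in IP_LOOKUP_HOSTS:
            findings[pid].append("external IP lookup via " + ev["query"])
    return dict(findings)


# Constructed events mirroring the report's process tree (PIDs 860 and 1428)
# plus a benign RegAsm.exe run for contrast.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 860, "image": r"C:\Users\Admin\AppData\Local\Temp\Payment.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Payment.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "proc", "pid": 1428, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Payment.exe"},
    {"type": "reg", "pid": 1428,
     "target": r"\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000"
               r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "dns", "pid": 1428, "query": "checkip.dyndns.org"},
    # Benign: a developer tool registering an assembly, with arguments, from Program Files.
    {"type": "proc", "pid": 2001, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase MyLib.dll',
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
    {"type": "dns", "pid": 2001, "query": "checkip.dyndns.org"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

The argument-less launch from a non-system parent is the anchor because it is visible in plain process-create telemetry, whereas the SetThreadContext and WriteProcessMemory calls the sandbox reports need API hooking or an EDR to see. Benign RegAsm.exe usage almost always carries an assembly path on the command line, which is what keeps the developer-tool record in the sample from firing.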