Analysis
- max time kernel: 135s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-04-2022 02:31
Static task: static1
Behavioral task: behavioral1
- Sample: Payment.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Payment.exe
- Resource: win10v2004-20220414-en
General
- Target: Payment.exe
- Size: 741KB
- MD5: af90c71820ae43a15bc7e9b19a5756b5
- SHA1: 14c10d4943fbd06fa014a28e457f7c3559c276ae
- SHA256: c578f89d2e9d40571b7abb4839a07f019dcc3bfc37705ee8d9cccfe306432463
- SHA512: 9d58b08e2cffc7992cb0347a6ebc7969c7cb6d84b5f949ee25028c250f52cf0f9d2085739fed22081ca551e666277d35b87f170db17aea65b3388c5d0b46f7f5
Malware Config
Extracted family: matiex
- Protocol: smtp
- Host: ebop.website
- Port: 587
- Username: [email protected]
- Password: P@ssw0rdP@ssw0rd
Signatures
- Matiex Main Payload (1 IoC)
  Processes (resource / yara_rule):
  behavioral2/memory/3520-133-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  6 | checkip.dyndns.org
  10 | freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 3516 set thread context of 3520 | 3516 | Payment.exe | RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
  3516 | Payment.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege | 3520 | RegAsm.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 3516 wrote to memory of 3520 | 3516 | Payment.exe | RegAsm.exe
  PID 3516 wrote to memory of 3520 | 3516 | Payment.exe | RegAsm.exe
  PID 3516 wrote to memory of 3520 | 3516 | Payment.exe | RegAsm.exe
  PID 3516 wrote to memory of 3520 | 3516 | Payment.exe | RegAsm.exe
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
  PID: 3516
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 3520
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/3516-130-0x0000000000A10000-0x0000000000AD0000-memory.dmp (Filesize: 768KB)
- memory/3516-131-0x00000000054B0000-0x0000000005542000-memory.dmp (Filesize: 584KB)
- memory/3520-132-0x0000000000000000-mapping.dmp
- memory/3520-133-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/3520-134-0x0000000005A60000-0x0000000006004000-memory.dmp (Filesize: 5.6MB)
- memory/3520-135-0x00000000054B0000-0x000000000554C000-memory.dmp (Filesize: 624KB)
- memory/3520-136-0x0000000005420000-0x0000000005486000-memory.dmp (Filesize: 408KB)
- memory/3520-137-0x0000000006940000-0x0000000006B02000-memory.dmp (Filesize: 1.8MB)
- memory/3520-138-0x00000000067D0000-0x00000000067DA000-memory.dmp (Filesize: 40KB)