Analysis Overview
SHA256
23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a
Threat Level: Known bad
The file 23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a was found to be: Known bad.
Malicious Activity Summary
Matiex Main Payload
Matiex
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-20 02:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-20 02:58
Reported
2022-04-20 03:16
Platform
win7-20220414-en
Max time kernel
141s
Max time network
42s
Command Line
Signatures
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe
"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe
"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe
"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe
"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe
"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe
"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe
"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe
"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe
"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
Files
memory/2036-54-0x0000000075C01000-0x0000000075C03000-memory.dmp
memory/1668-55-0x0000000000000000-mapping.dmp
memory/2036-56-0x0000000000B10000-0x0000000000B3C000-memory.dmp
memory/1268-57-0x0000000000000000-mapping.dmp
memory/860-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml
| MD5 | ffb76264697abd63336aaca3b388a942 |
| SHA1 | 9488da856e01c993fe9f85daa45292f71d5c1dd4 |
| SHA256 | 45cc5439202830bfa6d966bb907714a9da40bc259470ffb5da8842f39083e54a |
| SHA512 | 03d394f92d5cf18071151c793088f2b495381fe93d152ad19b5eee3c8507bd1257751dc58fa889ab8035aa5bfe5b85f8b6f2ef02813b6d0b1d2553f12ffca582 |
memory/952-60-0x0000000000000000-mapping.dmp
memory/1624-62-0x0000000000000000-mapping.dmp
memory/952-63-0x0000000000B10000-0x0000000000B3C000-memory.dmp
memory/1596-64-0x0000000000000000-mapping.dmp
memory/320-66-0x0000000000000000-mapping.dmp
memory/1596-67-0x0000000000B10000-0x0000000000B3C000-memory.dmp
memory/1256-68-0x0000000000000000-mapping.dmp
memory/1348-70-0x0000000000000000-mapping.dmp
memory/1256-71-0x0000000000B10000-0x0000000000B3C000-memory.dmp
memory/568-72-0x0000000000000000-mapping.dmp
memory/580-74-0x0000000000000000-mapping.dmp
memory/568-75-0x0000000000B10000-0x0000000000B3C000-memory.dmp
memory/1724-76-0x0000000000000000-mapping.dmp
memory/1740-78-0x0000000000000000-mapping.dmp
memory/1724-79-0x0000000000B10000-0x0000000000B3C000-memory.dmp
memory/1472-80-0x0000000000000000-mapping.dmp
memory/1532-82-0x0000000000000000-mapping.dmp
memory/1472-83-0x0000000000B10000-0x0000000000B3C000-memory.dmp
memory/1488-84-0x0000000000000000-mapping.dmp
memory/1652-86-0x0000000000000000-mapping.dmp
memory/1488-87-0x0000000000B10000-0x0000000000B3C000-memory.dmp
memory/1672-88-0x0000000000000000-mapping.dmp
memory/1116-90-0x0000000000000000-mapping.dmp
memory/1672-91-0x0000000000B10000-0x0000000000B3C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-20 02:58
Reported
2022-04-20 03:16
Platform
win10v2004-20220414-en
Max time kernel
127s
Max time network
155s
Command Line
Signatures
Matiex
Matiex Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 456 set thread context of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe
"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 996 -ip 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 2100
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 188.114.96.0:443 | freegeoip.app | tcp |
| US | 20.189.173.13:443 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 95.101.78.209:80 | | tcp |
Files
memory/4432-130-0x0000000000000000-mapping.dmp
memory/456-131-0x00000000008B0000-0x00000000008DC000-memory.dmp
memory/4380-132-0x0000000000000000-mapping.dmp
memory/3976-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml
| MD5 | 57e80c1cd83971b009db6462dec561e8 |
| SHA1 | 9890fc3fc7b93bb9dce0c624486307cff2a26927 |
| SHA256 | e6cb647c0aee80cbac58f101ba47620657c8cd58f9a0aa91c6f8a4466e4ebc6f |
| SHA512 | acc99eb56c615f669ef933c34ae86a1ba41a5ea5108a211de14107293d0bea7eb45e317bdb9b833b1262a1022fa4aa4462f4f3c6a19fa9481320dbb75ee41dd6 |
memory/996-135-0x0000000000000000-mapping.dmp
memory/996-136-0x0000000000400000-0x0000000000476000-memory.dmp
memory/996-137-0x0000000004ED0000-0x0000000004F6C000-memory.dmp
memory/996-138-0x0000000004F70000-0x0000000004FD6000-memory.dmp
memory/996-139-0x0000000006420000-0x00000000069C4000-memory.dmp