Analysis
- max time kernel: 155s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-05-2022 21:30

Static task: static1

Behavioral task: behavioral1
- Sample: Tax Invoices IN102738 IN102739 IN102740 (2).exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: Tax Invoices IN102738 IN102739 IN102740 (2).exe
- Resource: win10v2004-20220414-en
General
- Target: Tax Invoices IN102738 IN102739 IN102740 (2).exe
- Size: 867KB
- MD5: 1edc97d794a36b1e6c0c4757f56becad
- SHA1: 8ff5c4d412ac10443a79e02f80579c1d5f0c53e2
- SHA256: d2e9e5d1c73e145f6ca508dd8f1397ea4ce5fa1172468889f65133f0af0d08ea
- SHA512: e820ea714c71e671557e3e2b32c4c6690cd48f04cd3c5480cf4822a3acb51e522577fc3e500f7fe4b473f7c8a210987b36268ec8bcbe08c8f4766dc3f9876917
Malware Config
Extracted: matiex
- Protocol: smtp
- Host: srvc13.turhost.com
- Port: 587
- Username: [email protected]
- Password: italik2015
Signatures

Matiex Main Payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/2444-138-0x0000000000400000-0x0000000000476000-memory.dmp | family_matiex

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | Tax Invoices IN102738 IN102739 IN102740 (2).exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Tax Invoices IN102738 IN102739 IN102740 (2).exe
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Tax Invoices IN102738 IN102739 IN102740 (2).exe
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Tax Invoices IN102738 IN102739 IN102740 (2).exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
81 | checkip.dyndns.org
83 | freegeoip.app
84 | freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1004 set thread context of 2444 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | Tax Invoices IN102738 IN102739 IN102740 (2).exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
5024 | 2444 | WerFault.exe | Tax Invoices IN102738 IN102739 IN102740 (2).exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe
1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe
1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe
Token: SeDebugPrivilege | 2444 | Tax Invoices IN102738 IN102739 IN102740 (2).exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description | pid | process | target process
PID 1004 wrote to memory of 3568 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | schtasks.exe
PID 1004 wrote to memory of 3568 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | schtasks.exe
PID 1004 wrote to memory of 3568 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | schtasks.exe
PID 1004 wrote to memory of 2444 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | Tax Invoices IN102738 IN102739 IN102740 (2).exe
PID 1004 wrote to memory of 2444 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | Tax Invoices IN102738 IN102739 IN102740 (2).exe
PID 1004 wrote to memory of 2444 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | Tax Invoices IN102738 IN102739 IN102740 (2).exe
PID 1004 wrote to memory of 2444 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | Tax Invoices IN102738 IN102739 IN102740 (2).exe
PID 1004 wrote to memory of 2444 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | Tax Invoices IN102738 IN102739 IN102740 (2).exe
PID 1004 wrote to memory of 2444 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | Tax Invoices IN102738 IN102739 IN102740 (2).exe
PID 1004 wrote to memory of 2444 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | Tax Invoices IN102738 IN102739 IN102740 (2).exe
PID 1004 wrote to memory of 2444 | 1004 | Tax Invoices IN102738 IN102739 IN102740 (2).exe | Tax Invoices IN102738 IN102739 IN102740 (2).exe

outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Tax Invoices IN102738 IN102739 IN102740 (2).exe

outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Tax Invoices IN102738 IN102739 IN102740 (2).exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Tax Invoices IN102738 IN102739 IN102740 (2).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tax Invoices IN102738 IN102739 IN102740 (2).exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eRRgZe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C08.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Tax Invoices IN102738 IN102739 IN102740 (2).exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 2016
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2444 -ip 2444
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tax Invoices IN102738 IN102739 IN102740 (2).exe.log
  Filesize: 1KB
  MD5: 400f1cc1a0a0ce1cdabda365ab3368ce
  SHA1: 1ecf683f14271d84f3b6063493dce00ff5f42075
  SHA256: c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
  SHA512: 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45
- C:\Users\Admin\AppData\Local\Temp\tmp2C08.tmp
  Filesize: 1KB
  MD5: 67589ef7ded77b99dd02d13571db1556
  SHA1: 8fef20515b52eedc116d0dbf18675be54e34d1db
  SHA256: f28f5cf5b04eb54345d4061abd0a0aeed1ccadd650b135bd7188401edf65be24
  SHA512: aac3900f1f6e72ea03761977548d3aa75d1e577be3ee248c347d4a584def26362853d413db0662ed5f830d65b1f36ab00a63b2c75c879ab8d5ebe1a298dd4c91
- memory/1004-130-0x00000000006E0000-0x00000000007C2000-memory.dmp (Filesize: 904KB)
- memory/1004-131-0x0000000007F10000-0x00000000084B4000-memory.dmp (Filesize: 5.6MB)
- memory/1004-132-0x0000000007B00000-0x0000000007B92000-memory.dmp (Filesize: 584KB)
- memory/1004-133-0x0000000007AC0000-0x0000000007ACA000-memory.dmp (Filesize: 40KB)
- memory/1004-134-0x000000000A390000-0x000000000A42C000-memory.dmp (Filesize: 624KB)
- memory/2444-137-0x0000000000000000-mapping.dmp
- memory/2444-138-0x0000000000400000-0x0000000000476000-memory.dmp (Filesize: 472KB)
- memory/2444-140-0x0000000005060000-0x00000000050C6000-memory.dmp (Filesize: 408KB)
- memory/3568-135-0x0000000000000000-mapping.dmp