Analysis
-
max time kernel
47s -
max time network
81s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
02-05-2022 23:15
Static task
static1
Behavioral task
behavioral1
Sample
kart bilgisizzz.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
kart bilgisizzz.exe
Resource
win10v2004-20220414-en
General
-
Target
kart bilgisizzz.exe
-
Size
547KB
-
MD5
e403224181d35975467c43df34caaf3b
-
SHA1
e2af3fe3b2ff9ed604ea6ca40fc2a7e18fef7f64
-
SHA256
4c56e5f1863de0fa8fa4f2104de8d14a695eaa7e61158a71aeabef051cc025b1
-
SHA512
59bd3516ff72ba7b990e7d8b1b6951d3f07d8aa2958a7957642c91e2fc19191d577247849eb925bb6f20e6da4575175364d8304e2c49eca0a876a74f5249e392
Malware Config
Extracted
matiex
Protocol: smtp- Host:
srvc13.turhost.com - Port:
587 - Username:
[email protected] - Password:
italik2015
Signatures
-
Matiex Main Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1080-60-0x0000000000490000-0x0000000000506000-memory.dmp family_matiex behavioral1/memory/1080-61-0x0000000000490000-0x0000000000506000-memory.dmp family_matiex -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
kart bilgisizzz.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kart bilgisizzz.exe Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kart bilgisizzz.exe Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kart bilgisizzz.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
kart bilgisizzz.exedescription pid process target process PID 1932 set thread context of 1080 1932 kart bilgisizzz.exe kart bilgisizzz.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 280 1080 WerFault.exe kart bilgisizzz.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
kart bilgisizzz.exepid process 1932 kart bilgisizzz.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
kart bilgisizzz.exedescription pid process Token: SeDebugPrivilege 1080 kart bilgisizzz.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
kart bilgisizzz.execmd.exekart bilgisizzz.exedescription pid process target process PID 1932 wrote to memory of 1904 1932 kart bilgisizzz.exe cmd.exe PID 1932 wrote to memory of 1904 1932 kart bilgisizzz.exe cmd.exe PID 1932 wrote to memory of 1904 1932 kart bilgisizzz.exe cmd.exe PID 1932 wrote to memory of 1904 1932 kart bilgisizzz.exe cmd.exe PID 1932 wrote to memory of 1080 1932 kart bilgisizzz.exe kart bilgisizzz.exe PID 1932 wrote to memory of 1080 1932 kart bilgisizzz.exe kart bilgisizzz.exe PID 1932 wrote to memory of 1080 1932 kart bilgisizzz.exe kart bilgisizzz.exe PID 1932 wrote to memory of 1080 1932 kart bilgisizzz.exe kart bilgisizzz.exe PID 1932 wrote to memory of 1080 1932 kart bilgisizzz.exe kart bilgisizzz.exe PID 1904 wrote to memory of 1068 1904 cmd.exe schtasks.exe PID 1904 wrote to memory of 1068 1904 cmd.exe schtasks.exe PID 1904 wrote to memory of 1068 1904 cmd.exe schtasks.exe PID 1904 wrote to memory of 1068 1904 cmd.exe schtasks.exe PID 1080 wrote to memory of 280 1080 kart bilgisizzz.exe WerFault.exe PID 1080 wrote to memory of 280 1080 kart bilgisizzz.exe WerFault.exe PID 1080 wrote to memory of 280 1080 kart bilgisizzz.exe WerFault.exe PID 1080 wrote to memory of 280 1080 kart bilgisizzz.exe WerFault.exe -
outlook_office_path 1 IoCs
Processes:
kart bilgisizzz.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kart bilgisizzz.exe -
outlook_win_path 1 IoCs
Processes:
kart bilgisizzz.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kart bilgisizzz.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\kart bilgisizzz.exe"C:\Users\Admin\AppData\Local\Temp\kart bilgisizzz.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\14f76e838074406fa2328706f33416b2.xml"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\14f76e838074406fa2328706f33416b2.xml"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\kart bilgisizzz.exe"C:\Users\Admin\AppData\Local\Temp\kart bilgisizzz.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 11323⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\14f76e838074406fa2328706f33416b2.xmlFilesize
1KB
MD550c7d96141cdd50386ae866b74565f0f
SHA18cbadc1644145bf381f632d52acd1f1c0a5aceb6
SHA25656333f9ef9b66dbbc99f52ad5a04d7e1c3fad175f97a08628b5f4983b46e864d
SHA5120a42b3a240effb667ddccd8d2be0df4ff5c184108c10671b1b482b92ab9c2b51d5bf9930ba68fc74c0ab729846a4e83f5c5f6ef41c5fd0ca270e3d57e447aea7
-
memory/280-62-0x0000000000000000-mapping.dmp
-
memory/1068-56-0x0000000000000000-mapping.dmp
-
memory/1080-57-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/1080-55-0x000000000040188B-mapping.dmp
-
memory/1080-60-0x0000000000490000-0x0000000000506000-memory.dmpFilesize
472KB
-
memory/1080-61-0x0000000000490000-0x0000000000506000-memory.dmpFilesize
472KB
-
memory/1904-54-0x0000000000000000-mapping.dmp
-
memory/1932-58-0x000000000036B000-0x0000000000370000-memory.dmpFilesize
20KB