Analysis
- max time kernel: 102s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-05-2022 11:34
Static task: static1

Behavioral task: behavioral1
- Sample: 0900009090000.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 0900009090000.exe
- Resource: win10v2004-20220414-en (windows10-2004_x64)
- 0 signatures
- 0 seconds
General
- Target: 0900009090000.exe
- Size: 577KB
- MD5: a543084b74043d3373fe007ecf2924af
- SHA1: 0b06349a0f26179f6e5e43181e4d248ee8bab127
- SHA256: 6989ffe534c2303d7fcc4f5f8b81515a3d30a53ecb395a935bc46391de88b023
- SHA512: 57af1f424d02c4ba8f66a011b007b559e5cca570d8c3d630415b993544d2caddd9de3fe9ecec4d626142fca884512913ef6c9665b754e6b4a586d70852293a83
- Score: 10/10
Malware Config (Extracted)
- Family: matiex
- Credentials:
  - Protocol: smtp
  - Host: srvc13.turhost.com
  - Port: 587
  - Username: [email protected]
  - Password: italik2015
Signatures
- Matiex Main Payload (1 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/4192-132-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    22 | checkip.dyndns.org
    24 | freegeoip.app
    25 | freegeoip.app
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 3384 set thread context of 4192 | 3384 | 0900009090000.exe | MSBuild.exe
- Program crash (1 IoCs)
  Processes (pid | pid_target | process | target process):
    2080 | 4192 | WerFault.exe | MSBuild.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid | process):
    3384 | 0900009090000.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4192 | MSBuild.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
    PID 3384 wrote to memory of 4192 | 3384 | 0900009090000.exe | MSBuild.exe
    PID 3384 wrote to memory of 4192 | 3384 | 0900009090000.exe | MSBuild.exe
    PID 3384 wrote to memory of 4192 | 3384 | 0900009090000.exe | MSBuild.exe
    PID 3384 wrote to memory of 4192 | 3384 | 0900009090000.exe | MSBuild.exe
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0900009090000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"
  PID: 3384
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 4192
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1976
      PID: 2080
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4192 -ip 4192
  PID: 1280
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/3384-130-0x0000000000480000-0x00000000004A9000-memory.dmp (Filesize: 164KB)
- memory/4192-131-0x0000000000000000-mapping.dmp
- memory/4192-132-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/4192-133-0x0000000005370000-0x000000000540C000-memory.dmp (Filesize: 624KB)
- memory/4192-134-0x00000000059C0000-0x0000000005F64000-memory.dmp (Filesize: 5.6MB)
- memory/4192-135-0x0000000005410000-0x0000000005476000-memory.dmp (Filesize: 408KB)