Analysis
max time kernel: 45s
max time network: 83s
platform: windows7_x64
resource: win7-20220414-en
submitted: 04-05-2022 05:15
Static task: static1
Behavioral task: behavioral1
  Sample: 9de7dfa28d29ec429826e3b47b99abf8.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9de7dfa28d29ec429826e3b47b99abf8.exe
  Resource: win10v2004-20220414-en
General
Target: 9de7dfa28d29ec429826e3b47b99abf8.exe
Size: 435KB
MD5: 9de7dfa28d29ec429826e3b47b99abf8
SHA1: 74be01d8ee6e05afa47f770c25f5c8d1bcb0bac5
SHA256: 18ea09f41d879689cd0da5ba64dd8c4a087702801e618b942a65c0e76c0447ca
SHA512: 2349642083b8e7d3d86f49957a4e436493f3b401dcf5b59a5a8b74c33af745b4c0e25f785ed7ed9f111f5617c8e65bc78e560c9477ee069c4249be3446e526ef
Malware Config
Extracted
Family: matiex
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: Megatrone1
Signatures

Matiex Main Payload (1 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1828-54-0x0000000000DA0000-0x0000000000E14000-memory.dmp | family_matiex
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9de7dfa28d29ec429826e3b47b99abf8.exe
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9de7dfa28d29ec429826e3b47b99abf8.exe
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9de7dfa28d29ec429826e3b47b99abf8.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | checkip.dyndns.org
7 | freegeoip.app
8 | freegeoip.app
Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
1548 | 1828 | WerFault.exe | 9de7dfa28d29ec429826e3b47b99abf8.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1828 | 9de7dfa28d29ec429826e3b47b99abf8.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 1828 wrote to memory of 1548 | 1828 | 9de7dfa28d29ec429826e3b47b99abf8.exe | WerFault.exe
PID 1828 wrote to memory of 1548 | 1828 | 9de7dfa28d29ec429826e3b47b99abf8.exe | WerFault.exe
PID 1828 wrote to memory of 1548 | 1828 | 9de7dfa28d29ec429826e3b47b99abf8.exe | WerFault.exe
PID 1828 wrote to memory of 1548 | 1828 | 9de7dfa28d29ec429826e3b47b99abf8.exe | WerFault.exe
outlook_office_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9de7dfa28d29ec429826e3b47b99abf8.exe
outlook_win_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9de7dfa28d29ec429826e3b47b99abf8.exe
Processes
C:\Users\Admin\AppData\Local\Temp\9de7dfa28d29ec429826e3b47b99abf8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9de7dfa28d29ec429826e3b47b99abf8.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1780
    - Program crash