Analysis
-
max time kernel
168s -
max time network
176s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
08-05-2022 06:32
Static task
static1
Behavioral task
behavioral1
Sample
7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe
Resource
win7-20220414-en
General
-
Target
7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe
-
Size
187KB
-
MD5
3f6af7853bb4ccf152c7034aa908fa71
-
SHA1
698a08dc0ae407391b20b304f49e09bfd29c4193
-
SHA256
7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63
-
SHA512
2cfc51f46c0e97d1b28f9762fb7843c5bcbab8f01fadbc19c0760dea12391c95f6f7874ff29732bbaeec6eca251c15941d6e19152dcae024dec19d1d4675ec26
Malware Config
Extracted
matiex
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
Goodness123x
Signatures
-
Matiex Main Payload 7 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\ab.exe family_matiex \Users\Admin\AppData\Local\Temp\ab.exe family_matiex \Users\Admin\AppData\Local\Temp\ab.exe family_matiex \Users\Admin\AppData\Local\Temp\ab.exe family_matiex C:\Users\Admin\AppData\Local\Temp\ab.exe family_matiex C:\Users\Admin\AppData\Local\Temp\ab.exe family_matiex behavioral1/memory/1320-64-0x0000000000840000-0x00000000008B8000-memory.dmp family_matiex -
Executes dropped EXE 1 IoCs
Processes:
ab.exepid process 1320 ab.exe -
Loads dropped DLL 4 IoCs
Processes:
7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exepid process 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org 9 freegeoip.app 10 freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
ab.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 ab.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 ab.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ab.exedescription pid process Token: SeDebugPrivilege 1320 ab.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
DllHost.exepid process 1756 DllHost.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exedescription pid process target process PID 1876 wrote to memory of 1320 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe ab.exe PID 1876 wrote to memory of 1320 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe ab.exe PID 1876 wrote to memory of 1320 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe ab.exe PID 1876 wrote to memory of 1320 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe ab.exe PID 1876 wrote to memory of 1320 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe ab.exe PID 1876 wrote to memory of 1320 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe ab.exe PID 1876 wrote to memory of 1320 1876 7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe ab.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe"C:\Users\Admin\AppData\Local\Temp\7ab64e35c5907423159e5257e38154b671c88b9b96808ae73c8dff6b9ae9ed63.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\ab.exe"C:\Users\Admin\AppData\Local\Temp\ab.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1320
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
PID:1756
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ab.exeFilesize
454KB
MD5c3708a21241b7b529452b90d104e2cbf
SHA1b97239286634751f45fa86cc357690480b2215f8
SHA256f1da6dd79e65bc2ce30541256889af3f8916345debc3b1c4dfef918837d33f08
SHA512a7e757f3170ea73b1db42748cc76d5012b248ec6b3a44da7c59293878600bbece5f890a291b8d3385ee40d99e45e83255dbb43cb21d8b9dae382ea79a232e497
-
C:\Users\Admin\AppData\Local\Temp\ab.exeFilesize
454KB
MD5c3708a21241b7b529452b90d104e2cbf
SHA1b97239286634751f45fa86cc357690480b2215f8
SHA256f1da6dd79e65bc2ce30541256889af3f8916345debc3b1c4dfef918837d33f08
SHA512a7e757f3170ea73b1db42748cc76d5012b248ec6b3a44da7c59293878600bbece5f890a291b8d3385ee40d99e45e83255dbb43cb21d8b9dae382ea79a232e497
-
C:\Users\Admin\AppData\Local\Temp\pic.jpgFilesize
766B
MD5dcec80e653decab1b30a7d3f18eddf74
SHA12545818359c1c97f5fa0103462956ff2c3d569b4
SHA2562579763cf6a501f2e4d3fff981cb7531b934f76ae7e479703fd0fd80f3906afb
SHA5123330c807c99729b870ba0f9058d3c23a3dc8411bc5085f8a144a5959f7125c396f4e6b30ed5af2430d2c5bdfcc4ec3c8099b108ee7830931fa43c4387b78397b
-
\Users\Admin\AppData\Local\Temp\ab.exeFilesize
454KB
MD5c3708a21241b7b529452b90d104e2cbf
SHA1b97239286634751f45fa86cc357690480b2215f8
SHA256f1da6dd79e65bc2ce30541256889af3f8916345debc3b1c4dfef918837d33f08
SHA512a7e757f3170ea73b1db42748cc76d5012b248ec6b3a44da7c59293878600bbece5f890a291b8d3385ee40d99e45e83255dbb43cb21d8b9dae382ea79a232e497
-
\Users\Admin\AppData\Local\Temp\ab.exeFilesize
454KB
MD5c3708a21241b7b529452b90d104e2cbf
SHA1b97239286634751f45fa86cc357690480b2215f8
SHA256f1da6dd79e65bc2ce30541256889af3f8916345debc3b1c4dfef918837d33f08
SHA512a7e757f3170ea73b1db42748cc76d5012b248ec6b3a44da7c59293878600bbece5f890a291b8d3385ee40d99e45e83255dbb43cb21d8b9dae382ea79a232e497
-
\Users\Admin\AppData\Local\Temp\ab.exeFilesize
454KB
MD5c3708a21241b7b529452b90d104e2cbf
SHA1b97239286634751f45fa86cc357690480b2215f8
SHA256f1da6dd79e65bc2ce30541256889af3f8916345debc3b1c4dfef918837d33f08
SHA512a7e757f3170ea73b1db42748cc76d5012b248ec6b3a44da7c59293878600bbece5f890a291b8d3385ee40d99e45e83255dbb43cb21d8b9dae382ea79a232e497
-
\Users\Admin\AppData\Local\Temp\ab.exeFilesize
454KB
MD5c3708a21241b7b529452b90d104e2cbf
SHA1b97239286634751f45fa86cc357690480b2215f8
SHA256f1da6dd79e65bc2ce30541256889af3f8916345debc3b1c4dfef918837d33f08
SHA512a7e757f3170ea73b1db42748cc76d5012b248ec6b3a44da7c59293878600bbece5f890a291b8d3385ee40d99e45e83255dbb43cb21d8b9dae382ea79a232e497
-
memory/1320-60-0x0000000000000000-mapping.dmp
-
memory/1320-64-0x0000000000840000-0x00000000008B8000-memory.dmpFilesize
480KB
-
memory/1876-54-0x00000000763E1000-0x00000000763E3000-memory.dmpFilesize
8KB