Analysis
- max time kernel: 149s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-05-2022 15:48

Static task: static1

Behavioral task: behavioral1
- Sample: f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe
- Resource: win10v2004-20220414-en
General
- Target: f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe
- Size: 579KB
- MD5: f9061b35c7ed637323aac46c5d15d002
- SHA1: 797b13720bbc9ae30134fb421941e02ba73d7bd4
- SHA256: f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782
- SHA512: da07e25ae000328dce3ae94e1e8ef7737813767975d400bfceabcc0fb63c75582b274cc07724295e1ff675d9f69c69885946dc276ebd4c8554b4819ce54f2408
Malware Config
Extracted
- Family: matiex
- Protocol: smtp
- Host: smtp.porkbun.com
- Port: 587
- Username: info@wholesalesltd.xyz
- Password: godisable147
Signatures
- Matiex Main Payload (3 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\tmp.exe | family_matiex
  C:\Users\Admin\AppData\Local\Temp\tmp.exe | family_matiex
  behavioral2/memory/4356-137-0x0000000000160000-0x00000000001D0000-memory.dmp | family_matiex

- Executes dropped EXE (2 IoCs)
  pid | process
  4356 | tmp.exe
  4720 | svhost.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svhost.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | tmp.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | tmp.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | tmp.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svhost.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svhost.exe

- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  41 | checkip.dyndns.org
  52 | freegeoip.app
  53 | freegeoip.app
  54 | freegeoip.app

- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 4352 set thread context of 4720 | 4352 | f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe | svhost.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- NTFS ADS (1 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | cmd.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  4352 | f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe
  4352 | f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4352 | f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe
  Token: SeDebugPrivilege | 4720 | svhost.exe
  Token: SeDebugPrivilege | 4356 | tmp.exe

- Suspicious use of WriteProcessMemory (23 IoCs; repeated rows collapsed with a count)
  description | pid | process | target process | count
  PID 4352 wrote to memory of 4356 | 4352 | f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe | tmp.exe | x3
  PID 4352 wrote to memory of 4720 | 4352 | f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe | svhost.exe | x8
  PID 4352 wrote to memory of 2296 | 4352 | f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe | cmd.exe | x3
  PID 4352 wrote to memory of 2316 | 4352 | f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe | cmd.exe | x3
  PID 2316 wrote to memory of 3696 | 2316 | cmd.exe | reg.exe | x3
  PID 4352 wrote to memory of 2476 | 4352 | f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe | cmd.exe | x3

- outlook_office_path (1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svhost.exe

- outlook_win_path (1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svhost.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\svhost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782.exe" "%temp%\FolderN\name.exe" /Y

  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    - NTFS ADS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
  Filesize: 579KB
  MD5: f9061b35c7ed637323aac46c5d15d002
  SHA1: 797b13720bbc9ae30134fb421941e02ba73d7bd4
  SHA256: f9bf4cfd9b01450f92f9b0e1e329fdf4b31b234f60607b626a258aa6cbf40782
  SHA512: da07e25ae000328dce3ae94e1e8ef7737813767975d400bfceabcc0fb63c75582b274cc07724295e1ff675d9f69c69885946dc276ebd4c8554b4819ce54f2408

- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 256KB
  MD5: 8fdf47e0ff70c40ed3a17014aeea4232
  SHA1: e6256a0159688f0560b015da4d967f41cbf8c9bd
  SHA256: ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
  SHA512: bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Filesize: 425KB
  MD5: 34e884a790a7ef67f7c61108e2b9a177
  SHA1: 6ad5021f86a6d361a9771001a506ff8b8bf1930a
  SHA256: 5f1ce1d8e909e4fc999dd5a1fea71103cff35e075750117c8d9e3ec5045f09f0
  SHA512: 79e5fcd411321f1b09b67cc36a2dbeaf88731bd1ebf41cf53d21ed4d7f476b7193c40c33dcc652d707240ec45818b730732465c2a4a329c8ea7dd4d020aea2e8
- memory/2296-143-0x0000000000000000-mapping.dmp
- memory/2316-144-0x0000000000000000-mapping.dmp
- memory/2476-147-0x0000000000000000-mapping.dmp
- memory/3696-145-0x0000000000000000-mapping.dmp
- memory/4352-130-0x00000000006A0000-0x0000000000736000-memory.dmp (Filesize: 600KB)
- memory/4352-133-0x00000000051E0000-0x0000000005272000-memory.dmp (Filesize: 584KB)
- memory/4352-132-0x0000000005880000-0x0000000005E24000-memory.dmp (Filesize: 5.6MB)
- memory/4352-131-0x00000000050A0000-0x000000000513C000-memory.dmp (Filesize: 624KB)
- memory/4356-134-0x0000000000000000-mapping.dmp
- memory/4356-138-0x0000000004C30000-0x0000000004C96000-memory.dmp (Filesize: 408KB)
- memory/4356-137-0x0000000000160000-0x00000000001D0000-memory.dmp (Filesize: 448KB)
- memory/4356-148-0x0000000006350000-0x0000000006512000-memory.dmp (Filesize: 1.8MB)
- memory/4356-149-0x0000000006210000-0x000000000621A000-memory.dmp (Filesize: 40KB)
- memory/4720-139-0x0000000000000000-mapping.dmp