Analysis
- max time kernel: 142s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:31

Static task: static1
Behavioral task: behavioral1
Sample: ADHOC RFQ-97571784.exe
Resource: win7-20220414-en
General
- Target: ADHOC RFQ-97571784.exe
- Size: 752KB
- MD5: 3b6a5dff660d98b9bf28fcd5d405f730
- SHA1: ff5edd294f28d909cdc7bda80d2c9cdb217684f0
- SHA256: 3cb6e41efa5dff6ef7957b9ae07c6b47f2ec35bc88889424d83ca3e96bcf3922
- SHA512: 3b031fbbbd6921659bd8ca68e50870128cb9e938552b72386c70a7288bf6b03a655da514f033f89d8a461019f8b54deb79a4a6c162989a052bdee81b5273fcee
Malware Config
Extracted
Family: matiex
- Protocol: smtp
- Host: mail.ecg-ingenieria.mx
- Port: 26
- Username: k1@ecg-ingenieria.mx
- Password: l,0lw1B3YNrK
Signatures
- Matiex Main Payload (1 IoCs)
  Processes:
  resource: behavioral2/memory/316-137-0x0000000000400000-0x0000000000472000-memory.dmp
  yara_rule: family_matiex
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow: 31
  ioc: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description: PID 3552 set thread context of 316
  pid: 3552
  process: ADHOC RFQ-97571784.exe
  target process: ADHOC RFQ-97571784.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege
  pid: 316
  process: ADHOC RFQ-97571784.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (8 identical entries):
  description: PID 3552 wrote to memory of 316
  pid: 3552
  process: ADHOC RFQ-97571784.exe
  target process: ADHOC RFQ-97571784.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ADHOC RFQ-97571784.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ADHOC RFQ-97571784.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ADHOC RFQ-97571784.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ADHOC RFQ-97571784.exe"
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADHOC RFQ-97571784.exe.log
  Filesize: 1KB
  MD5: 17573558c4e714f606f997e5157afaac
  SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
  SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
  SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
- memory/316-136-0x0000000000000000-mapping.dmp
- memory/316-137-0x0000000000400000-0x0000000000472000-memory.dmp
  Filesize: 456KB
- memory/316-139-0x0000000005040000-0x00000000050A6000-memory.dmp
  Filesize: 408KB
- memory/3552-130-0x0000000000EB0000-0x0000000000F74000-memory.dmp
  Filesize: 784KB
- memory/3552-131-0x0000000005900000-0x000000000599C000-memory.dmp
  Filesize: 624KB
- memory/3552-132-0x0000000005F50000-0x00000000064F4000-memory.dmp
  Filesize: 5.6MB
- memory/3552-133-0x0000000005A40000-0x0000000005AD2000-memory.dmp
  Filesize: 584KB
- memory/3552-134-0x00000000059B0000-0x00000000059BA000-memory.dmp
  Filesize: 40KB
- memory/3552-135-0x0000000005C10000-0x0000000005C66000-memory.dmp
  Filesize: 344KB