Analysis
- max time kernel: 145s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:47
Static task: static1

Behavioral tasks (this page reports behavioral2, PO.exe on win10v2004-20220414-en, the resource named in the Analysis block above and in the yara hit below):
- behavioral1: sample PO.exe, resource win7-20220414-en
- behavioral2: sample PO.exe, resource win10v2004-20220414-en
- behavioral3: sample new PO.exe, resource win7-20220414-en
- behavioral4: sample new PO.exe, resource win10v2004-20220414-en
- behavioral5: sample req.exe, resource win7-20220414-en
- behavioral6: sample req.exe, resource win10v2004-20220414-en
General
- Target: PO.exe
- Size: 1.6MB
- MD5: e34037661a1608c722e5264797b2eecf
- SHA1: 2c02034a6d91d9e2b21504a4bec82ec36d7bdd5d
- SHA256: fc1ca8b0fe8eab2d98c0f0e7ad37108f836fff77b50e393cf5dee61b7e4e6eb0
- SHA512: 4fec9aa1afe6a414a18998dd2bb867599330baef5fce02f553823f372b7d81a4006287daefc96a8fa197fe579989ec49d1c73c5034d1c48317e3f4d70e5d44df
Malware Config
Extracted family: matiex
- Protocol: smtp
- Host: mail.indiaflanges.com
- Port: 587
- Username: mum@indiaflanges.com
- Password: indflng&#%321

These are the SMTP credentials the stealer uses to mail collected data out. Because they are embedded in the sample, every victim of this build reports to the same mailbox; outbound TCP/587 from a workstation to mail.indiaflanges.com is the network IoC to block and alert on, and the account itself should be reported to the mail provider.
Signatures

- Matiex Main Payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/5080-152-0x0000000000400000-0x0000000000470000-memory.dmp | family_matiex

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO.exe\"" | PO.exe
  Winlogon\Shell is a comma-separated list of programs started at logon. The sample keeps explorer.exe first and appends its own path, so the desktop still loads normally; any value in this key other than plain explorer.exe is a finding.

- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.exe | PO.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.exe | PO.exe

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PO.exe" | PO.exe
  Three independent autostart paths (Winlogon Shell, the Run key and the Startup folder) all point at the copy in the user's Temp directory; removing only one of them leaves the sample persistent.

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  14 | checkip.dyndns.org

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2164 set thread context of 5080 | 2164 | PO.exe | PO.exe
  Read together with the eight WriteProcessMemory calls from 2164 into 5080 below and the family_matiex yara match on the 0x400000-0x470000 region of PID 5080, this is process hollowing: the dropper starts a second copy of its own image, writes the Matiex payload into it and redirects a thread into that code with SetThreadContext.

- Program crash (1 IoC)
  pid | pid_target | process | target process
  648 | 5080 | WerFault.exe | PO.exe
  The crash is in the hollowed process, so anything the payload would have done after this point is not recorded in this run.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process | count
  3892 | powershell.exe | 2
  2164 | PO.exe | 2

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3892 | powershell.exe
  Token: SeDebugPrivilege | 2164 | PO.exe
  Token: SeDebugPrivilege | 5080 | PO.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | process | target process | count
  PID 2164 wrote to memory of 3892 | 2164 | PO.exe | powershell.exe | 3
  PID 2164 wrote to memory of 1172 | 2164 | PO.exe | PO.exe | 3
  PID 2164 wrote to memory of 5080 | 2164 | PO.exe | PO.exe | 8

- outlook_office_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe

- outlook_win_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO.exe
Processes
(process tree as recorded by the sandbox; indentation is the tree depth, PIDs are taken from the Signatures tables above)

- C:\Users\Admin\AppData\Local\Temp\PO.exe (PID 2164)
  command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  - Modifies WinLogon for persistence
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3892)
    command line: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Get-MpPreference reads the Windows Defender configuration (real-time protection state, exclusions and so on); no Set-MpPreference call is recorded in this run, so this is a query of the defences, not a change to them.
  - C:\Users\Admin\AppData\Local\Temp\PO.exe (PID 1172)
    command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  - C:\Users\Admin\AppData\Local\Temp\PO.exe (PID 5080, target of the SetThreadContext and WriteProcessMemory IoCs)
    command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe (PID 648)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1712
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 5080 -ip 5080
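A triage script for the Signatures tables and process tree above, added here as an example (it is not part of the sandbox report and not code from the Matiex sample). It parses the IoC lines in the exact text form the report prints them, flags the three persistence mechanisms, and recognises the pairing of WriteProcessMemory and SetThreadContext into a child of the same image as process hollowing. The rule names, the list of user-writable directories and the IoC lists assembled at the top are the example's own choices; the IoC text itself is copied from the report.

```python
"""Triage of the persistence and injection IoCs in the Signatures tables above.
Added example, not code from the sandbox or from the sample."""
import ntpath
import re
from collections import defaultdict

# IoC lines as the report prints them (lists assembled here; the text is the report's).
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO.exe\"" PO.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PO.exe" PO.exe',
]
FILE_IOCS = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.exe PO.exe",
    r"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.exe PO.exe",
]
INJECTION_IOCS = (
    ["PID 2164 set thread context of 5080 2164 PO.exe PO.exe"]
    + ["PID 2164 wrote to memory of 3892 2164 PO.exe powershell.exe"] * 3
    + ["PID 2164 wrote to memory of 1172 2164 PO.exe PO.exe"] * 3
    + ["PID 2164 wrote to memory of 5080 2164 PO.exe PO.exe"] * 8
)

_REG = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
_FILE = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>.+) (?P<proc>\S+)$")
_INJ = re.compile(r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
                  r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$")

# Directories any user can write to (example's own list); an autostart entry pointing
# into one of them is a finding regardless of the file name.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                      "\\users\\public\\", "\\windows\\temp\\")
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"


def parse_registry_ioc(line):
    """Key, unescaped value and process of a 'Set value' IoC (the report escapes \\ and \")."""
    m = _REG.match(line)
    if not m:
        return None
    value = m["value"].replace('\\"', '"').replace("\\\\", "\\")
    return {"key": m["key"], "value": value, "process": m["proc"]}


def is_user_writable(path):
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def assess_persistence(lines):
    """Flag Winlogon Shell hijack, Run keys in user-writable dirs and Startup-folder drops."""
    findings = []
    for line in lines:
        reg = parse_registry_ioc(line)
        if reg:
            key = reg["key"].lower()
            if key.endswith("\\winlogon\\shell"):
                # Shell is a comma-separated program list; anything but explorer.exe is foreign.
                entries = [e.strip().strip('"') for e in reg["value"].split(",")]
                extra = [e for e in entries if ntpath.basename(e).lower() != "explorer.exe"]
                if extra:
                    findings.append({"rule": "winlogon_shell_hijack", "paths": extra, "process": reg["process"]})
            elif "\\currentversion\\run\\" in key:
                path = reg["value"].strip('"')
                if is_user_writable(path):
                    findings.append({"rule": "run_key_in_user_writable_dir", "paths": [path], "process": reg["process"]})
            continue
        f = _FILE.match(line)
        if f and f["op"] == "created" and STARTUP_FOLDER in f["path"].lower():
            findings.append({"rule": "startup_folder_drop", "paths": [f["path"]], "process": f["proc"]})
    return findings


def find_hollowing(lines):
    """Targets that got both WriteProcessMemory and SetThreadContext from a parent of the
    same image: the process-hollowing pattern the report shows for PID 5080."""
    targets = defaultdict(lambda: {"source": None, "same_image": False,
                                   "writes": 0, "thread_context": False})
    for line in lines:
        m = _INJ.match(line)
        if not m:
            continue
        t = targets[int(m["dst"])]
        t["source"] = int(m["src"])
        t["same_image"] = m["src_img"].lower() == m["dst_img"].lower()
        if m["op"].startswith("wrote"):
            t["writes"] += 1
        else:
            t["thread_context"] = True
    return {pid: t for pid, t in targets.items()
            if t["thread_context"] and t["writes"] and t["same_image"]}


if __name__ == "__main__":
    for f in assess_persistence(REGISTRY_IOCS + FILE_IOCS):
        print(f["rule"], f["paths"], "by", f["process"])
    for pid, t in find_hollowing(INJECTION_IOCS).items():
        print(f"PID {pid}: hollowed by PID {t['source']} after {t['writes']} writes")
```

The write into powershell.exe (PID 3892) is deliberately not reported by find_hollowing: it has no SetThreadContext and the images differ, which is how a parent normally hands a command line to a child it spawned. Only the same-image target that also had a thread redirected into it meets the hollowing test.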
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log (1KB)
  This is the usage log the .NET Framework 4 runtime writes for a 32-bit process, so PO.exe ran as a 32-bit .NET assembly.
  MD5: 5e0481f7489586ad6ae78d35e8458859
  SHA1: 626e76ef7c85ea8ac9a73cfb13fbf450a4dfd26d
  SHA256: d2ebbffea1f8401bcbe56591b9e566fd40a55463464ebf30f24c4be8fd2716ec
  SHA512: b15301044d3862c07cbe72114c7b9792a2d345312236bac51831a6a6bf4a77acbc047b3dff030cff706d5de194679ee33e283b9c9c38c4e7785a653cc4674b36

Memory dumps (name encodes pid-index-start-end; grouped by PID in dump order):

PID 1172 (PO.exe)
- memory/1172-150-0x0000000000000000-mapping.dmp

PID 2164 (PO.exe, parent)
- memory/2164-130-0x0000000000590000-0x000000000072E000-memory.dmp (1.6MB)
- memory/2164-131-0x0000000005090000-0x000000000512C000-memory.dmp (624KB)
- memory/2164-132-0x00000000057A0000-0x0000000005D44000-memory.dmp (5.6MB)

PID 3892 (powershell.exe)
- memory/3892-133-0x0000000000000000-mapping.dmp
- memory/3892-134-0x00000000024A0000-0x00000000024D6000-memory.dmp (216KB)
- memory/3892-135-0x0000000004EC0000-0x00000000054E8000-memory.dmp (6.2MB)
- memory/3892-136-0x0000000004DC0000-0x0000000004DE2000-memory.dmp (136KB)
- memory/3892-137-0x0000000005660000-0x00000000056C6000-memory.dmp (408KB)
- memory/3892-138-0x0000000005740000-0x00000000057A6000-memory.dmp (408KB)
- memory/3892-139-0x0000000005DE0000-0x0000000005DFE000-memory.dmp (120KB)
- memory/3892-140-0x0000000006D90000-0x0000000006DC2000-memory.dmp (200KB)
- memory/3892-141-0x00000000704F0000-0x000000007053C000-memory.dmp (304KB)
- memory/3892-142-0x00000000063A0000-0x00000000063BE000-memory.dmp (120KB)
- memory/3892-143-0x0000000007720000-0x0000000007D9A000-memory.dmp (6.5MB)
- memory/3892-144-0x00000000070E0000-0x00000000070FA000-memory.dmp (104KB)
- memory/3892-145-0x0000000007150000-0x000000000715A000-memory.dmp (40KB)
- memory/3892-146-0x0000000007360000-0x00000000073F6000-memory.dmp (600KB)
- memory/3892-147-0x0000000007310000-0x000000000731E000-memory.dmp (56KB)
- memory/3892-148-0x0000000007420000-0x000000000743A000-memory.dmp (104KB)
- memory/3892-149-0x0000000007400000-0x0000000007408000-memory.dmp (32KB)

PID 5080 (PO.exe, target of the SetThreadContext and WriteProcessMemory IoCs)
- memory/5080-151-0x0000000000000000-mapping.dmp
- memory/5080-152-0x0000000000400000-0x0000000000470000-memory.dmp (448KB; the region the family_matiex yara rule matched, starting at the default 32-bit image base)
- memory/5080-154-0x0000000006890000-0x0000000006A52000-memory.dmp (1.8MB)
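An added example (not part of the report) for working with the memory-dump list above: it parses the dump names into PID, index and address range, recomputes the sizes the report shows, and picks out the dump that carries the injected payload, that is the region of the SetThreadContext target (PID 5080) that starts at the default 32-bit image base 0x400000, which is also the dump the family_matiex yara rule matched. The DUMP_NAMES list is a subset of the names above assembled for the example; the 0x400000 default and the size rendering are the example's own assumptions.

```python
"""Parse the sandbox's memory-dump names and locate the hollowed-in payload.
Added example; not code from the sandbox."""
import re

# Subset of the dump names listed above (assembled here; the names are the report's).
DUMP_NAMES = [
    "memory/1172-150-0x0000000000000000-mapping.dmp",
    "memory/2164-130-0x0000000000590000-0x000000000072E000-memory.dmp",
    "memory/2164-131-0x0000000005090000-0x000000000512C000-memory.dmp",
    "memory/2164-132-0x00000000057A0000-0x0000000005D44000-memory.dmp",
    "memory/3892-133-0x0000000000000000-mapping.dmp",
    "memory/3892-135-0x0000000004EC0000-0x00000000054E8000-memory.dmp",
    "memory/5080-151-0x0000000000000000-mapping.dmp",
    "memory/5080-152-0x0000000000400000-0x0000000000470000-memory.dmp",
    "memory/5080-154-0x0000000006890000-0x0000000006A52000-memory.dmp",
]
# Resource string of the family_matiex yara hit in the Signatures section.
YARA_HIT = "behavioral2/memory/5080-152-0x0000000000400000-0x0000000000470000-memory.dmp"

# <task>/memory/<pid>-<index>-<start>-<end>-memory.dmp, or ...-<start>-mapping.dmp
_DUMP = re.compile(
    r"^(?:\w+/)?memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp$"
)


def parse_dump(name):
    """Decode one dump name; mapping dumps carry no end address and get size 0."""
    m = _DUMP.match(name)
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"name": name, "pid": int(m["pid"]), "index": int(m["idx"]),
            "kind": "memory" if end is not None else "mapping",
            "start": start, "end": end, "size": (end - start) if end is not None else 0}


def human_size(size):
    """Render a byte count the way the report does: KB below 1 MiB, else MB to one decimal."""
    return f"{size / 2**20:.1f}MB" if size >= 2**20 else f"{size // 1024}KB"


def dumps_for_pid(names, pid):
    parsed = [d for d in map(parse_dump, names) if d and d["pid"] == pid]
    return sorted(parsed, key=lambda d: d["index"])


def payload_candidates(names, hollowed_pid, image_base=0x400000):
    """Memory dumps of the hollowed process whose region starts at the image base
    (0x400000 is the default linker base of a 32-bit PE; assumption of this example)."""
    return [d["name"] for d in dumps_for_pid(names, hollowed_pid)
            if d["kind"] == "memory" and d["start"] == image_base]


def summarize(names):
    lines = []
    for d in filter(None, map(parse_dump, names)):
        size = human_size(d["size"]) if d["kind"] == "memory" else "mapping, no range"
        lines.append(f"PID {d['pid']} #{d['index']}: {size}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(DUMP_NAMES)))
    print("payload dump(s):", payload_candidates(DUMP_NAMES, 5080))
```

The dump at 0x400000 in PID 5080 is 0x70000 bytes (448KB), the size the report prints, and it is the only region in the hollowed child that starts at the image base; the parent PID 2164 has no region there, which is why payload_candidates returns nothing for it.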