Analysis
- Max time kernel: 154s
- Max time network: 173s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 20-05-2022 22:47
Static task: static1
Behavioral task: behavioral1 (sample Payment receipt.exe, resource win7-20220414-en)
Behavioral task: behavioral2 (sample Payment receipt.exe, resource win10v2004-20220414-en; the run whose results are reported below)
General
- Target: Payment receipt.exe
- Size: 3.2MB
- MD5: c9cf119294179100f7f97a28eb2f2fee
- SHA1: 7e958a40fc753c1417623263fdabbbc38fd7de72
- SHA256: 0d5a1c4bba8bc36879548a2a75bbd81573f9188cc99d414a2d81f2cb7bf75218
- SHA512: 7750149807c03d1d668110eea9081d374e393bb2cdcf6a4358d92be0af3afbf0352a4cdd6cb5e7d691300b918dcbee7faaef6015580bc39032f76168d77df13c
Malware Config
Extracted family: matiex
- Protocol: smtp
- Host: SMTP.privateemail.com
- Port: 587
- Username: mentorloz@returntolz.com
- Password: Aboki@1234
Signatures
- Matiex Main Payload (1 IoC)
  Resource: behavioral2/memory/544-151-0x0000000000400000-0x0000000000470000-memory.dmp
  YARA rule: family_matiex
  The rule matched the image region (0x400000-0x470000, 448KB) of the child process PID 544, not the 3.2MB dropper on disk: the unpacked Matiex stealer lives only in the hollowed second instance.
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: Payment receipt.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment receipt.exe\""
  The per-user Winlogon Shell value is normally just explorer.exe; appending a second, comma-separated program makes Winlogon start the sample alongside the desktop at every logon of this user. Any Shell value that is not exactly explorer.exe is worth an alert.
- Drops startup file (2 IoCs)
  Process: Payment receipt.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment receipt.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment receipt.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Windows security modification
  Process: Payment receipt.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
  An attempt to switch Defender Tamper Protection off. The write landed under WOW6432Node because the sample is a 32-bit process (it also launches the SysWOW64 PowerShell), so registry redirection kept it away from the key the 64-bit Defender service actually reads; with Tamper Protection enabled the real value is protected from such writes anyway. The attempt itself is still a useful detection.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: Payment receipt.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  9375CFF0413111d3B88A00104B2A6676 is the account-store subkey of an Outlook profile, which holds mail server names, user names and stored account credentials; the stealer tries the Outlook 2013 (15.0), Outlook 2016/365 (16.0) and legacy Windows Messaging Subsystem locations in turn.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Payment receipt.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment receipt.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment receipt.exe"
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 29: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Process: Payment receipt.exe
  PID 3284 (Payment receipt.exe) set thread context of PID 544 (Payment receipt.exe)
  Taken together with the eight WriteProcessMemory calls from 3284 into 544 and the Matiex YARA hit on the image region of 544, this is the textbook process-hollowing sequence: the dropper starts a second, suspended copy of itself, overwrites that copy's image with the unpacked payload, and points its main thread at the new entry point before resuming it.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1976 powershell.exe: 2 events
  PID 3284 Payment receipt.exe: 62 events
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 1976 powershell.exe
  Token SeDebugPrivilege: PID 3284 Payment receipt.exe
  Token SeDebugPrivilege: PID 544 Payment receipt.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3284 Payment receipt.exe wrote to memory of PID 1976 powershell.exe: 3 events
  PID 3284 Payment receipt.exe wrote to memory of PID 544 Payment receipt.exe: 8 events
- outlook_office_path (1 IoC)
  Process: Payment receipt.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: Payment receipt.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
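The registry, file and process-API IoCs above are exactly the kind of sandbox output that can be turned into detection rules. The following is an added example, not part of the report or of the sandbox vendor's tooling: it transcribes the report's IoCs into small event records and runs three rules over them (Winlogon Shell extended beyond explorer.exe, Run-key or Startup entries pointing into user-writable directories, TamperProtection set to 0, and a parent that writes into a child and then calls SetThreadContext on it). The list of user-writable directories, the PID attribution of the registry writes to the parent process 3284, and the ATT&CK IDs attached to each finding (current sub-technique IDs, not the ATT&CK v6 matrix the report uses) are this example's own assumptions.

```python
"""Rule-based triage of sandbox IoCs (added example; events transcribed from the report above)."""
from __future__ import annotations

import csv
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a Run/Shell entry should never point into a directory the user can write to.
USER_WRITABLE = ("\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\Downloads\\")

WINLOGON_SHELL = re.compile(r"\\Winlogon\\Shell$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
DEFENDER_TP = re.compile(
    r"\\(?P<wow>WOW6432Node\\)?Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I
)


@dataclass(frozen=True)
class RegSet:
    pid: int
    key: str
    value: str


@dataclass(frozen=True)
class FileCreate:
    pid: int
    path: str


@dataclass(frozen=True)
class ProcApi:
    api: str  # "WriteProcessMemory" or "SetThreadContext"
    pid: int
    target_pid: int


def check_registry(ev: RegSet) -> list[str]:
    """Flag persistence and defence-evasion writes in one registry Set-value event."""
    out: list[str] = []
    if WINLOGON_SHELL.search(ev.key):
        # Shell is a comma-separated program list; csv copes with the quoted path containing a space.
        programs = next(csv.reader([ev.value], skipinitialspace=True))
        extra = [p for p in programs if p.lower() != "explorer.exe"]
        if extra:
            out.append(f"T1547.004 pid {ev.pid}: Winlogon Shell also launches {extra}")
    if RUN_KEY.search(ev.key):
        target = ev.value.strip('"')
        if any(d.lower() in target.lower() for d in USER_WRITABLE):
            out.append(f"T1547.001 pid {ev.pid}: Run key points into user-writable path {target}")
    m = DEFENDER_TP.search(ev.key)
    if m and ev.value.strip() == "0":
        note = ""
        if m.group("wow"):
            # A 32-bit process writing HKLM\SOFTWARE is redirected to WOW6432Node; the 64-bit
            # Defender service reads the unredirected key, so the write is inert but still telling.
            note = " (redirected to WOW6432Node by a 32-bit process; inert against 64-bit Defender)"
        out.append(f"T1562.001 pid {ev.pid}: TamperProtection set to 0{note}")
    return out


def check_file(ev: FileCreate) -> list[str]:
    """Flag files dropped into the per-user Startup folder."""
    if STARTUP_DIR.search(ev.path):
        name = ev.path.rsplit("\\", 1)[-1]
        return [f"T1547.001 pid {ev.pid}: dropped {name} into Startup folder"]
    return []


def check_injection(events: list[ProcApi], images: dict[int, str]) -> list[str]:
    """A parent that writes into a child and then hijacks its thread context is hollowing it."""
    writes: dict[tuple[int, int], int] = defaultdict(int)
    hijacked: set[tuple[int, int]] = set()
    for e in events:
        if e.api == "WriteProcessMemory":
            writes[(e.pid, e.target_pid)] += 1
        elif e.api == "SetThreadContext":
            hijacked.add((e.pid, e.target_pid))
    out: list[str] = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) in hijacked:
            same = " (same image: self-hollowing)" if images.get(src) == images.get(dst) else ""
            out.append(f"T1055.012 pid {src}: {n} memory writes into pid {dst} then SetThreadContext{same}")
        else:
            out.append(f"INFO pid {src}: {n} memory writes into pid {dst}, no thread hijack seen")
    return out


# Events transcribed from the report; registry/file writes are attributed to the parent PID 3284.
IMAGES = {3284: "Payment receipt.exe", 1976: "powershell.exe", 544: "Payment receipt.exe"}
USER = r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000"
REGISTRY = [
    RegSet(3284, USER + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
           r'explorer.exe,"C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"'),
    RegSet(3284, USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment receipt.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"'),
    RegSet(3284, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "0"),
]
FILES = [FileCreate(3284, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment receipt.exe")]
PROC = ([ProcApi("WriteProcessMemory", 3284, 1976)] * 3
        + [ProcApi("WriteProcessMemory", 3284, 544)] * 8
        + [ProcApi("SetThreadContext", 3284, 544)])


def triage() -> list[str]:
    findings: list[str] = []
    for r in REGISTRY:
        findings += check_registry(r)
    for f in FILES:
        findings += check_file(f)
    findings += check_injection(PROC, IMAGES)
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Running it yields six findings: the Winlogon Shell hijack, the Run key and Startup-folder entries into the user's profile, the redirected TamperProtection write, the hollowing of PID 544 by its own parent, and a low-confidence note on the three writes into the PowerShell child, which had no SetThreadContext and so do not meet the hollowing rule.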
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe (PID 3284)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"
  - Modifies WinLogon for persistence
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1976, child of 3284)
    Command line: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe (PID 544, child of 3284)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
PIDs are taken from the signature details above. The parent launches the 32-bit (SysWOW64) PowerShell to read the Defender configuration with Get-MpPreference, then hollows a second copy of itself; all credential access is attributed to that second copy (PID 544), which is where the Matiex payload runs.
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps, grouped by process)
PID 3284 (Payment receipt.exe, dropper)
- memory/3284-130-0x0000000000230000-0x0000000000574000-memory.dmp: 3.3MB
- memory/3284-131-0x0000000004EC0000-0x0000000004F5C000-memory.dmp: 624KB
- memory/3284-132-0x0000000005660000-0x0000000005C04000-memory.dmp: 5.6MB
PID 1976 (powershell.exe)
- memory/1976-133-0x0000000000000000-mapping.dmp
- memory/1976-134-0x0000000004640000-0x0000000004676000-memory.dmp: 216KB
- memory/1976-135-0x0000000004CB0000-0x00000000052D8000-memory.dmp: 6.2MB
- memory/1976-136-0x0000000004C40000-0x0000000004C62000-memory.dmp: 136KB
- memory/1976-137-0x0000000005510000-0x0000000005576000-memory.dmp: 408KB
- memory/1976-138-0x0000000005580000-0x00000000055E6000-memory.dmp: 408KB
- memory/1976-139-0x0000000005C10000-0x0000000005C2E000-memory.dmp: 120KB
- memory/1976-140-0x0000000006BC0000-0x0000000006BF2000-memory.dmp: 200KB
- memory/1976-141-0x00000000706E0000-0x000000007072C000-memory.dmp: 304KB
- memory/1976-142-0x00000000061B0000-0x00000000061CE000-memory.dmp: 120KB
- memory/1976-143-0x0000000007560000-0x0000000007BDA000-memory.dmp: 6.5MB
- memory/1976-144-0x0000000006F20000-0x0000000006F3A000-memory.dmp: 104KB
- memory/1976-145-0x0000000006F90000-0x0000000006F9A000-memory.dmp: 40KB
- memory/1976-146-0x00000000071A0000-0x0000000007236000-memory.dmp: 600KB
- memory/1976-147-0x0000000007160000-0x000000000716E000-memory.dmp: 56KB
- memory/1976-148-0x0000000007260000-0x000000000727A000-memory.dmp: 104KB
- memory/1976-149-0x0000000007250000-0x0000000007258000-memory.dmp: 32KB
PID 544 (Payment receipt.exe, hollowed child)
- memory/544-150-0x0000000000000000-mapping.dmp
- memory/544-151-0x0000000000400000-0x0000000000470000-memory.dmp: 448KB (family_matiex YARA hit; the unpacked payload)
- memory/544-152-0x00000000067B0000-0x0000000006972000-memory.dmp: 1.8MB
- memory/544-153-0x0000000006680000-0x0000000006712000-memory.dmp: 584KB
- memory/544-154-0x0000000006640000-0x000000000664A000-memory.dmp: 40KB