Analysis
- max time kernel: 42s
- max time network: 81s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:37
Static task: static1
Behavioral task: behavioral1
  Sample: M09080000000.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: M09080000000.exe
  Resource: win10v2004-20220414-en
General
- Target: M09080000000.exe
- Size: 619KB
- MD5: 072c613d1f936ac409e59949503ab55e
- SHA1: ed85d7ea0a061e9c971cc01ab47efad6028eef76
- SHA256: 90524b90bad8dd82b6b6aa41f4f98211dd5e6d0c9524e72a72e8a1e855b71689
- SHA512: 980517439fdcda8021053ec66a42203f9ec2f2be9e4a3490b120ed964454e74d3a0beea0e10c7f2a8bd2bda6cdbc45624efd5d317cd58fe170151436cb1e6048
Malware Config
Extracted: matiex
- Protocol: smtp
- Host: srvc13.turhost.com
- Port: 587
- Username: info@bilgitekdagitim.com
- Password: italik2015
Signatures
- Matiex Main Payload (1 IoCs)
  Processes:
    resource: behavioral1/memory/756-60-0x0000000000400000-0x0000000000472000-memory.dmp
    yara_rule: family_matiex
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 3: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 960 (M09080000000.exe) set thread context of PID 756 (RegAsm.exe)
- Program crash (1 IoCs)
  Processes:
    PID 1764 (WerFault.exe), target PID 756 (RegAsm.exe)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    PID 960 (M09080000000.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    PID 756 (RegAsm.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 960 (M09080000000.exe) wrote to memory of PID 756 (RegAsm.exe)
    PID 960 (M09080000000.exe) wrote to memory of PID 756 (RegAsm.exe)
    PID 960 (M09080000000.exe) wrote to memory of PID 756 (RegAsm.exe)
    PID 960 (M09080000000.exe) wrote to memory of PID 756 (RegAsm.exe)
    PID 960 (M09080000000.exe) wrote to memory of PID 756 (RegAsm.exe)
    PID 960 (M09080000000.exe) wrote to memory of PID 756 (RegAsm.exe)
    PID 960 (M09080000000.exe) wrote to memory of PID 756 (RegAsm.exe)
    PID 960 (M09080000000.exe) wrote to memory of PID 756 (RegAsm.exe)
    PID 756 (RegAsm.exe) wrote to memory of PID 1764 (WerFault.exe)
    PID 756 (RegAsm.exe) wrote to memory of PID 1764 (WerFault.exe)
    PID 756 (RegAsm.exe) wrote to memory of PID 1764 (WerFault.exe)
    PID 756 (RegAsm.exe) wrote to memory of PID 1764 (WerFault.exe)
- outlook_office_path (1 IoCs)
  Processes:
    RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoCs)
  Processes:
    RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\M09080000000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\M09080000000.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1336
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/756-57-0x000000000046DF0E-mapping.dmp
- memory/756-60-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/960-54-0x0000000000AB0000-0x0000000000B50000-memory.dmp (Filesize: 640KB)
- memory/960-55-0x0000000000960000-0x00000000009DC000-memory.dmp (Filesize: 496KB)
- memory/960-56-0x0000000074DC1000-0x0000000074DC3000-memory.dmp (Filesize: 8KB)
- memory/960-58-0x0000000000910000-0x0000000000913000-memory.dmp (Filesize: 12KB)
- memory/1764-61-0x0000000000000000-mapping.dmp