Analysis
- Max time kernel: 90s
- Max time network: 144s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 20-05-2022 23:42

Static task: static1
Behavioral task: behavioral1 (Sample: Iterms.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Iterms.exe, Resource: win10v2004-20220414-en)
General
- Target: Iterms.exe
- Size: 545KB
- MD5: b1266a94b7dd2553fd9b30c2dfb72ae4
- SHA1: 0cb3165a1741cf80812ae22cccafb1385fcf4324
- SHA256: cf8207bd6ead9bcadcaaaad2940956f75d90a67daf6ddb8dc1907900645a5f69
- SHA512: 1272483192f36adac3dc5c5feeb0da27456842573e59feb0e36803a17498372ade9c824960c9e2d8368a802ec0208887e1692841f2f76a6220800e18e7eb44e6
Malware Config
Extracted (family: matiex)
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: Ifiiedwin21@gmail.com
- Password: @@@monday
These are the sample's SMTP exfiltration settings: harvested data is mailed out through the listed Gmail account. Port 587 is the STARTTLS submission port, so message bodies are encrypted on the wire and the useful network indicator is the connection itself, not its content.
Signatures

Matiex Main Payload (1 IoC)
- YARA rule family_matiex matched behavioral2/memory/5032-139-0x0000000000400000-0x0000000000474000-memory.dmp

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried by Iterms.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Keys opened by Iterms.exe:
- \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 29: checkip.dyndns.org
- flow 31: freegeoip.app
- flow 32: freegeoip.app
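The external-IP lookup above and the SMTP settings in the extracted config together give a detectable sequence: a non-mail process asks an IP-lookup service who it is, then opens an SMTP submission connection. The following is an added example, not part of the sandbox report: its flow records are constructed (flows 29, 31 and 32 mirror the report's IoCs; the smtp.gmail.com:587 flow is what the extracted config would produce had the run got that far, which this report does not show because the payload process crashed; the msedge.exe and outlook.exe records are benign controls), and the hostname sets, port list and severity levels are assumptions of the example.

```python
"""Flag the external-IP-lookup-then-SMTP pattern in per-process flow records."""
from collections import defaultdict

# Assumed lists for this example; extend from your own telemetry.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app", "api.ipify.org", "ip-api.com"}
SMTP_SUBMISSION_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # processes expected to speak SMTP

# Constructed flow records: (flow_id, pid, image, dst_host, dst_port).
# flow_id increases in time order, like the sandbox's flow numbering.
FLOWS = [
    (29, 5032, "Iterms.exe", "checkip.dyndns.org", 80),
    (31, 5032, "Iterms.exe", "freegeoip.app", 443),
    (32, 5032, "Iterms.exe", "freegeoip.app", 443),
    (40, 5032, "Iterms.exe", "smtp.gmail.com", 587),      # assumed exfil per config
    (12, 4100, "outlook.exe", "smtp.office365.com", 587),  # mail client: expected
    (15, 2200, "msedge.exe", "checkip.dyndns.org", 80),   # user checking their IP
    (16, 2200, "msedge.exe", "www.example.com", 443),
]


def find_exfil_candidates(flows, config_smtp_host=None):
    """Return {pid: finding} for non-mail processes that query an IP-lookup
    service and afterwards open an SMTP submission connection.

    config_smtp_host: SMTP host from an extracted config (here smtp.gmail.com);
    a match raises the severity from 'medium' to 'high'.
    """
    by_pid = defaultdict(list)
    for flow in sorted(flows):  # chronological order within each process
        by_pid[flow[1]].append(flow)

    findings = {}
    for pid, records in by_pid.items():
        image = records[0][2]
        if image.lower() in MAIL_CLIENTS:
            continue
        lookup_host = None
        for _fid, _pid, _img, host, port in records:
            if lookup_host is None and host in IP_LOOKUP_HOSTS:
                lookup_host = host  # first IP lookup seen for this process
            elif lookup_host is not None and port in SMTP_SUBMISSION_PORTS:
                severity = "high" if host == config_smtp_host else "medium"
                findings[pid] = {"image": image, "ip_lookup": lookup_host,
                                 "smtp_host": host, "smtp_port": port,
                                 "severity": severity}
                break
    return findings


if __name__ == "__main__":
    for pid, hit in find_exfil_candidates(FLOWS, config_smtp_host="smtp.gmail.com").items():
        print(pid, hit)
```

The order matters: a browser that visits checkip.dyndns.org is not flagged, and a mail client talking SMTP is excluded by image name; only the lookup followed by SMTP from the same non-mail process produces a finding.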
Suspicious use of SetThreadContext (1 IoC)
- PID 408 (Iterms.exe) set the thread context of PID 5032 (Iterms.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour", but nothing else in this report points to ransomware; for a stealer such as Matiex, drive enumeration is equally consistent with looking for files to collect.
Program crash (1 IoC)
- WerFault.exe (PID 4820) handled a crash of Iterms.exe (PID 5032)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 408 (Iterms.exe), 5 occurrences

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 408 (Iterms.exe)
- Token: SeDebugPrivilege, PID 5032 (Iterms.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
- PID 408 (Iterms.exe) wrote to memory of PID 220 (schtasks.exe): 3 times
- PID 408 (Iterms.exe) wrote to memory of PID 3180 (Iterms.exe): 3 times
- PID 408 (Iterms.exe) wrote to memory of PID 5032 (Iterms.exe): 8 times
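Read together, the SetThreadContext and WriteProcessMemory signatures describe one injection chain: PID 408 starts a second copy of itself, writes into it repeatedly, then redirects its thread, and the Matiex YARA hit lands in that child's image region. The following is an added example, not the sandbox's own logic: it reconstructs that chain from API-call records, which are constructed here to mirror the counts in the tables above (3 writes to 220, 3 to 3180, 8 to 5032, one SetThreadContext on 5032, family_matiex on 5032). The threshold that treats a few writes without a context change as ordinary process creation is a heuristic of this example.

```python
"""Reconstruct an injection chain from sandbox API-call records."""
from collections import defaultdict

# Constructed API events: (seq, api, src_pid, src_image, target_pid, target_image)
EVENTS = (
    [(i, "WriteProcessMemory", 408, "Iterms.exe", 220, "schtasks.exe") for i in range(1, 4)]
    + [(i, "WriteProcessMemory", 408, "Iterms.exe", 3180, "Iterms.exe") for i in range(4, 7)]
    + [(i, "WriteProcessMemory", 408, "Iterms.exe", 5032, "Iterms.exe") for i in range(7, 15)]
    + [(15, "SetThreadContext", 408, "Iterms.exe", 5032, "Iterms.exe")]
)

# Constructed YARA results keyed by target pid, mirroring the report's
# behavioral2/memory/5032-139 ... family_matiex hit.
YARA_HITS = {5032: ["family_matiex"]}

# Assumption used as the threshold: a parent that writes only a few times into
# a child and never touches its thread context looks like normal CreateProcess.
NORMAL_CREATE_WRITES = 3


def classify_injection(events, yara_hits=None):
    """Group cross-process API calls per (src_pid, target_pid) and rate each pair."""
    yara_hits = yara_hits or {}
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False})

    for _seq, api, src, src_img, dst, dst_img in sorted(events):
        entry = pairs[(src, dst)]
        entry["src_image"], entry["target_image"] = src_img, dst_img
        if api == "WriteProcessMemory":
            entry["writes"] += 1
        elif api == "SetThreadContext":
            entry["set_context"] = True

    for (_src, dst), entry in pairs.items():
        if entry["set_context"] and entry["writes"] > 0:
            # Same image written and re-pointed: the hollowing pattern
            # (a suspended copy of self replaced with the payload).
            same_image = entry["src_image"].lower() == entry["target_image"].lower()
            entry["verdict"] = ("process_hollowing_candidate" if same_image
                                else "remote_injection_candidate")
        elif entry["writes"] <= NORMAL_CREATE_WRITES:
            entry["verdict"] = "consistent_with_process_creation"
        else:
            entry["verdict"] = "unexplained_memory_writes"
        # A family YARA hit in the target's memory confirms the candidate.
        entry["yara"] = yara_hits.get(dst, [])
        if entry["yara"] and entry["verdict"].endswith("_candidate"):
            entry["verdict"] = entry["verdict"].replace("_candidate", "_confirmed")
    return dict(pairs)


if __name__ == "__main__":
    for pair, entry in classify_injection(EVENTS, YARA_HITS).items():
        print(pair, entry["verdict"], entry["writes"], entry["yara"])
```

Applied to this run, 408 to 5032 comes out as confirmed hollowing, while the three writes each to schtasks.exe and to the short-lived 3180 stay at the process-creation baseline, which matches the report: those two children carry no signatures and only mapping dumps.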
outlook_office_path (1 IoC)
- Key opened by Iterms.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
- Key opened by Iterms.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\Iterms.exe (PID 408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Iterms.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 220)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5999.tmp"
    (The command names System32 but the image ran from SysWOW64: the 32-bit parent is subject to WOW64 file-system redirection. The task name contains the literal, unsubstituted text &startupname&, and the task body is supplied from an XML file in the user's Temp directory.)
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Iterms.exe (PID 3180)
    Command line: "{path}" (recorded verbatim)
    No signatures; only a mapping dump was captured for this process.
  - C:\Users\Admin\AppData\Local\Temp\Iterms.exe (PID 5032)
    Command line: "{path}" (recorded verbatim)
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe (PID 4820)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 2008
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5032 -ip 5032
  (second WerFault instance for the same crash of PID 5032; not a child of the sample)

PIDs are taken from the signature tables (PID 408 wrote to 220, 3180 and 5032; WerFault 4820 targeted 5032; the child with the Outlook and AdjustPrivilegeToken signatures is 5032).
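The schtasks.exe command line in the tree above is the persistence artifact worth alerting on: the task definition is passed as an XML file staged in %TEMP%, so the action is not visible on the command line, and the task name still carries template text. The following is an added example, not part of the sandbox report: it parses that recorded command line and a constructed benign one for comparison. tmp5999.tmp itself is not shown on the page, so only the command line is assessed; the temp-directory and placeholder heuristics are assumptions of this example.

```python
"""Triage a schtasks.exe /Create command line for persistence indicators."""
import re

# /Switch followed by an optional quoted or bare value. A bare value never
# starts with '/', so "/Create /TN ..." does not swallow the next switch.
_SWITCH_RE = re.compile(r'/(?P<name>[A-Za-z]+)(?:\s+(?:"(?P<q>[^"]*)"|(?P<u>[^/\s"]\S*)))?')
_TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\|\\Windows\\Temp\\', re.IGNORECASE)
_PLACEHOLDER_RE = re.compile(r'&\w+&')  # unsubstituted template text such as &startupname&

# Command line the report recorded for PID 220.
SUSPECT = ('"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\&startupname&" '
           '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp5999.tmp"')
# Constructed benign control: an administrator registering a nightly job inline.
BENIGN = ('schtasks.exe /Create /TN "Backup\\Nightly" /TR "C:\\Program Files\\Backup\\run.exe" '
          '/SC DAILY /ST 02:00')


def parse_switches(cmdline):
    """Return {switch_lower: value_or_None} for a schtasks command line."""
    switches = {}
    for m in _SWITCH_RE.finditer(cmdline):
        value = m.group("q") if m.group("q") is not None else m.group("u")
        switches[m.group("name").lower()] = value
    return switches


def assess_schtasks_cmdline(cmdline):
    """Parse the command line and list the persistence indicators found in it."""
    switches = parse_switches(cmdline)
    findings = []
    if "create" not in switches:
        return {"switches": switches, "findings": findings}
    xml_path = switches.get("xml") or ""   # with /XML the action lives only in the file
    task_name = switches.get("tn") or ""
    if _TEMP_DIR_RE.search(xml_path):
        findings.append("xml_in_temp")     # task body staged in a temp directory
    if _PLACEHOLDER_RE.search(task_name):
        findings.append("placeholder_in_task_name")
    return {"switches": switches, "findings": findings}


if __name__ == "__main__":
    for label, cmd in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, assess_schtasks_cmdline(cmd)["findings"])
```

When the XML is available, the next step is to read its Actions element, since that is where the path the task will launch is recorded; the command line alone never shows it for /XML-based registrations.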
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Iterms.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
  (Usage log written by the .NET Framework 4 runtime: Iterms.exe executed as a 32-bit .NET assembly.)
- C:\Users\Admin\AppData\Local\Temp\tmp5999.tmp
  Filesize: 1KB
  MD5: ab9f8a9574d9209cd8666decb37e33cc
  SHA1: b768b98d37b96bcf5eeeb4bae10589a196b66db2
  SHA256: 2c052172f943620c36053efd2ab1d6ef9fbb671c55669b9f49430f0f7acd7704
  SHA512: 5059538580cce17a2c7516e3117297310455e38ff32d51c6e17ef188448ce3567f9c968ad478df725ed2ce8630ceee2340246264a6e60877895591a67d45da70
  (Scheduled-task XML definition passed to schtasks.exe /XML; its content is not shown in this report.)
- memory/220-135-0x0000000000000000-mapping.dmp
- memory/408-130-0x0000000000330000-0x00000000003BE000-memory.dmp (Filesize: 568KB)
- memory/408-131-0x0000000005240000-0x00000000057E4000-memory.dmp (Filesize: 5.6MB)
- memory/408-132-0x0000000004D70000-0x0000000004E02000-memory.dmp (Filesize: 584KB)
- memory/408-133-0x0000000004F00000-0x0000000004F0A000-memory.dmp (Filesize: 40KB)
- memory/408-134-0x0000000008520000-0x00000000085BC000-memory.dmp (Filesize: 624KB)
- memory/3180-137-0x0000000000000000-mapping.dmp
- memory/5032-138-0x0000000000000000-mapping.dmp
- memory/5032-139-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB; the region matched by the family_matiex YARA rule)
- memory/5032-141-0x00000000055E0000-0x0000000005646000-memory.dmp (Filesize: 408KB)