Analysis
- max time kernel: 78s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:43
Static task: static1
Behavioral task: behavioral1
- Sample: URGENT.PO.pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: URGENT.PO.pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: URGENT.PO.pdf.exe (double extension: with known extensions hidden the file presents as a PDF purchase order)
- Size: 647KB
- MD5: c934ff92eb72cb2a4a7e3beebe46c07c
- SHA1: 3cede206bd43133a07c5ef67281b922b58f28d8b
- SHA256: 45a2796fe63b4de3b22f992d5259ca8efdf22d33670c5446a71d288d9f182ef5
- SHA512: 714df13bd235e92285576f32133d0cb1fdb8fc0c68ea3db030984f957a5d583c44f14b89b05eafff07a9e37aecdd74768424e89f1f391c34319d0637b74ef96f
Malware Config
Extracted
matiex
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: infokingking88@yandex.ru
- Password: kingmoney12345
This is the stealer's exfiltration channel: Matiex mails harvested keystrokes and credentials out through the attacker-controlled mailbox above, so the username is the attacker's drop account, not a victim's. The host, port and account are the network and account indicators to block or hunt for.
Signatures
-
Matiex Main Payload 6 IoCs
Matches (resource: yara_rule):
- behavioral1/memory/2032-61-0x0000000000400000-0x0000000000470000-memory.dmp: family_matiex
- behavioral1/memory/2032-62-0x0000000000400000-0x0000000000470000-memory.dmp: family_matiex
- behavioral1/memory/2032-63-0x0000000000400000-0x0000000000470000-memory.dmp: family_matiex
- behavioral1/memory/2032-64-0x000000000046BB9E-mapping.dmp: family_matiex
- behavioral1/memory/2032-66-0x0000000000400000-0x0000000000470000-memory.dmp: family_matiex
- behavioral1/memory/2032-68-0x0000000000400000-0x0000000000470000-memory.dmp: family_matiex
All six hits are on dumps of PID 2032, the second URGENT.PO.pdf.exe instance, in the 0x0000000000400000-0x0000000000470000 region; none of the dumps taken from the parent (PID 1528) matched. That is the expected picture for an unpacked payload executing inside a hollowed child, and the 0x000000000046BB9E mapping dump is consistent with the entry point the parent set on the child's thread (see the SetThreadContext and WriteProcessMemory signatures below).
Reads user/profile data of local email clients 2 TTPs
Email clients store account settings and credentials on disk and in the registry; infostealers routinely harvest them.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly target stored browser data such as saved credentials and session cookies.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: URGENT.PO.pdf.exe
- Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The 9375CFF0413111d3B88A00104B2A6676 section is the MAPI account-settings block in which Outlook stores each account's server names, user names and DPAPI-protected passwords. The three paths cover Office 2013 (15.0), Office 2016 and later (16.0) and the older Windows Messaging Subsystem location, so the stealer probes every Outlook generation regardless of which one is installed.
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows (flow: ioc):
- 4: checkip.dyndns.org
- 8: freegeoip.app
- 9: freegeoip.app
Stealers do this to stamp the exfiltrated report with the victim's public IP and geolocation. Both hosts are legitimate public services, so on their own they are weak indicators; they become meaningful in combination with the SMTP exfiltration and the injection behaviour in this report.
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 1528 (URGENT.PO.pdf.exe) set thread context of PID 2032 (URGENT.PO.pdf.exe)
Modifies system certificate store 2 IoCs
Processes: URGENT.PO.pdf.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
The written value is a CryptoAPI serialized certificate blob whose friendly-name property decodes to "Baltimore CyberTrust Root" and whose SHA-1 property is the key name, so what landed in the store is the public Baltimore root, not an attacker certificate. AuthRoot is the store that the Windows automatic root update fills on demand when chain building meets a root that is not cached yet, so this write is most plausibly a side effect of a TLS connection the sample made (for example to the IP lookup services or the mail server listed in this report) rather than deliberate trust-store tampering. Decode the blob before treating this signature as evidence of tampering.
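To check what such an AuthRoot write actually contains, the following Python script (an added example for this page, not code from the report or from the sample) walks the blob's (property id, reserved, length, data) records, decodes the friendly name, pulls the DER certificate out of property 0x20 and compares its SHA-1 with both the stored hash property and the registry key name. The blob bytes are the ones from the Set value event above; the function names, the property-name table and the verdict wording are this script's own.

```python
"""Decode the CryptoAPI certificate blob the sample wrote under AuthRoot.

Added example for this report, not part of it or of the sample. BLOB_HEX is the
Set value payload from the "Modifies system certificate store" entry, split into
its records; KEY_NAME is the key it was written under. Parser, property-name
table and verdict text are this script's own.
"""
import hashlib
import struct

KEY_NAME = "D4DE20D05E66FC53FE1A50882C78DB2852CAE474"

# Each record is <DWORD prop_id><DWORD reserved, always 1><DWORD length><data>.
BLOB_HEX = (
    "040000000100000010000000acb694a59c17e0d791529bb19706a6e4"  # 0x04 MD5 hash
    "0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f"  # 0x0f signature hash
    "0b0000000100000034000000"  # 0x0b friendly name, UTF-16LE with terminator
    "420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f0074000000"
    "53000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0"  # 0x53
    "140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df0"  # 0x14 key identifier
    "1d0000000100000010000000918ad43a9475f78bb5243de886d8103c"  # 0x1d subject name MD5
    "09000000010000000c000000300a06082b06010505070301"  # 0x09 EKU: serverAuth
    "030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474"  # 0x03 SHA-1 hash
    "19000000010000001000000068cb42b035ea773e52ef50ecf50ec529"  # 0x19 subject public key MD5
    "20000000010000007b030000"  # 0x20 DER certificate, 0x37b = 891 bytes
    "308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f7265"
    "31133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74"
    "301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f7265"
    "31133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d3"
    "1c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9a"
    "e1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69"
    "bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a39"
    "0203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df0"
    "30120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100"
    "850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307c"
    "d6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a"
    "18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e"
    "18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9"
)

# wincrypt.h CERT_*_PROP_ID values (prefix dropped) for the records in this blob.
PROP_NAMES = {
    0x03: "SHA1_HASH", 0x04: "MD5_HASH", 0x09: "ENHKEY_USAGE", 0x0B: "FRIENDLY_NAME",
    0x0F: "SIGNATURE_HASH", 0x14: "KEY_IDENTIFIER", 0x19: "SUBJECT_PUBLIC_KEY_MD5_HASH",
    0x1D: "SUBJECT_NAME_MD5_HASH", 0x20: "CERT", 0x53: "ROOT_PROGRAM_CERT_POLICIES",
}


def parse_cert_blob(blob):
    """Split a serialized certificate blob into {prop_id: data}, refusing truncation."""
    props, offset = {}, 0
    while offset < len(blob):
        if len(blob) - offset < 12:
            raise ValueError(f"truncated record header at offset {offset}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, offset)
        offset += 12
        if reserved != 1:
            raise ValueError(f"property {prop_id:#x}: reserved field is {reserved}")
        data = blob[offset:offset + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id:#x}: {length} bytes declared, {len(data)} present")
        props[prop_id] = data
        offset += length
    return props


def describe_store_entry(key_name, blob_hex):
    """Decode one Certificates/<thumbprint>/Blob value and cross-check its hashes."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[0x20]
    friendly = props[0x0B].decode("utf-16-le").rstrip("\x00")
    stored_sha1 = props[0x03].hex()
    computed_sha1 = hashlib.sha1(der).hexdigest()
    return {
        "property_ids": sorted(props),
        "property_names": [PROP_NAMES.get(p, f"prop {p:#x}") for p in sorted(props)],
        "friendly_name": friendly,
        "der_length": len(der),
        "name_in_der": friendly.encode("ascii") in der,  # the CN should appear in the DER
        "stored_sha1": stored_sha1,
        "computed_sha1": computed_sha1,
        "key_matches_stored_sha1": stored_sha1.upper() == key_name.upper(),
        "key_matches_computed_sha1": computed_sha1.upper() == key_name.upper(),
    }


def verdict(info):
    """One-line reading of the cross-checks."""
    if info["key_matches_stored_sha1"] and info["key_matches_computed_sha1"]:
        return (f"self-consistent entry for '{info['friendly_name']}'; vet the thumbprint "
                "against the Microsoft Trusted Root Program list before calling it tampering")
    return "inconsistent entry: key name, stored SHA-1 and DER digest disagree; inspect it"


if __name__ == "__main__":
    info = describe_store_entry(KEY_NAME, BLOB_HEX)
    for key, value in info.items():
        print(f"{key}: {value}")
    print(verdict(info))
```

Run stand-alone it prints the ten property names, the friendly name, the DER length and both digests. For an intact copy of the Baltimore CyberTrust Root the computed SHA-1 equals the key name; a disagreement means either that the blob is not the certificate the key claims to be or that the hex was damaged on its way into the report, and either way the entry deserves a closer look. The same parser works on any value under SystemCertificates\*\Certificates\<thumbprint>\Blob; a `reg export` writes it as `hex:` with comma-separated bytes, so strip that prefix and the commas before calling `bytes.fromhex`.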
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- PID 1528 URGENT.PO.pdf.exe (4 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1528 URGENT.PO.pdf.exe
- Token: SeDebugPrivilege, PID 2032 URGENT.PO.pdf.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 1528 (URGENT.PO.pdf.exe) wrote to memory of PID 2032 (URGENT.PO.pdf.exe), 9 events
Together with the single SetThreadContext call above and the SeDebugPrivilege token adjustments in both processes, this is the usual RunPE/process-hollowing sequence: the loader spawns a second copy of itself, writes the unpacked image into the child, then redirects the child's thread to the new entry point. The Matiex YARA matches on PID 2032's 0x0000000000400000-0x0000000000470000 dumps are the result.
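The WriteProcessMemory, SetThreadContext and AdjustPrivilegeToken signatures are only meaningful together, so the following Python script, an added example for this page rather than Triage's own detection logic, shows the correlation a detection engineer would write over such events. The sample events are constructed to mirror this report (PIDs 1528 and 2032, nine writes, one thread-context change, SeDebugPrivilege in both processes, child command line "{path}"); the pipe-separated record layout and every function name are assumptions of this script.

```python
"""Correlate sandbox process events into a process-hollowing verdict.

Added example for this report; it is not Triage's own detection logic.
The sample log below is constructed to mirror the report's signature
tables for PIDs 1528 and 2032. The pipe-separated record layout
(kind|pid|image|target_pid|target_image|detail) is an assumption of this
script, not a real sandbox export format.
"""
from dataclasses import dataclass, field

# Constructed sample events. For process_create the "target" columns carry
# the parent PID/image and detail carries the command line.
SAMPLE_EVENTS = (
    "process_create|1528|URGENT.PO.pdf.exe|||"
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\URGENT.PO.pdf.exe"\n'
    "adjust_token|1528|URGENT.PO.pdf.exe|||SeDebugPrivilege\n"
    'process_create|2032|URGENT.PO.pdf.exe|1528|URGENT.PO.pdf.exe|"{path}"\n'
    + "write_process_memory|1528|URGENT.PO.pdf.exe|2032|URGENT.PO.pdf.exe|\n" * 9
    + "set_thread_context|1528|URGENT.PO.pdf.exe|2032|URGENT.PO.pdf.exe|\n"
    "adjust_token|2032|URGENT.PO.pdf.exe|||SeDebugPrivilege\n"
)


@dataclass
class Injection:
    """One source -> target pair and everything observed about it."""
    source_pid: int
    target_pid: int
    source_image: str
    target_image: str
    writes: int = 0
    thread_context_set: bool = False
    target_is_child: bool = False
    target_cmdline: str = ""
    debug_privilege: set = field(default_factory=set)


def parse_events(text):
    """Turn the pipe-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, pid, image, tpid, timage, detail = line.split("|", 5)
        events.append({
            "kind": kind,
            "pid": int(pid),
            "image": image,
            "target_pid": int(tpid) if tpid else None,
            "target_image": timage,
            "detail": detail,
        })
    return events


def correlate(events):
    """Group writes and thread-context changes by (source, target) pair."""
    created = {}        # pid -> (parent pid, command line)
    debug = set()       # pids that enabled SeDebugPrivilege
    pairs = {}
    for ev in events:
        kind = ev["kind"]
        if kind == "process_create":
            created[ev["pid"]] = (ev["target_pid"], ev["detail"])
        elif kind == "adjust_token" and ev["detail"] == "SeDebugPrivilege":
            debug.add(ev["pid"])
        elif kind in ("write_process_memory", "set_thread_context"):
            key = (ev["pid"], ev["target_pid"])
            inj = pairs.setdefault(key, Injection(
                ev["pid"], ev["target_pid"], ev["image"], ev["target_image"]))
            if kind == "write_process_memory":
                inj.writes += 1
            else:
                inj.thread_context_set = True
    for inj in pairs.values():
        parent, cmdline = created.get(inj.target_pid, (None, ""))
        inj.target_is_child = parent == inj.source_pid
        inj.target_cmdline = cmdline
        inj.debug_privilege = {p for p in (inj.source_pid, inj.target_pid)
                               if p in debug}
    return list(pairs.values())


def classify(inj):
    """Return the findings for one pair, strongest first."""
    findings = []
    if inj.writes and inj.thread_context_set and inj.target_is_child:
        findings.append("process hollowing: parent wrote into its own child, "
                        "then redirected a thread with SetThreadContext")
    elif inj.writes and inj.thread_context_set:
        findings.append("thread-context injection into an unrelated process")
    elif inj.writes:
        findings.append("cross-process memory write without a thread redirect")
    if inj.source_image.lower() == inj.target_image.lower():
        findings.append("target is a second copy of the source image")
    if inj.target_cmdline.strip('"') == "{path}":
        findings.append('target command line is the literal string "{path}"')
    if inj.debug_privilege == {inj.source_pid, inj.target_pid}:
        findings.append("SeDebugPrivilege enabled in both source and target")
    return findings


if __name__ == "__main__":
    for inj in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{inj.source_pid} -> {inj.target_pid}: {inj.writes} writes, "
              f"SetThreadContext={inj.thread_context_set}")
        for finding in classify(inj):
            print("  -", finding)
```

The verdict is driven by the parent-child relationship plus the write-then-SetThreadContext pair, not by the image name: a loader that hollows a copy of itself (as here) and one that hollows a legitimate system binary both trip the first finding, and the remaining findings only add weight. Replace `SAMPLE_EVENTS` with records built from a real sandbox or EDR export and keep the same four event kinds.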
outlook_office_path 1 IoCs
Processes: URGENT.PO.pdf.exe
- Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path 1 IoCs
Processes: URGENT.PO.pdf.exe
- Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\URGENT.PO.pdf.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\URGENT.PO.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\URGENT.PO.pdf.exe (2, child of 1)
    Command line: "{path}" (the literal string "{path}", an unsubstituted placeholder rather than a real path, which is itself a usable indicator for this loader)
    - Accesses Microsoft Outlook profiles
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1528-54-0x0000000000FA0000-0x0000000001048000-memory.dmp (672KB)
- memory/1528-55-0x0000000000230000-0x0000000000238000-memory.dmp (32KB)
- memory/1528-56-0x0000000004450000-0x00000000044AA000-memory.dmp (360KB)
- memory/1528-57-0x0000000000440000-0x00000000004BA000-memory.dmp (488KB)
- memory/2032-58-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/2032-59-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/2032-61-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/2032-62-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/2032-63-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/2032-64-0x000000000046BB9E-mapping.dmp
- memory/2032-66-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/2032-68-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/2032-69-0x0000000075C51000-0x0000000075C53000-memory.dmp (8KB)
The 672KB dump of PID 1528 at 0x0000000000FA0000 is about the size of the submitted file (647KB) and is most likely the loader's own mapped image. The 448KB dumps of PID 2032 at 0x0000000000400000 are successive snapshots of the region the parent wrote into; the ones numbered 61, 62, 63, 64, 66 and 68 are the dumps that matched the family_matiex YARA rule, so for further analysis start with the latest of them rather than the parent's dumps.