Analysis
- max time kernel: 115s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:43

Static task: static1

Behavioral task: behavioral1
- Sample: URGENT.PO.pdf.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: URGENT.PO.pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: URGENT.PO.pdf.exe
- Size: 647KB
- MD5: c934ff92eb72cb2a4a7e3beebe46c07c
- SHA1: 3cede206bd43133a07c5ef67281b922b58f28d8b
- SHA256: 45a2796fe63b4de3b22f992d5259ca8efdf22d33670c5446a71d288d9f182ef5
- SHA512: 714df13bd235e92285576f32133d0cb1fdb8fc0c68ea3db030984f957a5d583c44f14b89b05eafff07a9e37aecdd74768424e89f1f391c34319d0637b74ef96f
Malware Config
Extracted family: matiex
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: infokingking88@yandex.ru
- Password: kingmoney12345

The stealer delivers its loot by mail, authenticating to the SMTP submission port (587) with the credentials above. The host is a legitimate public mail provider, so the usable indicators are the sender account and the behaviour itself (outbound TCP 587 from a process that is not a mail client), not the SMTP host.
Signatures
- Matiex Main Payload (1 IoC)
  resource: behavioral2/memory/4892-134-0x0000000000400000-0x0000000000470000-memory.dmp
  yara_rule: family_matiex
  The family rule matches the memory image of the second process (PID 4892), the one PID 2116 wrote into, at 0x400000, the default 32-bit PE image base; it does not match the packed file on disk.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients keep account and profile data on disk and in the registry; infostealers harvest it for stored credentials and contact lists.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers target stored browser data, which can include saved credentials, cookies and autofill entries.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: URGENT.PO.pdf.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: URGENT.PO.pdf.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: URGENT.PO.pdf.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 37: checkip.dyndns.org
  flow 39: freegeoip.app
  flow 40: freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  PID 2116 (URGENT.PO.pdf.exe) set thread context of PID 4892 (URGENT.PO.pdf.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 2116 URGENT.PO.pdf.exe (6 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege | PID 2116 URGENT.PO.pdf.exe
  Token: SeDebugPrivilege | PID 4892 URGENT.PO.pdf.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2116 (URGENT.PO.pdf.exe) wrote to memory of PID 4892 (URGENT.PO.pdf.exe), 8 occurrences
  Taken together with SetThreadContext on the same child, this is the process-hollowing (RunPE) sequence: the parent starts a second copy of itself, overwrites the child's image with the unpacked payload and redirects a thread to the new entry point. All of the stealer activity (the Outlook profile reads) and the family YARA match are recorded against the child, PID 4892.
- outlook_office_path (1 IoC)
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: URGENT.PO.pdf.exe
- outlook_win_path (1 IoC)
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: URGENT.PO.pdf.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\URGENT.PO.pdf.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\URGENT.PO.pdf.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\URGENT.PO.pdf.exe (child of 1)
      command line: "{path}"
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
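The injection chain and the stealer behaviours listed above, replayed as detection logic over Sysmon-style event records. This is an added example for this page; it is not tria.ge code and not part of any Matiex tooling. The event dictionary shape, the field names and the sample events are constructed to mirror the report's PIDs, registry keys, lookup hosts and SMTP config; the report attributes the DNS and SMTP traffic to flows rather than to a PID, so assigning them to 4892 here is an assumption.

```python
"""Replay the report's behavioural indicators over Sysmon-style event records.

Added example for this page; not tria.ge code and not Matiex tooling. The
event dicts, their field names and SAMPLE_EVENTS are constructed (assumptions,
not captured telemetry), built from the PIDs and indicators in the report.
"""
import re
from collections import defaultdict

SID = "S-1-5-21-3751123196-3323558407-1869646069-1000"          # from the report
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\URGENT.PO.pdf.exe"  # from the report

# Registry paths the sample opened: the MAPI profile store and the Office
# 15.0/16.0 Outlook profile stores. The Office version is wildcarded on purpose.
OUTLOOK_PROFILE_KEYS = [
    re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
               r"Windows Messaging Subsystem\\Profiles\\", re.I),
    re.compile(r"\\Software\\Microsoft\\Office\\\d+\.0\\Outlook\\Profiles\\", re.I),
]
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}   # flows 37/39/40
EXFIL_SMTP = ("smtp.yandex.ru", 587)                        # extracted config


def profile_key(suffix):
    """Build one of the report's Outlook profile keys under the sandbox user's SID."""
    return rf"\REGISTRY\USER\{SID}\Software\Microsoft\{suffix}\Outlook\9375CFF0413111d3B88A00104B2A6676"


# Constructed events: PID 2116 starts a second copy of itself (4892), writes into
# it and re-points a thread; the child then does the stealing. Attributing the
# DNS and SMTP activity to 4892 is an assumption (the report lists flows only).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2116, "ppid": 1000, "image": IMAGE},
    {"type": "process_create", "pid": 4892, "ppid": 2116, "image": IMAGE},
    {"type": "api", "pid": 2116, "target_pid": 4892, "api": "WriteProcessMemory"},
    {"type": "api", "pid": 2116, "target_pid": 4892, "api": "SetThreadContext"},
    {"type": "reg_open", "pid": 4892,
     "key": profile_key(r"Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles")},
    {"type": "reg_open", "pid": 4892, "key": profile_key(r"Office\16.0\Outlook\Profiles")},
    {"type": "reg_open", "pid": 4892, "key": profile_key(r"Office\15.0\Outlook\Profiles")},
    {"type": "dns", "pid": 4892, "host": "checkip.dyndns.org"},
    {"type": "dns", "pid": 4892, "host": "freegeoip.app"},
    {"type": "net_connect", "pid": 4892, "host": "smtp.yandex.ru", "port": 587},
]


def find_hollowing_chains(events):
    """Parent/child pairs where the parent spawned the child and then both wrote
    its memory and reset a thread context: the RunPE sequence from the report."""
    images, parents = {}, {}
    for e in events:
        if e["type"] == "process_create":
            images[e["pid"]], parents[e["pid"]] = e["image"], e["ppid"]
    calls = defaultdict(set)
    for e in events:
        if e["type"] == "api":
            calls[(e["pid"], e["target_pid"])].add(e["api"])
    chains = []
    for (src, dst), apis in calls.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis and parents.get(dst) == src:
            chains.append({"parent": src, "child": dst,
                           "same_image": images.get(src) == images.get(dst)})
    return chains


def find_outlook_profile_reads(events):
    return sorted({(e["pid"], e["key"]) for e in events if e["type"] == "reg_open"
                   and any(p.search(e["key"]) for p in OUTLOOK_PROFILE_KEYS)})


def find_ip_lookups(events):
    return sorted({(e["pid"], e["host"]) for e in events
                   if e["type"] == "dns" and e["host"].lower() in IP_LOOKUP_HOSTS})


def find_exfil_smtp(events):
    return sorted({(e["pid"], e["host"], e["port"]) for e in events
                   if e["type"] == "net_connect"
                   and (e["host"].lower(), e["port"]) == EXFIL_SMTP})


def triage(events):
    """Combine the signals. The telling combination is stealer activity carried
    out by the hollowed child; an external-IP lookup on its own is too common
    to act on and is reported but not scored."""
    chains = find_hollowing_chains(events)
    injected = {c["child"] for c in chains}
    outlook = find_outlook_profile_reads(events)
    lookups = find_ip_lookups(events)
    exfil = find_exfil_smtp(events)
    stealer_pids = {pid for pid, *_ in outlook + lookups + exfil}
    if chains and stealer_pids & injected:
        verdict = "infostealer"
    elif chains or outlook or exfil:
        verdict = "suspicious"
    else:
        verdict = "none"
    return {"chains": chains, "outlook": outlook, "ip_lookups": lookups,
            "exfil_smtp": exfil, "verdict": verdict}


if __name__ == "__main__":
    for name, value in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

Against the constructed events the chain 2116 -> 4892 is found with matching image paths, all three profile keys, both lookup hosts and the SMTP connection are attributed to 4892, and the verdict is "infostealer". The same functions run unchanged over real Sysmon event IDs 1 (process create), 8/10 (remote thread and process access), 12/13 (registry), 22 (DNS) and 3 (network) once the records are mapped onto the field names used here.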
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\URGENT.PO.pdf.exe.log
  Filesize: 611B
  MD5: bceb1b24038a079a8046db250ce33039
  SHA1: 95d2a21b00e5c127f023d2950afe052d2acba572
  SHA256: d5237a1aac346aaff3cedaca0a567afa529b84a21676e4c7017c9f87cfb32d57
  SHA512: 182dc30cd1e600da9b7ea1ca12860fd82237b04de293899d19ab7edb8b2bcdb37e30d387bbdbb54acdbecdb8200f5a39d417abd91d2b4c11fd126a9e4d0f050e
  This usage log is written by the .NET runtime when a managed executable runs, so the loader is a 32-bit .NET (CLR 4.0) binary; the file itself is a runtime artifact, not a dropped payload.
- memory/2116-130-0x0000000000F20000-0x0000000000FC8000-memory.dmp
  Filesize: 672KB
- memory/2116-131-0x00000000081B0000-0x000000000824C000-memory.dmp
  Filesize: 624KB
- memory/2116-132-0x00000000082F0000-0x0000000008382000-memory.dmp
  Filesize: 584KB
- memory/4892-133-0x0000000000000000-mapping.dmp
- memory/4892-134-0x0000000000400000-0x0000000000470000-memory.dmp
  Filesize: 448KB
  This is the region in the hollowed child on which the family_matiex rule matched (see Signatures); it is the dump to take for unpacked-payload analysis.
- memory/4892-136-0x0000000005440000-0x00000000059E4000-memory.dmp
  Filesize: 5.6MB
- memory/4892-137-0x0000000004E90000-0x0000000004EF6000-memory.dmp
  Filesize: 408KB
- memory/4892-138-0x0000000006720000-0x00000000068E2000-memory.dmp
  Filesize: 1.8MB
- memory/4892-139-0x00000000065A0000-0x00000000065AA000-memory.dmp
  Filesize: 40KB