Analysis
- max time kernel: 205s
- max time network: 189s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 14:22
Static task: static1
Behavioral task: behavioral1 (Sample: File.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: File.exe, Resource: win10v2004-20220414-en)
General
- Target: File.exe
- Size: 693KB
- MD5: c66a781c007bb89b164c49068e8a5d58
- SHA1: fb6cef4cbcdb878b0b95a7fe0850832010d2f2e9
- SHA256: f2c8e60f6dea2f01ded10eed11783cd5173650bbc6e14d8ec891f441fea26b42
- SHA512: 805e0cf784827848a5c1e60d2e9fe032cc4edf7b5677cf2f93ec21d8e499815fc16d8b1b70a29ae7e22481f6e2a5e354d5cffe969a435574431fad8ae998bd43
Malware Config
Extracted: matiex
- Protocol: smtp
- Host: SMTP.gmail.com
- Port: 587
- Username: officialmarc54@gmail.com
- Password: blessmelord
Signatures
- Matiex Main Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1756-58-0x0000000001D70000-0x0000000001DE0000-memory.dmp | family_matiex
  behavioral1/memory/1756-62-0x0000000001D70000-0x0000000001DE0000-memory.dmp | family_matiex
- Drops startup file (1 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Reg.desktop.vbs | notepad.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | File.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | File.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | File.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  8 | freegeoip.app
  9 | freegeoip.app
  4 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1312 set thread context of 1756 | 1312 | File.exe | File.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  1312 | File.exe
  1264 | File.exe (repeated for all remaining events in the list)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid | process
  1312 | File.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1756 | File.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description | pid | process | target process
  PID 1312 wrote to memory of 1796 (6 events) | 1312 | File.exe | notepad.exe
  PID 1312 wrote to memory of 1756 (4 events) | 1312 | File.exe | File.exe
  PID 1312 wrote to memory of 1264 (4 events) | 1312 | File.exe | File.exe
- outlook_office_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | File.exe
- outlook_win_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | File.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\File.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  child processes:
  - C:\Windows\SysWOW64\notepad.exe
    command line: "C:\Windows\system32\notepad.exe"
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\File.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
  - C:\Users\Admin\AppData\Local\Temp\File.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\File.exe" 2 1756 7131694
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1264-59-0x0000000000000000-mapping.dmp
- memory/1264-64-0x0000000000400000-0x00000000004B4000-memory.dmp (Filesize: 720KB)
- memory/1312-54-0x0000000075F21000-0x0000000075F23000-memory.dmp (Filesize: 8KB)
- memory/1312-60-0x0000000000400000-0x00000000004B4000-memory.dmp (Filesize: 720KB)
- memory/1756-56-0x00000000004EBF90-mapping.dmp
- memory/1756-58-0x0000000001D70000-0x0000000001DE0000-memory.dmp (Filesize: 448KB)
- memory/1756-62-0x0000000001D70000-0x0000000001DE0000-memory.dmp (Filesize: 448KB)
- memory/1796-55-0x0000000000000000-mapping.dmp