Analysis
max time kernel: 123s
max time network: 148s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 00:58
Static task: static1
Behavioral task: behavioral1
Sample: Quotation #257&439.exe
Resource: win7-20220414-en
General
Target: Quotation #257&439.exe
Size: 376KB
MD5: 0ada92dbaeebf340360ac5b3dcf9a459
SHA1: 6c70fc7a6e3d08f39b5393341290658e8cbba591
SHA256: 302ef66c9868c12a36517bd2ee12254442b7504d17afdeabdc9264954e19a952
SHA512: 393fec311d35289126b268b64a249b07885bfa5eacc6d0db58a2e712b09a8b2b9262bba8435f60d460ecf4dde2ab345db5d514e9bb9d95ade30c439428c5ab4d
Malware Config
Extracted: matiex
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: beatexploit@yandex.com
Password: welcome@100
Signatures
-
Matiex Main Payload (6 IoCs)
resource | yara_rule
behavioral1/memory/1100-66-0x0000000000400000-0x0000000000474000-memory.dmp | family_matiex
behavioral1/memory/1100-65-0x0000000000400000-0x0000000000474000-memory.dmp | family_matiex
behavioral1/memory/1100-64-0x0000000000400000-0x0000000000474000-memory.dmp | family_matiex
behavioral1/memory/1100-67-0x000000000046FDCE-mapping.dmp | family_matiex
behavioral1/memory/1100-69-0x0000000000400000-0x0000000000474000-memory.dmp | family_matiex
behavioral1/memory/1100-71-0x0000000000400000-0x0000000000474000-memory.dmp | family_matiex
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Quotation #257&439.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Quotation #257&439.exe
-
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | checkip.dyndns.org
11 | freegeoip.app
12 | freegeoip.app
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Quotation #257&439.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Quotation #257&439.exe
-
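The three registry reads recorded above (SystemBiosVersion, VideoBiosVersion, Disk\Enum\0) are a standard VM fingerprint: a stock VirtualBox or VMware guest leaves its vendor name in all three. The Python below is added here as an example and is not code recovered from the sample. It reads the same values from HKLM via `winreg` when run on Windows and otherwise classifies constructed values, so the matching logic can be exercised off-box. The marker list and the two constructed value sets are assumptions; the sample's own string list is not on the page.

```python
"""Emulate the registry-based sandbox checks recorded in the report and show
what a sandbox must spoof to pass them. Added example; assumptions are marked."""
import sys

# Assumed marker list: vendor strings typically present in virtualised hardware.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "bochs", "xen", "hyper-v", "virtual")

# HKLM-relative keys and value names matching the IoCs in the report.
REGISTRY_CHECKS = (
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"SYSTEM\ControlSet001\Services\Disk\Enum", "0"),
)


def read_registry_values():
    """Read the three values from HKLM on Windows; return {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    out = {}
    for key, name in REGISTRY_CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                value, _type = winreg.QueryValueEx(k, name)
        except OSError:
            continue  # key or value absent; nothing to fingerprint
        out[name] = value
    return out


def normalise(value):
    """SystemBiosVersion/VideoBiosVersion are REG_MULTI_SZ (list of str);
    Disk\\Enum\\0 is REG_SZ. Flatten both to one lowercase-able string."""
    if isinstance(value, (list, tuple)):
        return " ".join(str(v) for v in value)
    return str(value)


def classify_artifacts(values):
    """Return (value_name, marker) pairs a sandbox-aware sample would hit on.
    One hit per value: the first marker found wins."""
    hits = []
    for name, raw in values.items():
        text = normalise(raw).lower()
        for marker in VM_MARKERS:
            if marker in text:
                hits.append((name, marker))
                break
    return hits


# Constructed sample values (not from the report): an unmodified VirtualBox
# Windows 7 guest versus a laptop that looks like bare metal.
VBOX_GUEST = {
    "SystemBiosVersion": ["VBOX   - 1", "DEFAULT_SYSTEM_BIOS"],
    "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.32 VBE Adapter"],
    "0": r"IDE\DiskVBOX_HARDDISK___________________________1.0_____",
}
BARE_METAL = {
    "SystemBiosVersion": ["LENOVO - 1240", "N1MET40W (1.25 )"],
    "VideoBiosVersion": ["Intel Video BIOS"],
    "0": r"SCSI\Disk&Ven_NVMe&Prod_SAMSUNG_MZVLB512\4&1a2b3c4d&0&000000",
}

if __name__ == "__main__":
    live = read_registry_values()
    print("this host:", classify_artifacts(live) if live else "not on Windows")
    print("vbox guest:", classify_artifacts(VBOX_GUEST))
    print("bare metal:", classify_artifacts(BARE_METAL))
```

Every value the VirtualBox guest returns trips a marker, which is why detonation sandboxes patch these keys (and the ACPI/SMBIOS tables they are derived from) before running a sample; the bare-metal set returns no hits.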
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 1628 set thread context of 1100 | 1628 | Quotation #257&439.exe | Quotation #257&439.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording is the sandbox's generic description of this signature, not a finding about this sample: no IoC is attached to it in this report, the sample is classified as Matiex (a keylogger/stealer), and the only drive-related access recorded is the Disk\Enum registry read under "Maps connected drives based on registry", which is a sandbox-detection check rather than encryption staging.
-
Program crash (1 IoC)
pid | pid_target | process | target process
1744 | 1100 | WerFault.exe | Quotation #257&439.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | process
1628 | Quotation #257&439.exe
1628 | Quotation #257&439.exe
1628 | Quotation #257&439.exe
-
Suspicious behavior: RenamesItself (1 IoC)
pid | process
1100 | Quotation #257&439.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1628 | Quotation #257&439.exe
Token: SeDebugPrivilege | 1100 | Quotation #257&439.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | process | target process | count
PID 1628 wrote to memory of 1864 | 1628 | Quotation #257&439.exe | schtasks.exe | 4
PID 1628 wrote to memory of 1100 | 1628 | Quotation #257&439.exe | Quotation #257&439.exe | 9
PID 1100 wrote to memory of 1744 | 1100 | Quotation #257&439.exe | WerFault.exe | 4
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe  (PID 1628, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\schtasks.exe  (PID 1864, depth 2)
  |     command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNxuZSpnXyss" /XML "C:\Users\Admin\AppData\Local\Temp\tmp562C.tmp"
  |     - Creates scheduled task(s)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe  (PID 1100, depth 2)
        command line: "{path}"
        - Suspicious behavior: RenamesItself
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1744, depth 3)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1720
              - Program crash

PIDs are taken from the signature tables above. The schtasks image path is SysWOW64 although the command line names System32: the 32-bit parent is subject to WOW64 file-system redirection. The second copy of the sample (PID 1100) has its command line recorded literally as "{path}"; it is the process whose thread context PID 1628 set and whose 0x400000-0x474000 region carries the Matiex YARA hits, and it is the process WerFault later reports crashed.
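Read as a detection problem, the tree above is a chain: a binary in %TEMP% registers a scheduled task from an XML file also in %TEMP%, starts a second copy of itself and sets that copy's thread context (the process-hollowing pattern), and the hollowed child is the one that later crashes into WerFault. The Python below is an added example of triage logic over that chain; it is not the sandbox's own rules. The events are constructed, Sysmon-style records mirroring the PIDs and command lines on this page, plus one SMTP connection to smtp.yandex.com:587 built from the extracted config because the Network section of this report is empty. The field names, the mail-client allow-list and the rule names are assumptions.

```python
"""Host-side triage of the hollowing + schtasks + SMTP chain. Added example;
event records are constructed and field names are assumptions."""
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SMTP_PORTS = {25, 465, 587}
# Assumed allow-list of processes expected to speak SMTP on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return a list of findings, each {"rule": ..., "pid": ..., ...}."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []

    # Rule 1: persistence via schtasks /Create with a task XML under %TEMP%.
    for p in procs.values():
        cmd = p["cmdline"]
        if basename(p["image"]) == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            m = re.search(r'/xml\s+"?([^"]+)"?', cmd, re.I)
            if m and TEMP_RE.search(m.group(1)):
                findings.append({"rule": "schtasks_xml_from_temp", "pid": p["pid"],
                                 "task_xml": m.group(1)})

    # Rule 2: a process in %TEMP% spawns its own image and sets the child's
    # thread context: the classic hollowing sequence (write, SetThreadContext, resume).
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target"])
        if (src and dst and src["image"].lower() == dst["image"].lower()
                and TEMP_RE.search(src["image"])):
            findings.append({"rule": "self_hollowing_from_temp", "pid": e["pid"],
                             "target": e["target"]})

    # Rule 3: SMTP from anything that is not a mail client (stealer exfil).
    for e in events:
        if e["type"] == "network" and e["port"] in SMTP_PORTS:
            p = procs.get(e["pid"])
            if p and basename(p["image"]) not in MAIL_CLIENTS:
                findings.append({"rule": "smtp_from_non_mail_process", "pid": e["pid"],
                                 "dest": e["dest"]})

    # Rule 4: corroboration only. WerFault for a pid already flagged as hollowed
    # (the payload crashed inside the hijacked process).
    hollowed = {f["target"] for f in findings if f["rule"] == "self_hollowing_from_temp"}
    for p in procs.values():
        if basename(p["image"]) == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", p["cmdline"])
            if m and int(m.group(1)) in hollowed:
                findings.append({"rule": "hollowed_process_crashed", "pid": p["pid"],
                                 "target": int(m.group(1))})
    return findings


# Constructed events mirroring the report's process tree and PIDs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe"
EVENTS = [
    {"type": "process_create", "pid": 1628, "ppid": 0, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 1864, "ppid": 1628,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNxuZSpnXyss" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp562C.tmp"'},
    {"type": "process_create", "pid": 1100, "ppid": 1628, "image": SAMPLE,
     "cmdline": "{path}"},
    {"type": "set_thread_context", "pid": 1628, "target": 1100},
    # Constructed from the extracted config; the report's Network section is empty.
    {"type": "network", "pid": 1100, "dest": "smtp.yandex.com", "port": 587},
    {"type": "process_create", "pid": 1744, "ppid": 1100,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1720"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

Rules 1 to 3 each fire on their own evidence; rule 4 only adds weight once rule 2 has identified the hollowed PID, so a stand-alone WerFault event is never flagged. Dropping the SetThreadContext record from the event list removes both the hollowing and the crash finding while the schtasks and SMTP findings remain.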
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp562C.tmp
  Filesize: 1KB
  MD5: 77759542ce59ae83c395a9b6f5dd331a
  SHA1: 1b9a13e3ae26c6976db0c54b2581a0bbd6d8605f
  SHA256: 813bf6937a557c21e0d5362bb60aa12d5cccffd99cea17e106bbf11fd23c059f
  SHA512: cdf1d56de8e87c9435ee1e6f4b332f3cec31806c72470c1f3a4d335a72f7db27324e8786cfee18953a28e040290de3040f73b61ace8d71fea127ba663d1d95ef
memory/1100-67-0x000000000046FDCE-mapping.dmp
memory/1100-64-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
memory/1100-71-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
memory/1100-69-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
memory/1100-62-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
memory/1100-65-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
memory/1100-61-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
memory/1100-66-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
memory/1628-56-0x0000000000490000-0x000000000049A000-memory.dmp
  Filesize: 40KB
memory/1628-55-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
  Filesize: 8KB
memory/1628-54-0x0000000000C70000-0x0000000000CD4000-memory.dmp
  Filesize: 400KB
memory/1628-58-0x00000000005E0000-0x0000000000654000-memory.dmp
  Filesize: 464KB
memory/1628-57-0x00000000049F0000-0x0000000004A48000-memory.dmp
  Filesize: 352KB
memory/1744-73-0x0000000000000000-mapping.dmp
memory/1864-59-0x0000000000000000-mapping.dmp