Analysis
-
max time kernel
181s -
max time network
200s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:28
Static task
static1
Behavioral task
behavioral1
Sample
T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe
Resource
win10v2004-20220414-en
General
-
Target
T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe
-
Size
1023KB
-
MD5
e1f4f160517e085442d10fc35b0dfb23
-
SHA1
bf32b3506630ee1865961febbd44ac6c8581e549
-
SHA256
d1f8714f2ba5d192baddc1b4e254b49b538c8527419d2250b4d33730629d148e
-
SHA512
a2843f01d9ff2f050b1b362122a9bdf822ce53396ba416ed057c7ae848f5a143d6f36c9cb6d8418b00ce751518aa41b1429fd46fdcb618ae195d3c935d724809
Malware Config
Extracted
matiex
Protocol: smtp- Host:
srvc13.turhost.com - Port:
587 - Username:
info@bilgitekdagitim.com - Password:
italik2015
Signatures
-
Matiex Main Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1748-137-0x0000000000400000-0x0000000000472000-memory.dmp family_matiex -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 31 checkip.dyndns.org 35 freegeoip.app 36 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exedescription pid process target process PID 1860 set thread context of 1748 1860 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1764 1748 WerFault.exe T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exedescription pid process Token: SeDebugPrivilege 1748 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exedescription pid process target process PID 1860 wrote to memory of 1748 1860 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe PID 1860 wrote to memory of 1748 1860 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe PID 1860 wrote to memory of 1748 1860 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe PID 1860 wrote to memory of 1748 1860 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe PID 1860 wrote to memory of 1748 1860 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe PID 1860 wrote to memory of 1748 1860 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe PID 1860 wrote to memory of 1748 1860 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe PID 1860 wrote to memory of 1748 1860 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe -
outlook_office_path 1 IoCs
Processes:
T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe -
outlook_win_path 1 IoCs
Processes:
T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe"C:\Users\Admin\AppData\Local\Temp\T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe"C:\Users\Admin\AppData\Local\Temp\T.HALK BANKASI A.S. 31..07.2020 - 04.08.2020 Hesap Ekstresi.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 20203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1748 -ip 17481⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1748-136-0x0000000000000000-mapping.dmp
-
memory/1748-137-0x0000000000400000-0x0000000000472000-memory.dmpFilesize
456KB
-
memory/1748-138-0x00000000054A0000-0x0000000005506000-memory.dmpFilesize
408KB
-
memory/1860-130-0x0000000000D50000-0x0000000000E56000-memory.dmpFilesize
1.0MB
-
memory/1860-131-0x0000000005790000-0x000000000582C000-memory.dmpFilesize
624KB
-
memory/1860-132-0x0000000005E50000-0x00000000063F4000-memory.dmpFilesize
5.6MB
-
memory/1860-133-0x0000000005940000-0x00000000059D2000-memory.dmpFilesize
584KB
-
memory/1860-134-0x0000000005880000-0x000000000588A000-memory.dmpFilesize
40KB
-
memory/1860-135-0x00000000059E0000-0x0000000005A36000-memory.dmpFilesize
344KB