Analysis
- max time kernel: 84s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 03:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: Quotation #257&439.exe
- Resource: win7-20220414-en
General
- Target: Quotation #257&439.exe
- Size: 330KB
- MD5: 78ecb4ae45b1ac19a3f0295811eacea0
- SHA1: 3fae2cdcbfa40c6937be2b84e4f0044c9efcacc6
- SHA256: f8113167cfaf623d5c08b33685577743fb96bd3daca2cd915d8b3efe81ad3a8b
- SHA512: dea32cc4e7515b271a5ba8094a955577ab3f0f115654afa70e984da104a2061e3016c847952b3a8a57d363b919a61f1a39a2945dab5da9008283bcb1a2f18a8b
Malware Config
Extracted family: matiex
Exfiltration channel (SMTP credentials recovered in cleartext from the unpacked payload):
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: beatexploit@yandex.com
- Password: welcome@100
Signatures
-
Matiex Main Payload 6 IoCs
YARA rule family_matiex matched the following memory dumps of the hollowed child process (PID 948):
- behavioral1/memory/948-64-0x0000000000400000-0x0000000000474000-memory.dmp
- behavioral1/memory/948-65-0x0000000000400000-0x0000000000474000-memory.dmp
- behavioral1/memory/948-66-0x0000000000400000-0x0000000000474000-memory.dmp
- behavioral1/memory/948-67-0x000000000046FDCE-mapping.dmp
- behavioral1/memory/948-69-0x0000000000400000-0x0000000000474000-memory.dmp
- behavioral1/memory/948-71-0x0000000000400000-0x0000000000474000-memory.dmp
The matched image region in PID 948 (0x400000-0x474000, 464KB) is larger than the parent's own image (0x400000-0x44E000, 312KB) and the same size as a heap region the parent allocated (memory/1932-58, 0x5A50000-0x5AC4000, 464KB), consistent with the parent unpacking the Matiex payload in its own memory and writing it over the child's image. The 0x46FDCE mapping dump is the thread's new entry point inside that payload.
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 4: checkip.dyndns.org
- flow 8: freegeoip.app
- flow 9: freegeoip.app
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 1932 (Quotation #257&439.exe) set thread context of PID 948 (Quotation #257&439.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but it is a generic heuristic: nothing else in this report (no mass file writes, no ransom note, no encryption activity) supports a ransomware classification, and the family identified above is the Matiex keylogger/stealer, for which drive enumeration is ordinary reconnaissance.
Program crash 1 IoCs
Processes:
- PID 1520 WerFault.exe handled a crash of PID 948 (Quotation #257&439.exe)
Creates scheduled task(s) 1 TTPs 1 IoCs
schtasks.exe is often used by malware for persistence or to perform post-infection execution. Here the task is registered from an XML definition dropped in the user's Temp directory (see the process tree below), so the task's trigger and action are only recoverable from that dropped file.
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
- PID 1932 Quotation #257&439.exe (3 events)
Suspicious behavior: RenamesItself 1 IoCs
Processes:
- PID 948 Quotation #257&439.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- PID 1932 Quotation #257&439.exe: Token: SeDebugPrivilege
- PID 948 Quotation #257&439.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
- PID 1932 (Quotation #257&439.exe) wrote to memory of PID 1964 (schtasks.exe): 4 events
- PID 1932 (Quotation #257&439.exe) wrote to memory of PID 948 (Quotation #257&439.exe): 9 events
- PID 948 (Quotation #257&439.exe) wrote to memory of PID 1520 (WerFault.exe): 4 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe (PID 1932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe (PID 1964)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HjFLPuWSHUVJV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE580.tmp"
    (The System32 path resolves to SysWOW64 through file-system redirection, so the sample is a 32-bit process.)
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe (PID 948)
    Command line: "{path}"
    (The child's command line is the literal string {path}, an unfilled template placeholder in the loader; this is itself a cheap indicator for the same-image child that receives the injected payload.)
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 1520)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1760
      - Program crash
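The three judgements an analyst makes from the signatures and process tree above (same-image child written to and given a new thread context, a scheduled task registered from an XML in Temp, and external-IP lookups) can be made mechanically. The script below is an added example, not part of the Triage report and not Triage's own code: the event list is constructed by hand from the PIDs and command lines in this report, the DNS flows carry no PID because the report does not attribute them, and the event-tuple layout and function names are this example's own.

```python
"""Flag the hollowing / persistence / IP-lookup chain seen in this report.

Event tuples are (kind, source_pid, target_pid, detail). They are constructed
by hand from the report above, not pulled from any sandbox API.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, Optional[int], Optional[int], str]

# PID -> image path, from the process tree in the report.
IMAGES: Dict[int, str] = {
    1932: r"C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe",
    948:  r"C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe",
    1964: r"C:\Windows\SysWOW64\schtasks.exe",
    1520: r"C:\Windows\SysWOW64\WerFault.exe",
}

# Constructed from the report's signatures; repeated WriteProcessMemory
# events are collapsed to one per (source, target) pair.
EVENTS: List[Event] = [
    ("create_process", 1932, 1964,
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HjFLPuWSHUVJV" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpE580.tmp"'),
    ("write_process_memory", 1932, 1964, ""),
    ("create_process", 1932, 948, '"{path}"'),
    ("write_process_memory", 1932, 948, ""),
    ("set_thread_context", 1932, 948, ""),
    # Flows 4, 8 and 9 in the report; the originating PID is not given.
    ("dns_query", None, None, "checkip.dyndns.org"),
    ("dns_query", None, None, "freegeoip.app"),
    ("dns_query", None, None, "freegeoip.app"),
    ("create_process", 948, 1520,
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1760"),
]

# The two services named in this report's IoCs.
IP_LOOKUP_SERVICES: Set[str] = {"checkip.dyndns.org", "freegeoip.app"}

SCHTASKS_TN = re.compile(r'/TN\s+"([^"]+)"', re.I)
SCHTASKS_XML = re.compile(r'/XML\s+"([^"]+)"', re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def find_hollowing(events: List[Event], images: Dict[int, str]) -> List[Tuple[int, int, bool]]:
    """Return (parent, child, same_image) for every pair where the parent both
    wrote into the child's memory and replaced its thread context. same_image
    marks the self-hollowing variant seen here (child runs the parent's exe)."""
    written = {(e[1], e[2]) for e in events if e[0] == "write_process_memory"}
    contexts = {(e[1], e[2]) for e in events if e[0] == "set_thread_context"}
    hits = []
    for parent, child in sorted(written & contexts):
        same = images.get(parent) is not None and images.get(parent) == images.get(child)
        hits.append((parent, child, same))
    return hits


def find_schtasks_persistence(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (task_name, xml_path) for schtasks /Create calls whose task
    definition XML lives under the user's Temp directory."""
    hits = []
    for kind, _src, _dst, cmd in events:
        low = cmd.lower()
        if kind != "create_process" or "schtasks" not in low or "/create" not in low:
            continue
        tn, xml = SCHTASKS_TN.search(cmd), SCHTASKS_XML.search(cmd)
        if tn and xml and TEMP_DIR.search(xml.group(1)):
            hits.append((tn.group(1), xml.group(1)))
    return hits


def find_ip_lookups(events: List[Event]) -> Set[str]:
    """Domains resolved that belong to known external-IP lookup services."""
    return {e[3].lower() for e in events
            if e[0] == "dns_query" and e[3].lower() in IP_LOOKUP_SERVICES}


def crashed_children(events: List[Event], images: Dict[int, str]) -> List[int]:
    """PIDs handed to WerFault with -p: here, the injected child that died."""
    hits = []
    for kind, _src, dst, cmd in events:
        if kind == "create_process" and dst in images and images[dst].lower().endswith("werfault.exe"):
            m = re.search(r"-p\s+(\d+)", cmd)
            if m:
                hits.append(int(m.group(1)))
    return hits


if __name__ == "__main__":
    print("hollowing (parent, child, same_image):", find_hollowing(EVENTS, IMAGES))
    print("schtasks persistence:", find_schtasks_persistence(EVENTS))
    print("IP lookup services:", sorted(find_ip_lookups(EVENTS)))
    print("crashed injected PIDs:", crashed_children(EVENTS, IMAGES))
```

The write-plus-SetThreadContext pairing is the part worth keeping in a production rule; the same-image check is only a refinement, since the same loader family could just as well hollow a signed system binary instead of a copy of itself.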
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE580.tmp
  Filesize: 1KB
  MD5: 43f12409530ff471de3d6379bc0d6e34
  SHA1: da9c05746254231d0d82c319f594767b4664e49c
  SHA256: d1c3d530c255d2548d437982a644b2458452ca535e88fb3fa24cbad518b31b33
  SHA512: 2641c13b99c151cde33f96aa0638cb462e5d8142a9b788149a5c49710a5b5c49c2387c71a3fa4f9443751ecef0d66f6c86b3e72db978a438aad96d5d5cd6e615
- memory/948-67-0x000000000046FDCE-mapping.dmp
- memory/948-66-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/948-71-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/948-69-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/948-62-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/948-65-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/948-61-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/948-64-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/1520-73-0x0000000000000000-mapping.dmp
- memory/1932-56-0x0000000000270000-0x000000000027A000-memory.dmp (Filesize: 40KB)
- memory/1932-55-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize: 8KB)
- memory/1932-54-0x0000000000A20000-0x0000000000A78000-memory.dmp (Filesize: 352KB)
- memory/1932-58-0x0000000005A50000-0x0000000005AC4000-memory.dmp (Filesize: 464KB)
- memory/1932-57-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize: 312KB)
- memory/1964-59-0x0000000000000000-mapping.dmp