Analysis
- max time kernel: 106s
- max time network: 108s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:14
Static task: static1
Behavioral task: behavioral1
  Sample: 1XrdOdPqR6jBVMu.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 1XrdOdPqR6jBVMu.exe
  Resource: win10v2004-20220414-en
General
- Target: 1XrdOdPqR6jBVMu.exe
- Size: 507KB
- MD5: e5a4d65f4234001c405be18760073317
- SHA1: 9aaf994aa6cee464fde60749d9a1aba698199b41
- SHA256: 021f4846815c6c2c0fcd2a808054c52c0569526bd4fb049b47ceb061e822d354
- SHA512: 27892695e298ac1be6f982b97be4a9da56ed31031c3cb83d8e98815d1676442672aa3626a8a14782e638fa988a96dcb3229c72356374f7193fc8ee7469fdcc69
Malware Config
Extracted: matiex
- Protocol: smtp
- Host: kin.hosting-mexico.net
- Port: 26
- Username: rm@timbradompresarial.com
- Password: VN=m3-pILg4f
Signatures
-
Matiex Main Payload (6 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1196-62-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
behavioral1/memory/1196-63-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
behavioral1/memory/1196-64-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
behavioral1/memory/1196-65-0x000000000046D49E-mapping.dmp | family_matiex
behavioral1/memory/1196-67-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
behavioral1/memory/1196-69-0x0000000000400000-0x0000000000472000-memory.dmp | family_matiex
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 1XrdOdPqR6jBVMu.exe
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 1XrdOdPqR6jBVMu.exe
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 1XrdOdPqR6jBVMu.exe
-
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
9 | freegeoip.app
4 | checkip.dyndns.org
8 | freegeoip.app
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 240 set thread context of 1196 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
-
Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
1944 | 1196 | WerFault.exe | 1XrdOdPqR6jBVMu.exe
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
240 | 1XrdOdPqR6jBVMu.exe
240 | 1XrdOdPqR6jBVMu.exe
240 | 1XrdOdPqR6jBVMu.exe
240 | 1XrdOdPqR6jBVMu.exe
240 | 1XrdOdPqR6jBVMu.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 240 | 1XrdOdPqR6jBVMu.exe
Token: SeDebugPrivilege | 1196 | 1XrdOdPqR6jBVMu.exe
-
Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
description | pid | process | target process
PID 240 wrote to memory of 1272 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1272 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1272 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1272 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1624 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1624 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1624 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1624 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1320 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1320 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1320 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1320 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1196 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1196 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1196 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1196 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1196 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1196 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1196 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1196 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 240 wrote to memory of 1196 | 240 | 1XrdOdPqR6jBVMu.exe | 1XrdOdPqR6jBVMu.exe
PID 1196 wrote to memory of 1944 | 1196 | 1XrdOdPqR6jBVMu.exe | WerFault.exe
PID 1196 wrote to memory of 1944 | 1196 | 1XrdOdPqR6jBVMu.exe | WerFault.exe
PID 1196 wrote to memory of 1944 | 1196 | 1XrdOdPqR6jBVMu.exe | WerFault.exe
PID 1196 wrote to memory of 1944 | 1196 | 1XrdOdPqR6jBVMu.exe | WerFault.exe
-
outlook_office_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 1XrdOdPqR6jBVMu.exe
-
outlook_win_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 1XrdOdPqR6jBVMu.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
    Command line: "{path}"
    Depth: 2
  -
  C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
    Command line: "{path}"
    Depth: 2
  -
  C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
    Command line: "{path}"
    Depth: 2
  -
  C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
    Command line: "{path}"
    Depth: 2
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    -
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1780
      Depth: 3
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/240-54-0x00000000001B0000-0x0000000000236000-memory.dmp (Filesize: 536KB)
- memory/240-55-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize: 8KB)
- memory/240-56-0x00000000004C0000-0x00000000004CA000-memory.dmp (Filesize: 40KB)
- memory/240-57-0x0000000004E40000-0x0000000004EBC000-memory.dmp (Filesize: 496KB)
- memory/240-58-0x00000000050F0000-0x000000000518C000-memory.dmp (Filesize: 624KB)
- memory/1196-59-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1196-60-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1196-62-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1196-63-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1196-64-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1196-65-0x000000000046D49E-mapping.dmp
- memory/1196-67-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1196-69-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
- memory/1944-71-0x0000000000000000-mapping.dmp