Analysis
- max time kernel: 60s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:41
Static task: static1
Behavioral task: behavioral1
- Sample: TNT E-Invoice Cosignment Delivery Notification_pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: TNT E-Invoice Cosignment Delivery Notification_pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: TNT E-Invoice Cosignment Delivery Notification_pdf.exe
- Size: 1.1MB
- MD5: 22e5a3e8fb401981cfdb4bc0c9235e7d
- SHA1: 5a371efcb5183f96f96082b5fefec1e05b84c21f
- SHA256: b0dd472a02ed67fe15e20e2faa6167d8c1e9d54c9f0abc95a255197bbf0c0264
- SHA512: d787f86a0ef8da1f29ea3accc3871fd3e78d9f09dccafe58cf13dbbc2a5a19cdfd22001e0417301b9401f6bea79d68c40119aba5a29db9e931ea98e2d294dba3
Malware Config
(none extracted)

Signatures
Matiex Main Payload (7 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/852-56-0x0000000001160000-0x00000000011D4000-memory.dmp: family_matiex
- behavioral1/memory/1716-60-0x0000000000400000-0x0000000000470000-memory.dmp: family_matiex
- behavioral1/memory/1716-61-0x0000000000400000-0x0000000000470000-memory.dmp: family_matiex
- behavioral1/memory/1716-63-0x000000000046B6CE-mapping.dmp: family_matiex
- behavioral1/memory/1716-62-0x0000000000400000-0x0000000000470000-memory.dmp: family_matiex
- behavioral1/memory/1716-65-0x0000000000400000-0x0000000000470000-memory.dmp: family_matiex
- behavioral1/memory/1716-67-0x0000000000400000-0x0000000000470000-memory.dmp: family_matiex
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TNT E-Invoice Cosignment Delivery Notification_pdf.exe\"" (process: TNT E-Invoice Cosignment Delivery Notification_pdf.exe)
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TNT E-Invoice Cosignment Delivery Notification_pdf.exe (process: TNT E-Invoice Cosignment Delivery Notification_pdf.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TNT E-Invoice Cosignment Delivery Notification_pdf.exe (process: TNT E-Invoice Cosignment Delivery Notification_pdf.exe)
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: caspol.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: caspol.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: caspol.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\TNT E-Invoice Cosignment Delivery Notification_pdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNT E-Invoice Cosignment Delivery Notification_pdf.exe" (process: TNT E-Invoice Cosignment Delivery Notification_pdf.exe)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 4: checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 852 (TNT E-Invoice Cosignment Delivery Notification_pdf.exe) set thread context of PID 1716 (caspol.exe)
Program crash (1 IoC)
Processes (pid, pid_target, process, target process):
- PID 868 (WerFault.exe), target PID 1716 (caspol.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, PID 1716 (caspol.exe)
Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description, pid, process, target process):
- PID 852 (TNT E-Invoice Cosignment Delivery Notification_pdf.exe) wrote to memory of PID 1716 (caspol.exe): 9 events
- PID 1716 (caspol.exe) wrote to memory of PID 868 (WerFault.exe): 4 events
outlook_office_path (1 IoC)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: caspol.exe)
outlook_win_path (1 IoC)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: caspol.exe)
Processes (tree, depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Cosignment Delivery Notification_pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Cosignment Delivery Notification_pdf.exe"
  - Modifies WinLogon for persistence
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1324
      - Program crash
Downloads
- memory/852-54-0x00000000013B0000-0x00000000014C8000-memory.dmp (Filesize 1.1MB)
- memory/852-55-0x00000000763E1000-0x00000000763E3000-memory.dmp (Filesize 8KB)
- memory/852-56-0x0000000001160000-0x00000000011D4000-memory.dmp (Filesize 464KB)
- memory/868-69-0x0000000000000000-mapping.dmp
- memory/1716-57-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/1716-58-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/1716-60-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/1716-61-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/1716-63-0x000000000046B6CE-mapping.dmp
- memory/1716-62-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/1716-65-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)
- memory/1716-67-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize 448KB)