matiex | 5fe32142dcc57fbdf2a827abcbf92f22d0e6b84aeb1d94f7a3c1c9f674d7567b

Analysis

max time kernel
45s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ea3b43e8a8ce761479e26f94ccf9bd5.exe
Size

8.8MB
MD5

1ea3b43e8a8ce761479e26f94ccf9bd5
SHA1

5936e36c3dd39216803c72e0841da6f6df256291
SHA256

5fe32142dcc57fbdf2a827abcbf92f22d0e6b84aeb1d94f7a3c1c9f674d7567b
SHA512

c3bfcb88839ee2d3eedda32fbdd72dbc6b29ccf8217a265eb3edd19a0b4259a273343035296ac8b34d72bcdcd28697dee509107eb99f8cd6a59bb046dbee4e59
SSDEEP

196608:dCdbOITPSUUpIS9u/pRDXvQhAJ4TsHhGgXZQWYhr5bi:WjTPlcI1XDXv8A2TsBGgX

Score

10^/10

matiex mercurialgrabber collection keylogger spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/835255995735343134/XNe_EsIHeOwVdqPUaV7pv4uxkib5RHnv_Tn6JCr4hEBupeIfyQN2tRINJsXKij_tI_Ec

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ffmpeg.exe	family_matiex
C:\Users\Admin\AppData\Local\Temp\ffmpeg.exe	family_matiex
behavioral1/memory/948-70-0x0000000000E20000-0x0000000000E96000-memory.dmp	family_matiex
\Users\Admin\AppData\Local\Temp\ffmpeg.exe	family_matiex
\Users\Admin\AppData\Local\Temp\ffmpeg.exe	family_matiex
\Users\Admin\AppData\Local\Temp\ffmpeg.exe	family_matiex
\Users\Admin\AppData\Local\Temp\ffmpeg.exe	family_matiex
\Users\Admin\AppData\Local\Temp\ffmpeg.exe	family_matiex

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Executes dropped EXE 4 IoCs

Processes:

msvcp140.exevcruntime140.exeffmpeg.exemodest-menu.exe

pid process

1528 msvcp140.exe
1104 vcruntime140.exe
948 ffmpeg.exe
112 modest-menu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1648 cmd.exe
Drops startup file 1 IoCs

Processes:

ffmpeg.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%nmoufstr%.url ffmpeg.exe
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

1764 WerFault.exe
1764 WerFault.exe
1764 WerFault.exe
1764 WerFault.exe
1764 WerFault.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1528	msvcp140.exe
1104	vcruntime140.exe
948	ffmpeg.exe
112	modest-menu.exe

pid	process
1648	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%nmoufstr%.url	ffmpeg.exe

pid	process
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ffmpeg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ffmpeg.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ffmpeg.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ffmpeg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 checkip.dyndns.org
18 freegeoip.app
19 freegeoip.app
4 ip4.seeip.org
5 ip4.seeip.org
10 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1924 1104 WerFault.exe vcruntime140.exe
1764 948 WerFault.exe ffmpeg.exe

flow	ioc
14	checkip.dyndns.org
18	freegeoip.app
19	freegeoip.app
4	ip4.seeip.org
5	ip4.seeip.org
10	ip-api.com

pid	pid_target	process	target process
1924	1104	WerFault.exe	vcruntime140.exe
1764	948	WerFault.exe	ffmpeg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vcruntime140.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	vcruntime140.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vcruntime140.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

vcruntime140.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	vcruntime140.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	vcruntime140.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	vcruntime140.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	vcruntime140.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	vcruntime140.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	vcruntime140.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1676 PING.EXE
1696 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1ea3b43e8a8ce761479e26f94ccf9bd5.exemodest-menu.exe

pid process

1424 1ea3b43e8a8ce761479e26f94ccf9bd5.exe
1424 1ea3b43e8a8ce761479e26f94ccf9bd5.exe
112 modest-menu.exe
112 modest-menu.exe

pid	process
1676	PING.EXE
1696	PING.EXE

pid	process
1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe
1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe
112	modest-menu.exe
112	modest-menu.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1ea3b43e8a8ce761479e26f94ccf9bd5.exemodest-menu.exevcruntime140.exeffmpeg.exe

description	pid	process
Token: SeDebugPrivilege	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe
Token: SeDebugPrivilege	112	modest-menu.exe
Token: SeDebugPrivilege	1104	vcruntime140.exe
Token: SeDebugPrivilege	948	ffmpeg.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

1ea3b43e8a8ce761479e26f94ccf9bd5.execmd.exevcruntime140.exeffmpeg.exe

description	pid	process	target process
PID 1424 wrote to memory of 1528	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	msvcp140.exe
PID 1424 wrote to memory of 1528	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	msvcp140.exe
PID 1424 wrote to memory of 1528	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	msvcp140.exe
PID 1424 wrote to memory of 1528	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	msvcp140.exe
PID 1424 wrote to memory of 1104	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	vcruntime140.exe
PID 1424 wrote to memory of 1104	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	vcruntime140.exe
PID 1424 wrote to memory of 1104	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	vcruntime140.exe
PID 1424 wrote to memory of 948	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	ffmpeg.exe
PID 1424 wrote to memory of 948	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	ffmpeg.exe
PID 1424 wrote to memory of 948	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	ffmpeg.exe
PID 1424 wrote to memory of 948	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	ffmpeg.exe
PID 1424 wrote to memory of 112	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	modest-menu.exe
PID 1424 wrote to memory of 112	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	modest-menu.exe
PID 1424 wrote to memory of 112	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	modest-menu.exe
PID 1424 wrote to memory of 1648	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	cmd.exe
PID 1424 wrote to memory of 1648	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	cmd.exe
PID 1424 wrote to memory of 1648	1424	1ea3b43e8a8ce761479e26f94ccf9bd5.exe	cmd.exe
PID 1648 wrote to memory of 1676	1648	cmd.exe	PING.EXE
PID 1648 wrote to memory of 1676	1648	cmd.exe	PING.EXE
PID 1648 wrote to memory of 1676	1648	cmd.exe	PING.EXE
PID 1648 wrote to memory of 1696	1648	cmd.exe	PING.EXE
PID 1648 wrote to memory of 1696	1648	cmd.exe	PING.EXE
PID 1648 wrote to memory of 1696	1648	cmd.exe	PING.EXE
PID 1104 wrote to memory of 1924	1104	vcruntime140.exe	WerFault.exe
PID 1104 wrote to memory of 1924	1104	vcruntime140.exe	WerFault.exe
PID 1104 wrote to memory of 1924	1104	vcruntime140.exe	WerFault.exe
PID 948 wrote to memory of 1764	948	ffmpeg.exe	WerFault.exe
PID 948 wrote to memory of 1764	948	ffmpeg.exe	WerFault.exe
PID 948 wrote to memory of 1764	948	ffmpeg.exe	WerFault.exe
PID 948 wrote to memory of 1764	948	ffmpeg.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

ffmpeg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ffmpeg.exe

outlook_win_path 1 IoCs

Processes:

ffmpeg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ffmpeg.exe

C:\Users\Admin\AppData\Local\Temp\1ea3b43e8a8ce761479e26f94ccf9bd5.exe
"C:\Users\Admin\AppData\Local\Temp\1ea3b43e8a8ce761479e26f94ccf9bd5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\msvcp140.exe
"C:\Users\Admin\AppData\Local\Temp\msvcp140.exe"
2⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\AppData\Local\Temp\vcruntime140.exe
"C:\Users\Admin\AppData\Local\Temp\vcruntime140.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1104 -s 1808
3⤵
- Program crash
PID:1924

C:\Users\Admin\AppData\Local\Temp\ffmpeg.exe
"C:\Users\Admin\AppData\Local\Temp\ffmpeg.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1828
3⤵
- Loads dropped DLL
- Program crash
PID:1764

C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
"C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1ea3b43e8a8ce761479e26f94ccf9bd5.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1ea3b43e8a8ce761479e26f94ccf9bd5.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 100
3⤵
- Runs ping.exe
PID:1676

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 900
3⤵
- Runs ping.exe
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffmpeg.exe
Filesize
448KB

MD5
78942c6e318b0c460c37069695742d4a

SHA1
fc31e2c1887f95d19d8331ff0945688c7fec32c5

SHA256
c749d39cf57c5ffb8ed18aaf961ad571e0a698c424ec07bf6c9fad3ae407425c

SHA512
0bcf7dc7e7a2354b0a23e60ec477adf8003a22d7833c302fc7bceb72d59281bbec3d225c01b21888cd01310702bec12d08e3d4f283abd3d0c607619bf9bd9f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffmpeg.exe
Filesize
448KB

MD5
78942c6e318b0c460c37069695742d4a

SHA1
fc31e2c1887f95d19d8331ff0945688c7fec32c5

SHA256
c749d39cf57c5ffb8ed18aaf961ad571e0a698c424ec07bf6c9fad3ae407425c

SHA512
0bcf7dc7e7a2354b0a23e60ec477adf8003a22d7833c302fc7bceb72d59281bbec3d225c01b21888cd01310702bec12d08e3d4f283abd3d0c607619bf9bd9f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
Filesize
8.7MB

MD5
13e5efd3938a8fedcfb0820e5593dc4e

SHA1
3376481dda6c0349a2a377a98434b30d9f2bde20

SHA256
e56c11e2ca383b47312ffe202c0fb7defb89bf8b303d67359a282f0a994ca92c

SHA512
d944adc95fc8230a11724e355ea8ac8ddfaf8373f5a7ab622ac9c7015bd1abb0aca64b9ead957f83994a73000cf2856f80bb61f944334d3b09b0de229d1452cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
Filesize
8.7MB

MD5
13e5efd3938a8fedcfb0820e5593dc4e

SHA1
3376481dda6c0349a2a377a98434b30d9f2bde20

SHA256
e56c11e2ca383b47312ffe202c0fb7defb89bf8b303d67359a282f0a994ca92c

SHA512
d944adc95fc8230a11724e355ea8ac8ddfaf8373f5a7ab622ac9c7015bd1abb0aca64b9ead957f83994a73000cf2856f80bb61f944334d3b09b0de229d1452cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.exe
Filesize
8KB

MD5
324c2e555431e860fac2b2bfc04adb1d

SHA1
c1f4215f0452f1d96c92ee324bc2cef999294874

SHA256
cb2079641bb1bac84ed28836bb03817e09017553e412e26d166673459ad4c688

SHA512
07fac78b65341498eaea79e46bdeed74d516db58d66c03b6a5e7fb0ae5d99cf9d4255472fcfed13a14d3b2734b602f95e84796a761c5231a418a137d3fbdc500

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.exe
Filesize
8KB

MD5
324c2e555431e860fac2b2bfc04adb1d

SHA1
c1f4215f0452f1d96c92ee324bc2cef999294874

SHA256
cb2079641bb1bac84ed28836bb03817e09017553e412e26d166673459ad4c688

SHA512
07fac78b65341498eaea79e46bdeed74d516db58d66c03b6a5e7fb0ae5d99cf9d4255472fcfed13a14d3b2734b602f95e84796a761c5231a418a137d3fbdc500

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcruntime140.exe
Filesize
41KB

MD5
458168047894c09ae76b0add79c7122d

SHA1
4e291744275e8e9006c15d03489e0b252592a817

SHA256
99c506c6a6fbbf9d7ed9e20ed02dfb91be159f0f33498153ca2894731fe41949

SHA512
fcdad8b12068cd6f1da8a6ab1cab610aa383a1f86aaf4523122e3ce0fd9ab7315fc6c239259860ab13dd83342c75c7aa18c997bc7eaefa445a77bdb7eb14ff61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcruntime140.exe
Filesize
41KB

MD5
458168047894c09ae76b0add79c7122d

SHA1
4e291744275e8e9006c15d03489e0b252592a817

SHA256
99c506c6a6fbbf9d7ed9e20ed02dfb91be159f0f33498153ca2894731fe41949

SHA512
fcdad8b12068cd6f1da8a6ab1cab610aa383a1f86aaf4523122e3ce0fd9ab7315fc6c239259860ab13dd83342c75c7aa18c997bc7eaefa445a77bdb7eb14ff61

Download Submit
\Users\Admin\AppData\Local\Temp\ffmpeg.exe
Filesize
448KB

MD5
78942c6e318b0c460c37069695742d4a

SHA1
fc31e2c1887f95d19d8331ff0945688c7fec32c5

SHA256
c749d39cf57c5ffb8ed18aaf961ad571e0a698c424ec07bf6c9fad3ae407425c

SHA512
0bcf7dc7e7a2354b0a23e60ec477adf8003a22d7833c302fc7bceb72d59281bbec3d225c01b21888cd01310702bec12d08e3d4f283abd3d0c607619bf9bd9f8d

Download Submit
\Users\Admin\AppData\Local\Temp\ffmpeg.exe
Filesize
448KB

MD5
78942c6e318b0c460c37069695742d4a

SHA1
fc31e2c1887f95d19d8331ff0945688c7fec32c5

SHA256
c749d39cf57c5ffb8ed18aaf961ad571e0a698c424ec07bf6c9fad3ae407425c

SHA512
0bcf7dc7e7a2354b0a23e60ec477adf8003a22d7833c302fc7bceb72d59281bbec3d225c01b21888cd01310702bec12d08e3d4f283abd3d0c607619bf9bd9f8d

Download Submit
\Users\Admin\AppData\Local\Temp\ffmpeg.exe
Filesize
448KB

MD5
78942c6e318b0c460c37069695742d4a

SHA1
fc31e2c1887f95d19d8331ff0945688c7fec32c5

SHA256
c749d39cf57c5ffb8ed18aaf961ad571e0a698c424ec07bf6c9fad3ae407425c

SHA512
0bcf7dc7e7a2354b0a23e60ec477adf8003a22d7833c302fc7bceb72d59281bbec3d225c01b21888cd01310702bec12d08e3d4f283abd3d0c607619bf9bd9f8d

Download Submit
\Users\Admin\AppData\Local\Temp\ffmpeg.exe
Filesize
448KB

MD5
78942c6e318b0c460c37069695742d4a

SHA1
fc31e2c1887f95d19d8331ff0945688c7fec32c5

SHA256
c749d39cf57c5ffb8ed18aaf961ad571e0a698c424ec07bf6c9fad3ae407425c

SHA512
0bcf7dc7e7a2354b0a23e60ec477adf8003a22d7833c302fc7bceb72d59281bbec3d225c01b21888cd01310702bec12d08e3d4f283abd3d0c607619bf9bd9f8d

Download Submit
\Users\Admin\AppData\Local\Temp\ffmpeg.exe
Filesize
448KB

MD5
78942c6e318b0c460c37069695742d4a

SHA1
fc31e2c1887f95d19d8331ff0945688c7fec32c5

SHA256
c749d39cf57c5ffb8ed18aaf961ad571e0a698c424ec07bf6c9fad3ae407425c

SHA512
0bcf7dc7e7a2354b0a23e60ec477adf8003a22d7833c302fc7bceb72d59281bbec3d225c01b21888cd01310702bec12d08e3d4f283abd3d0c607619bf9bd9f8d

Download Submit
memory/112-81-0x000000001B716000-0x000000001B735000-memory.dmp

Filesize
124KB

Download
memory/112-73-0x0000000000E50000-0x000000000170A000-memory.dmp

Filesize
8.7MB

Download
memory/112-67-0x0000000000000000-mapping.dmp

Download
memory/112-76-0x000000001B716000-0x000000001B735000-memory.dmp

Filesize
124KB

Download
memory/948-70-0x0000000000E20000-0x0000000000E96000-memory.dmp

Filesize
472KB

Download
memory/948-64-0x0000000000000000-mapping.dmp

Download
memory/1104-60-0x0000000000000000-mapping.dmp

Download
memory/1104-63-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/1424-74-0x0000000002996000-0x00000000029B5000-memory.dmp

Filesize
124KB

Download
memory/1424-54-0x0000000000960000-0x0000000001238000-memory.dmp

Filesize
8.8MB

Download
memory/1424-56-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp

Filesize
8KB

Download
memory/1424-55-0x0000000002996000-0x00000000029B5000-memory.dmp

Filesize
124KB

Download
memory/1528-71-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/1528-78-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1528-57-0x0000000000000000-mapping.dmp

Download
memory/1648-72-0x0000000000000000-mapping.dmp

Download
memory/1676-75-0x0000000000000000-mapping.dmp

Download
memory/1696-77-0x0000000000000000-mapping.dmp

Download
memory/1764-82-0x0000000000000000-mapping.dmp

Download
memory/1924-80-0x0000000000000000-mapping.dmp

Download