Analysis
-
max time kernel
102s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30-10-2022 17:10
Behavioral task
behavioral1
Sample
0x000a000000012329-65.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
0x000a000000012329-65.exe
Resource
win10v2004-20220812-en
General
-
Target
0x000a000000012329-65.exe
-
Size
448KB
-
MD5
78942c6e318b0c460c37069695742d4a
-
SHA1
fc31e2c1887f95d19d8331ff0945688c7fec32c5
-
SHA256
c749d39cf57c5ffb8ed18aaf961ad571e0a698c424ec07bf6c9fad3ae407425c
-
SHA512
0bcf7dc7e7a2354b0a23e60ec477adf8003a22d7833c302fc7bceb72d59281bbec3d225c01b21888cd01310702bec12d08e3d4f283abd3d0c607619bf9bd9f8d
-
SSDEEP
6144:BewTv689RF6ySday9pEuDi3wsPxdfMcGBfU/:nTv689RFCdaQEuDwPzfMzBfE
Malware Config
Signatures
-
Matiex Main payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4992-132-0x0000000000460000-0x00000000004D6000-memory.dmp family_matiex -
Drops startup file 1 IoCs
Processes:
0x000a000000012329-65.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%nmoufstr%.url 0x000a000000012329-65.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
0x000a000000012329-65.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 0x000a000000012329-65.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 0x000a000000012329-65.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 0x000a000000012329-65.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 checkip.dyndns.org 24 freegeoip.app 25 freegeoip.app -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1424 4992 WerFault.exe 0x000a000000012329-65.exe -
Modifies registry class 5 IoCs
Processes:
0x000a000000012329-65.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\shell\open\command 0x000a000000012329-65.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings 0x000a000000012329-65.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\shell 0x000a000000012329-65.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\shell\open 0x000a000000012329-65.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\shell\open\command\ 0x000a000000012329-65.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0x000a000000012329-65.exedescription pid process Token: SeDebugPrivilege 4992 0x000a000000012329-65.exe -
outlook_office_path 1 IoCs
Processes:
0x000a000000012329-65.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 0x000a000000012329-65.exe -
outlook_win_path 1 IoCs
Processes:
0x000a000000012329-65.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 0x000a000000012329-65.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x000a000000012329-65.exe"C:\Users\Admin\AppData\Local\Temp\0x000a000000012329-65.exe"1⤵
- Drops startup file
- Accesses Microsoft Outlook profiles
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 21242⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4992 -ip 49921⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4992-132-0x0000000000460000-0x00000000004D6000-memory.dmpFilesize
472KB
-
memory/4992-133-0x0000000004E40000-0x0000000004EDC000-memory.dmpFilesize
624KB
-
memory/4992-134-0x0000000005490000-0x0000000005A34000-memory.dmpFilesize
5.6MB
-
memory/4992-135-0x0000000004F50000-0x0000000004FB6000-memory.dmpFilesize
408KB