4f59429fb16674587e462f66c5732b51d211df9bcce758eec5b31046f05a2d60

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MatSploit.exe
Size

1.6MB
MD5

28bb98b32516829a00facf1232514479
SHA1

2c3fe53d4ddaa31bb09d3136ea8102697a0ebcf9
SHA256

6de25bc2a38be29578d61366fd5a789a58896dbe1c467f305f31e289d120e4a5
SHA512

8c121038c006039b057fe424d586647e732ee18f33526d7cee32b955666c0930ce6023cf45cfa2511a765f6c8a1fe0a6f5618bc9d88ae094ed86790edcd8a0ac
SSDEEP

49152:ySIgFm/3uuUX4ykWAfi313LfCzCcwSGO:HIgFmHUGaF3jecSGO

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BootsTrapperU.exeMatSploit.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	BootsTrapperU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	MatSploit.exe

Executes dropped EXE 2 IoCs

Processes:

BootsTrapperU.exeMatSploit.exe

pid process

5080 BootsTrapperU.exe
5000 MatSploit.exe
Loads dropped DLL 2 IoCs

Processes:

MatSploit.exe

pid process

5000 MatSploit.exe
5000 MatSploit.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

BootsTrapperU.exe

pid process

5080 BootsTrapperU.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MatSploit.exeBootsTrapperU.exeMatSploit.exe

description pid process

Token: SeDebugPrivilege 1392 MatSploit.exe
Token: SeDebugPrivilege 5080 BootsTrapperU.exe
Token: SeDebugPrivilege 5000 MatSploit.exe

pid	process
5080	BootsTrapperU.exe
5000	MatSploit.exe

pid	process
5000	MatSploit.exe
5000	MatSploit.exe

pid	process
5080	BootsTrapperU.exe

description	pid	process
Token: SeDebugPrivilege	1392	MatSploit.exe
Token: SeDebugPrivilege	5080	BootsTrapperU.exe
Token: SeDebugPrivilege	5000	MatSploit.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

MatSploit.exeBootsTrapperU.exe

description	pid	process	target process
PID 1392 wrote to memory of 5080	1392	MatSploit.exe	BootsTrapperU.exe
PID 1392 wrote to memory of 5080	1392	MatSploit.exe	BootsTrapperU.exe
PID 1392 wrote to memory of 5080	1392	MatSploit.exe	BootsTrapperU.exe
PID 5080 wrote to memory of 5000	5080	BootsTrapperU.exe	MatSploit.exe
PID 5080 wrote to memory of 5000	5080	BootsTrapperU.exe	MatSploit.exe
PID 5080 wrote to memory of 5000	5080	BootsTrapperU.exe	MatSploit.exe

C:\Users\Admin\AppData\Local\Temp\MatSploit.exe
"C:\Users\Admin\AppData\Local\Temp\MatSploit.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\BootsTrapperU.exe
"C:\Users\Admin\AppData\Local\Temp\BootsTrapperU.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Local\Temp\MatSploit.exe
"C:\Users\Admin\AppData\Local\Temp\MatSploit.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MatSploit.exe.log
Filesize
2KB

MD5
e3152798ee190e4fc7411c64955c7eed

SHA1
5e6ceb9361df35a5a0fac32b604d3fdd9f65c650

SHA256
bd13a78aa4b2084742da4adf1f239308081ec9f6e47c8ffb070c4a2c0d39a569

SHA512
bdee879b69e620c7927caee863cb7f93fdfad14236b667aef59e1f1c01550fe6d09940ef36961014e8426b8accd91b8ab0c1ff72e492cc745525a652a8833758

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootsTrapperU.exe
Filesize
165KB

MD5
8b57e3af9a6b863fbe0746db752eba75

SHA1
bca3c16f360dc795cb31882c04c9ff0ec4d20511

SHA256
ee6e94dcb0f4bb34d487919faee67b4c178daee696d5bc84b229a24c8cad1c6f

SHA512
1799155f917d2a47691745c71b9e5dcb5b21e05fd5a7ae3105a6375bf2a5b5fdf944fc773177f670ea051bf0098a5c9685e14dba67c676fb0a5cdb51f46e4add

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootsTrapperU.exe
Filesize
165KB

MD5
8b57e3af9a6b863fbe0746db752eba75

SHA1
bca3c16f360dc795cb31882c04c9ff0ec4d20511

SHA256
ee6e94dcb0f4bb34d487919faee67b4c178daee696d5bc84b229a24c8cad1c6f

SHA512
1799155f917d2a47691745c71b9e5dcb5b21e05fd5a7ae3105a6375bf2a5b5fdf944fc773177f670ea051bf0098a5c9685e14dba67c676fb0a5cdb51f46e4add

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootsTrapperU.exe
Filesize
165KB

MD5
8b57e3af9a6b863fbe0746db752eba75

SHA1
bca3c16f360dc795cb31882c04c9ff0ec4d20511

SHA256
ee6e94dcb0f4bb34d487919faee67b4c178daee696d5bc84b229a24c8cad1c6f

SHA512
1799155f917d2a47691745c71b9e5dcb5b21e05fd5a7ae3105a6375bf2a5b5fdf944fc773177f670ea051bf0098a5c9685e14dba67c676fb0a5cdb51f46e4add

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICSharpCode.AvalonEdit.dll
Filesize
604KB

MD5
85525afb01eafb7cd53e171344de4653

SHA1
65e4609b6e1d9d0de5568049687edd84fda6d2d3

SHA256
b5180b33e6bb8f215d69d91a6fab46e2e633b222095bcfcafba2530beb181eab

SHA512
3b30b7b4b32ab72ac0903e2053613bf0cd33c8f54879ca012dee12b319aa598e84329e59fc0edb19ad2b4ba6b6d25c12c88cbb78f655e3e6d6396ce909b10799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICSharpCode.AvalonEdit.dll
Filesize
604KB

MD5
85525afb01eafb7cd53e171344de4653

SHA1
65e4609b6e1d9d0de5568049687edd84fda6d2d3

SHA256
b5180b33e6bb8f215d69d91a6fab46e2e633b222095bcfcafba2530beb181eab

SHA512
3b30b7b4b32ab72ac0903e2053613bf0cd33c8f54879ca012dee12b319aa598e84329e59fc0edb19ad2b4ba6b6d25c12c88cbb78f655e3e6d6396ce909b10799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICSharpCode.AvalonEdit.dll
Filesize
604KB

MD5
85525afb01eafb7cd53e171344de4653

SHA1
65e4609b6e1d9d0de5568049687edd84fda6d2d3

SHA256
b5180b33e6bb8f215d69d91a6fab46e2e633b222095bcfcafba2530beb181eab

SHA512
3b30b7b4b32ab72ac0903e2053613bf0cd33c8f54879ca012dee12b319aa598e84329e59fc0edb19ad2b4ba6b6d25c12c88cbb78f655e3e6d6396ce909b10799

Download Submit
C:\Users\Admin\AppData\Local\Temp\MatSploit.exe
Filesize
2.5MB

MD5
dcb25045813cf70b014e3b94f61fb1dd

SHA1
05677911206e6dcde403a6232f1dcb9f77abf959

SHA256
366b2611923ce8255940aafc03c3c156f35b6d0dabe4c5b728233ac0d6c51822

SHA512
23e14f7b2f45c8dddc64cd6d301b144748ac3599139c0ad518d2f75d648c746d80e02334cdc7b014f3efe09844a4d3809e7f3177e623a89033d8de948c12b2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MatSploit.exe
Filesize
2.5MB

MD5
dcb25045813cf70b014e3b94f61fb1dd

SHA1
05677911206e6dcde403a6232f1dcb9f77abf959

SHA256
366b2611923ce8255940aafc03c3c156f35b6d0dabe4c5b728233ac0d6c51822

SHA512
23e14f7b2f45c8dddc64cd6d301b144748ac3599139c0ad518d2f75d648c746d80e02334cdc7b014f3efe09844a4d3809e7f3177e623a89033d8de948c12b2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MatSploit.exe
Filesize
2.5MB

MD5
dcb25045813cf70b014e3b94f61fb1dd

SHA1
05677911206e6dcde403a6232f1dcb9f77abf959

SHA256
366b2611923ce8255940aafc03c3c156f35b6d0dabe4c5b728233ac0d6c51822

SHA512
23e14f7b2f45c8dddc64cd6d301b144748ac3599139c0ad518d2f75d648c746d80e02334cdc7b014f3efe09844a4d3809e7f3177e623a89033d8de948c12b2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\BootstrapperVersion.txt
Filesize
6B

MD5
a19f30071f8ac5c3999b7328ad578380

SHA1
3a9076f4bf68ae9702aba10239ab9b6840c203de

SHA256
c8d40e3fc93e328816f7a6ec5faf2cc18d6f89dccec4ee591280466223446540

SHA512
a4e3b0a8eb943f258224fc40d03fb6980258c1b21b2042c0d82dfa3f70c787a50943c2c11271c7ad638c9940aa60bdd1934edc94c9f3d572da71baf49701a082

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\MatSploit.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1392-145-0x00000000078B0000-0x00000000078C0000-memory.dmp

Filesize
64KB

Download
memory/1392-143-0x00000000078B0000-0x00000000078C0000-memory.dmp

Filesize
64KB

Download
memory/1392-140-0x000000000D0F0000-0x000000000D0FE000-memory.dmp

Filesize
56KB

Download
memory/1392-139-0x000000000D110000-0x000000000D148000-memory.dmp

Filesize
224KB

Download
memory/1392-133-0x00000000005D0000-0x000000000076E000-memory.dmp

Filesize
1.6MB

Download
memory/1392-138-0x00000000078B0000-0x00000000078C0000-memory.dmp

Filesize
64KB

Download
memory/1392-137-0x000000000D080000-0x000000000D088000-memory.dmp

Filesize
32KB

Download
memory/1392-134-0x00000000078B0000-0x00000000078C0000-memory.dmp

Filesize
64KB

Download
memory/5000-187-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/5000-201-0x000000000DC70000-0x000000000DD0E000-memory.dmp

Filesize
632KB

Download
memory/5000-185-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/5000-186-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/5000-184-0x0000000000C10000-0x0000000000E9A000-memory.dmp

Filesize
2.5MB

Download
memory/5000-191-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/5000-212-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/5000-211-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/5000-210-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/5000-209-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/5080-168-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/5080-156-0x00000000004D0000-0x0000000000502000-memory.dmp

Filesize
200KB

Download
memory/5080-158-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/5080-159-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/5080-167-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download