Analysis
-
max time kernel
28s -
max time network
74s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
25/08/2024, 17:39 UTC
General
-
Target
Quotation and Prices.exe
-
Size
730KB
-
MD5
6d991f93327f70488011bf06ba799930
-
SHA1
1b630a8c337cc48f9ec41cccc4352f51e7d51e71
-
SHA256
abfc5a0bbf24e3dbc1c76c0734ea0b1ed6a0d5ff6f44f2a5a3e4e2f9317118c3
-
SHA512
181be4ad5a549d51461fd8c9a470abac2895f51b5ec1cdba6927644ca0e8fb91663d8635ed5c98f4a90ae2752eb98b3235f106ee2d009cc885bdf6d0faadfe70
-
SSDEEP
12288:tFda+FdahcQS8zfwkD/j1UGmy7eaqwVlXN8eR5dKFLtnoAf:8cn8zfwa1Dmyxrd8eqLt
Score
10/10
Malware Config
Extracted
Family
matiex
Credentials
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
sales1@midombo.com - Password:
MARYolanmauluogwo@ever
Signatures
-
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
-
Matiex Main payload 5 IoCs
-
Beds Protector Packer 1 IoCs
Detects Beds Protector packer used to load .NET malware.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops startup file 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation and Prices.exe"C:\Users\Admin\AppData\Local\Temp\Quotation and Prices.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Quotation and Prices.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'2⤵
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Quotation and Prices.exe"C:\Users\Admin\AppData\Local\Temp\Quotation and Prices.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 9363⤵
- Program crash
-
-
Network
-
DNScheckip.dyndns.orgRemote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A193.122.130.0checkip.dyndns.comIN A158.101.44.242checkip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A132.226.8.169checkip.dyndns.comIN A132.226.247.73 -
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Sun, 25 Aug 2024 17:39:53 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2c50bd2e73284debcec8e769aa89d8b2
-
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Sun, 25 Aug 2024 17:39:56 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8376927ae4e0433b35f53de712984faf
-
DNSfreegeoip.appRemote address:8.8.8.8:53Requestfreegeoip.appIN AResponsefreegeoip.appIN A104.21.73.97freegeoip.appIN A172.67.160.84
-
GEThttps://freegeoip.app/xml/194.110.13.70Remote address:104.21.73.97:443RequestGET /xml/194.110.13.70 HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive
-
GEThttps://freegeoip.app/xml/194.110.13.70Remote address:104.21.73.97:443RequestGET /xml/194.110.13.70 HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 25 Aug 2024 17:40:15 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 25 Aug 2024 18:40:15 GMT
Location: https://ipbase.com/xml/194.110.13.70
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KZ%2BNHzkX8TUKkj9t1GaKr%2Br%2BuRaNevmZCD9nYAe6n2J5jitY2FK0LPtQ2zOjcafI9JUDSl%2BYadiAnQL%2B8RZaYKk6fD2slIpljC4QJckdTaA%2BiMulAdEA0XWFmrNwCiyH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b8d5dbe6d39cd2a-LHR
alt-svc: h3=":443"; ma=86400
-
DNSipbase.comRemote address:8.8.8.8:53Requestipbase.comIN AResponseipbase.comIN A104.21.85.189ipbase.comIN A172.67.209.71
-
GEThttps://ipbase.com/xml/194.110.13.70Remote address:104.21.85.189:443RequestGET /xml/194.110.13.70 HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Sun, 25 Aug 2024 17:40:16 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Age: 0
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; fwd=miss
Vary: Accept-Encoding
X-Nf-Request-Id: 01J659ZN2ZX235FWFCH94MVHVY
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XsoO4Oinv2gWvDDJuJaWsJyq0vs%2B4OoLF15E6aqv11vCTrIC6YrHPf5p%2FjZzdrpYw%2FUzWKY85rjydS54hx8G7Zf4p%2BuUyxrrJ1cHaEIVUvSHAt0rKdJkEbuW4PKq"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b8d5dc059e8bed0-LHR
alt-svc: h3=":443"; ma=86400
-
193.122.130.0:80http://checkip.dyndns.org/http
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200 -
104.21.73.97:443https://freegeoip.app/xml/194.110.13.70tls, http
HTTP Request
GET https://freegeoip.app/xml/194.110.13.70 -
104.21.73.97:443https://freegeoip.app/xml/194.110.13.70tls, http
HTTP Request
GET https://freegeoip.app/xml/194.110.13.70HTTP Response
301 -
104.21.85.189:443https://ipbase.com/xml/194.110.13.70tls, http
HTTP Request
GET https://ipbase.com/xml/194.110.13.70HTTP Response
404
-
8.8.8.8:53checkip.dyndns.orgdns
DNS Request
checkip.dyndns.org
DNS Response
193.122.130.0158.101.44.242193.122.6.168132.226.8.169132.226.247.73
-
8.8.8.8:53freegeoip.appdns
DNS Request
freegeoip.app
DNS Response
104.21.73.97172.67.160.84
-
8.8.8.8:53ipbase.comdns
DNS Request
ipbase.com
DNS Response
104.21.85.189172.67.209.71
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
88KB
-
Filesize
752KB
-
Filesize
4KB
-
Filesize
664KB
-
Filesize
472KB
-
Filesize
472KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
472KB
-
Filesize
472KB
-
Filesize
472KB