Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-08-2024 17:39
Static task
static1
Behavioral task
behavioral1
Sample
Invoice.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Invoice.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Pics.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
Pics.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Products drawing.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
Products drawing.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Quotation and Prices.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
Quotation and Prices.exe
Resource
win10v2004-20240802-en
General
-
Target
Quotation and Prices.exe
-
Size
730KB
-
MD5
6d991f93327f70488011bf06ba799930
-
SHA1
1b630a8c337cc48f9ec41cccc4352f51e7d51e71
-
SHA256
abfc5a0bbf24e3dbc1c76c0734ea0b1ed6a0d5ff6f44f2a5a3e4e2f9317118c3
-
SHA512
181be4ad5a549d51461fd8c9a470abac2895f51b5ec1cdba6927644ca0e8fb91663d8635ed5c98f4a90ae2752eb98b3235f106ee2d009cc885bdf6d0faadfe70
-
SSDEEP
12288:tFda+FdahcQS8zfwkD/j1UGmy7eaqwVlXN8eR5dKFLtnoAf:8cn8zfwa1Dmyxrd8eqLt
Malware Config
Extracted
matiex
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
[email protected] - Password:
MARYolanmauluogwo@ever
Signatures
-
Matiex Main payload 1 IoCs
resource yara_rule behavioral8/memory/3004-28-0x0000000000400000-0x0000000000476000-memory.dmp family_matiex -
Beds Protector Packer 1 IoCs
Detects Beds Protector packer used to load .NET malware.
resource yara_rule behavioral8/memory/3528-5-0x00000000051A0000-0x0000000005246000-memory.dmp beds_protector -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Powershell.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotation and Prices.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotation and Prices.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotation and Prices.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 checkip.dyndns.org 16 freegeoip.app 20 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3528 set thread context of 3004 3528 Quotation and Prices.exe 88 -
pid Process 2852 Powershell.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1784 3004 WerFault.exe 88 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quotation and Prices.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quotation and Prices.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2852 Powershell.exe 2852 Powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2852 Powershell.exe Token: SeDebugPrivilege 3004 Quotation and Prices.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3528 wrote to memory of 2852 3528 Quotation and Prices.exe 85 PID 3528 wrote to memory of 2852 3528 Quotation and Prices.exe 85 PID 3528 wrote to memory of 2852 3528 Quotation and Prices.exe 85 PID 3528 wrote to memory of 3004 3528 Quotation and Prices.exe 88 PID 3528 wrote to memory of 3004 3528 Quotation and Prices.exe 88 PID 3528 wrote to memory of 3004 3528 Quotation and Prices.exe 88 PID 3528 wrote to memory of 3004 3528 Quotation and Prices.exe 88 PID 3528 wrote to memory of 3004 3528 Quotation and Prices.exe 88 PID 3528 wrote to memory of 3004 3528 Quotation and Prices.exe 88 PID 3528 wrote to memory of 3004 3528 Quotation and Prices.exe 88 PID 3528 wrote to memory of 3004 3528 Quotation and Prices.exe 88 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotation and Prices.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotation and Prices.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation and Prices.exe"C:\Users\Admin\AppData\Local\Temp\Quotation and Prices.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Quotation and Prices.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'2⤵
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
-
C:\Users\Admin\AppData\Local\Temp\Quotation and Prices.exe"C:\Users\Admin\AppData\Local\Temp\Quotation and Prices.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 14163⤵
- Program crash
PID:1784
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3004 -ip 30041⤵PID:8
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56a669672404c7fa39949936a483cf174
SHA125efdb55d16b9629db7d934e960a73d31a24f7c9
SHA256937f98842e6d7049d8fcbb88ee2c4a324865f528e1fd9ba49de094010801b280
SHA512ff48308ab82705bbe80139057ac652bf87c5fd7d129b0b57754ce50c833dda1d95743c6dd99d4560d3085cb87b571e7a6657dfde83c3908770ffcbcd551acefe
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82