General

  • Target

    matcha-9dbf9780562444e1-upd2.rar

  • Size

    19.8MB

  • Sample

    241109-q7l84swamd

  • MD5

    aa078c80d48de8b4a9651e4527afc011

  • SHA1

    964d33b6964f89d6f13dba8678f50e86f4aadf56

  • SHA256

    2afe60e31599db4d0857fcac3e48ddca6357dedd3b93cc5fc56e72a4b987bbc8

  • SHA512

    1dbca189c3b59e572aaf9791bb5cd7f8f231e4d236117e4d747243733bf521760b52ef08c7553e7934d0a5878de7e7eb53168e8aa3bd83336eb38f47d9be472a

  • SSDEEP

    393216:2PCSlDkykih2dtIQX6vOE3vva3K6dU5v8kJKfPCSlDkykih2dtIQXS:QN+ik/Io69X5v8kAXN+ik/IH

Malware Config

Targets

    • Target

      loader.exe

    • Size

      7.6MB

    • MD5

      0734f6bedc4b869ee82b9d4cccff40b5

    • SHA1

      f85fad7213954af4c1e97fd8ec295edf76882095

    • SHA256

      f126a99a61fbb3ea941e81fce01cd2a2d64080b33789553f94c2c6043f3b470d

    • SHA512

      897794b690ab100abd0116d167e02d70089890b6b3f9091cccdec82e3bb0b1b3a5f7cc3a0ccbf6aff7f86322e09313277f3233e5879350840b0331fa55fc2ba4

    • SSDEEP

      196608:IpHYLwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jC:0IHziK1piXLGVE4Ue0VJu

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.
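    The UPX verdict above (for loader.exe here and for the identical matcha.exe below) is a static signature that can be reproduced offline. The following script is an added example and not part of the report: it walks the MZ header to the PE signature, reads the COFF header and section table, and reports the stock UPX section names (UPX0/UPX1/...) plus the "UPX!" packheader marker as a second signal, since a modified UPX often renames the sections but leaves the marker. The `build_pe` helper constructs minimal test headers so the example runs without the sample.

```python
import struct

# Section names the stock UPX packer writes; a modified UPX may rename these,
# which is why the "UPX!" packheader marker is checked as a second signal.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX3"}
UPX_MARKER = b"UPX!"


def pe_section_names(data: bytes) -> list:
    """Walk MZ -> PE signature -> COFF header -> section table and return the
    section names. Returns [] for anything that is not a parseable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # IMAGE_SECTION_HEADER array, 40 bytes each
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):             # truncated section table: stop, do not crash
            break
        raw = data[off:off + 8].split(b"\0", 1)[0]
        names.append(raw.decode("latin-1"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Report UPX section names and the UPX! marker; 'packed' is true if either is present."""
    sections = pe_section_names(data)
    upx_sections = [n for n in sections if n in UPX_SECTION_NAMES]
    # Stock UPX stores its packheader (starting "UPX!") shortly after the
    # section table. Searching the whole file is simpler but can false-positive
    # on files that merely contain the string, so the marker is reported separately.
    marker = UPX_MARKER in data
    return {"sections": sections, "upx_sections": upx_sections,
            "marker": marker, "packed": bool(upx_sections) or marker}


def build_pe(section_names, trailer=b""):
    """Constructed test input: a minimal MZ/PE header carrying only the fields
    the parser reads (empty optional header). Not a runnable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + trailer


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, upx_indicators(fh.read()))
```

    Run it as `python upx_check.py loader.exe matcha.exe mapper/map.exe` against the extracted archive; a `packed` verdict with `upx_sections` populated is the same evidence the sandbox signature relies on, while a marker-only hit deserves a manual look at the section table.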

    • Target

      mapper/map.exe

    • Size

      5.2MB

    • MD5

      91b2e38c78a29587e4bc141c3f048f0e

    • SHA1

      720a32e02fb3e9529c193c4cc1874a74c7548146

    • SHA256

      02ac7fcef95d3d8ba108c85311412739ec680dcc84e0e6baee6a77aa2271ecff

    • SHA512

      f5b256a0544df654e793634a847892fe00ee412bef33bc4011e7f9d6d215ccbaf0d39270dcd832e403e95ddf109d1f643bff68e359c545837c6c17e1d9f248f8

    • SSDEEP

      98304:MjqhOJCjRLRWUEjzqRxOdlWb0T8hEjE+R7WFxjQFQ/WbzZC+x2wAP:MesJCjR13EavA8+8+j1RSxjQsWXZul

    • Score

      1/10

    • Target

      mapper/matcha-driver.sys

    • Size

      9KB

    • MD5

      21e0a2d7d9ab804eeb1d7c71b532a681

    • SHA1

      2c09d54d71dfbee2eb537844078d74361e1e1dcc

    • SHA256

      5d8f2239e861694d3f10884260160259393d56810e8cc3e6cabae4c0d077c905

    • SHA512

      bfd6b8f3641750bcce137111b895ad9df33d712cb7f0465d99156accdff6298715a9da5da4003e2ad2bad7867013e9be096c21733946c686b2788a679059bc08

    • SSDEEP

      96:xnICc5aHL+i40EzLGenSP+VSHWj7TEGMlOD+1WNBbEpDDIy:JXL+iyzLXSGVYcHg1Wvbon

    • Score

      1/10

    • Target

      matcha.exe

    • Size

      7.6MB

    • MD5

      0734f6bedc4b869ee82b9d4cccff40b5

    • SHA1

      f85fad7213954af4c1e97fd8ec295edf76882095

    • SHA256

      f126a99a61fbb3ea941e81fce01cd2a2d64080b33789553f94c2c6043f3b470d

    • SHA512

      897794b690ab100abd0116d167e02d70089890b6b3f9091cccdec82e3bb0b1b3a5f7cc3a0ccbf6aff7f86322e09313277f3233e5879350840b0331fa55fc2ba4

    • SSDEEP

      196608:IpHYLwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jC:0IHziK1piXLGVE4Ue0VJu

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.
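    The three runtime behaviours listed for matcha.exe (and identically for loader.exe above) are the kind of thing an endpoint detection rule should catch. The script below is an added example, not from the report or the sample: it runs simple rules over parsed process-creation and DNS events shaped like Sysmon Event ID 1 and 22 records, flags Add-/Set-MpPreference exclusion changes (including ones hidden behind -EncodedCommand, which it base64/UTF-16LE decodes first), tasklist process enumeration, and DNS lookups of public IP-echo hosts. The host list is an assumption, since the report does not name the lookup service the sample used; the sample events are constructed.

```python
import base64
import re

# Public "what is my IP" hosts. The report does not name the service the
# sample used, so this list is an assumption; extend it from your own telemetry.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com",
                   "ip-api.com", "checkip.amazonaws.com"}

# Add-MpPreference / Set-MpPreference followed by any of the three exclusion
# parameters the report mentions (path, extension, process).
DEFENDER_EXCLUSION = re.compile(
    r"(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\b", re.I)
# -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

RULES = {
    "defender_exclusion_added": "T1562.001",  # Impair Defenses: Disable or Modify Tools
    "process_enumeration": "T1057",           # Process Discovery
    "external_ip_lookup": "T1016",            # System Network Configuration Discovery
}


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (if any) so the exclusion
    regex also sees commands hidden behind base64. Bad base64 or non-UTF-16
    payloads leave the command line unchanged."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + decoded


def basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def analyze(events):
    """Return (event_index, rule, attack_id) for each matching event.
    Events are dicts mimicking already-parsed Sysmon ID 1 (process) and ID 22 (dns) records."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            image = basename(ev["Image"])
            cmd = expand_encoded(ev.get("CommandLine", ""))
            if image in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCLUSION.search(cmd):
                findings.append((i, "defender_exclusion_added", RULES["defender_exclusion_added"]))
            if image == "tasklist.exe":
                findings.append((i, "process_enumeration", RULES["process_enumeration"]))
        elif ev["type"] == "dns" and ev["QueryName"].lower() in IP_LOOKUP_HOSTS:
            findings.append((i, "external_ip_lookup", RULES["external_ip_lookup"]))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry, not events taken from the report.
ENCODED_SAMPLE = base64.b64encode(
    "Add-MpPreference -ExclusionProcess 'loader.exe'".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"type": "process", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Add-MpPreference "
                    "-ExclusionPath 'C:\\Users\\Public' -ExclusionExtension '.exe'"},
    {"type": "process", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -enc " + ENCODED_SAMPLE},
    {"type": "process", "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /v"},
    {"type": "dns", "Image": r"C:\Users\Public\loader.exe", "QueryName": "api.ipify.org"},
    {"type": "process", "Image": PS,  # benign: only reads preferences
     "CommandLine": "powershell.exe -Command Get-MpPreference"},
]

if __name__ == "__main__":
    for idx, rule, tid in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({tid})")
```

    The Get-MpPreference event deliberately stays silent: the rule keys on the cmdlets that write exclusions, not on any Defender cmdlet, which keeps administrator audits from tripping it. On a real host, feed the function from your Sysmon or Security 4688 pipeline and extend the host set with whatever IP-echo service your own telemetry shows.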
