Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    28/08/2020, 06:33 UTC

General

  • Target

    1XrdOdPqR6jBVMu.exe

  • Size

    507KB

  • MD5

    e5a4d65f4234001c405be18760073317

  • SHA1

    9aaf994aa6cee464fde60749d9a1aba698199b41

  • SHA256

    021f4846815c6c2c0fcd2a808054c52c0569526bd4fb049b47ceb061e822d354

  • SHA512

    27892695e298ac1be6f982b97be4a9da56ed31031c3cb83d8e98815d1676442672aa3626a8a14782e638fa988a96dcb3229c72356374f7193fc8ee7469fdcc69

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    kin.hosting-mexico.net
  • Port:
    26
  • Username:
    rm@timbradompresarial.com
  • Password:
    VN=m3-pILg4f

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

  • Matiex Main Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients keep account settings and saved credentials in files on disk; infostealers read those files to harvest them.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers read the browser's stored profile data, which can include saved credentials and other sensitive user data.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
    "C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
        PID:3100
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:804

Network

  DNS and HTTP requests

  • DNS checkip.dyndns.org (resolver 8.8.8.8:53)
    Request:  checkip.dyndns.org IN A
    Response: checkip.dyndns.org IN CNAME checkip.dyndns.com
              checkip.dyndns.com IN A 131.186.161.70
              checkip.dyndns.com IN A 162.88.193.70
              checkip.dyndns.com IN A 216.146.43.71
              checkip.dyndns.com IN A 131.186.113.70
              checkip.dyndns.com IN A 216.146.43.70
  • GET http://checkip.dyndns.org/ (1XrdOdPqR6jBVMu.exe → 131.186.161.70:80)
    Request:
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Content-Type: text/html
      Server: DynDNS-CheckIP/1.0.1
      Connection: close
      Cache-Control: no-cache
      Pragma: no-cache
      Content-Length: 104
  • GET http://checkip.dyndns.org/ (1XrdOdPqR6jBVMu.exe → 131.186.161.70:80)
    Request: same as above, without the Connection: Keep-Alive header
    Response: same as above (HTTP/1.1 200 OK, Content-Length: 104)
  • DNS freegeoip.app (resolver 8.8.8.8:53)
    Request:  freegeoip.app IN A
    Response: freegeoip.app IN A 104.28.5.151
              freegeoip.app IN A 104.28.4.151
              freegeoip.app IN A 172.67.188.154
  • GET http://checkip.dyndns.org/ (1XrdOdPqR6jBVMu.exe → 131.186.161.70:80), three further requests
    Request and response identical to the second entry above (no Connection: Keep-Alive; HTTP/1.1 200 OK, Content-Length: 104)
  • DNS kin.hosting-mexico.net (resolver 8.8.8.8:53)
    Request:  kin.hosting-mexico.net IN A
    Response: kin.hosting-mexico.net IN A 68.70.164.21

  Connections (remote address, domain or URL, protocol, process, bytes sent / received, packet counts)

  • 131.186.161.70:80  http://checkip.dyndns.org/  http  1XrdOdPqR6jBVMu.exe  381 B / 465 B  5 / 5
    HTTP request: GET http://checkip.dyndns.org/  response: 200
  • 131.186.161.70:80  http://checkip.dyndns.org/  http  1XrdOdPqR6jBVMu.exe  357 B / 465 B  5 / 5
    HTTP request: GET http://checkip.dyndns.org/  response: 200
  • 104.28.5.151:443  freegeoip.app  tls  1XrdOdPqR6jBVMu.exe  1.2kB / 6.2kB  14 / 11
  • 131.186.161.70:80  http://checkip.dyndns.org/  http  1XrdOdPqR6jBVMu.exe  357 B / 473 B  5 / 5
    HTTP request: GET http://checkip.dyndns.org/  response: 200
  • 131.186.161.70:80  http://checkip.dyndns.org/  http  1XrdOdPqR6jBVMu.exe  357 B / 465 B  5 / 5
    HTTP request: GET http://checkip.dyndns.org/  response: 200
  • 131.186.161.70:80  http://checkip.dyndns.org/  http  1XrdOdPqR6jBVMu.exe  357 B / 465 B  5 / 5
    HTTP request: GET http://checkip.dyndns.org/  response: 200
  • 68.70.164.21:26  kin.hosting-mexico.net  (protocol not labelled by the sandbox; the extracted config says smtp)  1XrdOdPqR6jBVMu.exe  3.6kB / 7.1kB  26 / 26
  • 8.8.8.8:53  checkip.dyndns.org  dns  64 B / 176 B  1 / 1
    DNS request: checkip.dyndns.org  response: 131.186.161.70, 162.88.193.70, 216.146.43.71, 131.186.113.70, 216.146.43.70
  • 8.8.8.8:53  freegeoip.app  dns  59 B / 107 B  1 / 1
    DNS request: freegeoip.app  response: 104.28.5.151, 104.28.4.151, 172.67.188.154
  • 8.8.8.8:53  kin.hosting-mexico.net  dns  68 B / 84 B  1 / 1
    DNS request: kin.hosting-mexico.net  response: 68.70.164.21
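On the wire the report shows three things that, seen together from one process, make the infostealer exfiltration pattern: external-IP lookups (checkip.dyndns.org, then freegeoip.app over TLS), a User-Agent claiming MSIE 6.0 on Windows NT 5.2 with .NET CLR 1.0.3705 (which a Windows 10 host does not send on its own), and an SMTP session on port 26 to kin.hosting-mexico.net, the host from the extracted config. The Python below is an added example, not code from the report or from the sample: it parses the raw request, maps flow destinations back to the queried names, and scores each process. RAW_REQUEST, DNS_ANSWERS and FLOWS are constructed from the values in the report (TLS and SMTP byte counts rounded from 1.2kB/6.2kB and 3.6kB/7.1kB); MAIL_PORTS and the MAIL_CLIENTS allowlist are assumptions to replace with your own inventory.

```python
"""Network detection for the traffic in the report above (added example).

RAW_REQUEST, DNS_ANSWERS and FLOWS are constructed from the report's values;
MAIL_PORTS and MAIL_CLIENTS are assumptions, not from the report.
"""
from collections import defaultdict
from dataclasses import dataclass

IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "checkip.dyndns.com", "freegeoip.app"}
# MSIE 6 on NT 5.2 with .NET CLR 1.0: a Windows 10 host does not send this on its own.
LEGACY_UA_MARKERS = ("MSIE 6.0", ".NET CLR1.0.3705")
MAIL_PORTS = {25, 26, 465, 587, 2525}              # 26 and 2525 are common hosting-provider alternates
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str
    process: str
    tx_bytes: int
    rx_bytes: int


RAW_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    "Host: checkip.dyndns.org\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

DNS_ANSWERS = {
    "checkip.dyndns.org": {"131.186.161.70", "162.88.193.70", "216.146.43.71",
                           "131.186.113.70", "216.146.43.70"},
    "freegeoip.app": {"104.28.5.151", "104.28.4.151", "172.67.188.154"},
    "kin.hosting-mexico.net": {"68.70.164.21"},
}

FLOWS = [
    Flow("131.186.161.70", 80, "tcp", "1XrdOdPqR6jBVMu.exe", 381, 465),
    Flow("104.28.5.151", 443, "tcp", "1XrdOdPqR6jBVMu.exe", 1200, 6200),
    Flow("68.70.164.21", 26, "tcp", "1XrdOdPqR6jBVMu.exe", 3600, 7100),
    Flow("8.8.8.8", 53, "udp", "1XrdOdPqR6jBVMu.exe", 64, 176),
]


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers); header
    names are lower-cased so lookups do not depend on the client's casing."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def ip_to_domain(dns_answers):
    """Invert DNS answers so a flow's destination IP maps back to the name queried."""
    return {ip: domain for domain, ips in dns_answers.items() for ip in ips}


def assess(flows, raw_requests, dns_answers):
    """Per-process findings. 'exfil_pattern' is True when one process both
    looks up its external IP and speaks SMTP although it is not a mail client."""
    rev = ip_to_domain(dns_answers)
    findings = defaultdict(lambda: defaultdict(set))
    for f in flows:
        domain = rev.get(f.dst_ip, f.dst_ip)
        if domain in IP_LOOKUP_DOMAINS:
            findings[f.process]["external_ip_lookup"].add(domain)
        if f.proto == "tcp" and f.dst_port in MAIL_PORTS and f.process.lower() not in MAIL_CLIENTS:
            findings[f.process]["smtp_from_non_mail_client"].add(f"{domain}:{f.dst_port}")
    for process, raw in raw_requests:
        _method, _target, headers = parse_http_request(raw)
        ua = headers.get("user-agent", "")
        if all(marker in ua for marker in LEGACY_UA_MARKERS):
            findings[process]["legacy_user_agent"].add(ua)
    result = {}
    for process, kinds in findings.items():
        summary = {kind: sorted(values) for kind, values in kinds.items()}
        summary["exfil_pattern"] = ("external_ip_lookup" in summary
                                    and "smtp_from_non_mail_client" in summary)
        result[process] = summary
    return result


if __name__ == "__main__":
    for process, summary in assess(FLOWS, [("1XrdOdPqR6jBVMu.exe", RAW_REQUEST)], DNS_ANSWERS).items():
        print(process, summary)
```

Keying the SMTP rule on the originating process rather than on the port alone is what keeps it usable: port 26 from Outlook is a hosting provider's alternate submission port, port 26 from an executable in %TEMP% that has just asked checkip.dyndns.org for its address is the report above.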

MITRE ATT&CK Enterprise v6


Downloads

  Memory dumps (name encodes PID, dump index and virtual address range; size is the Filesize column)

  • memory/2076-9-0x0000000007810000-0x0000000007882000-memory.dmp   456KB
  • memory/2076-11-0x000000000B240000-0x000000000B2D8000-memory.dmp  608KB
  • memory/2076-4-0x0000000005050000-0x0000000005051000-memory.dmp   4KB
  • memory/2076-5-0x0000000005000000-0x0000000005001000-memory.dmp   4KB
  • memory/2076-6-0x0000000005290000-0x0000000005291000-memory.dmp   4KB
  • memory/2076-7-0x0000000005300000-0x0000000005303000-memory.dmp   12KB
  • memory/2076-8-0x00000000074C0000-0x00000000074C1000-memory.dmp   4KB
  • memory/2076-0-0x0000000073530000-0x0000000073C1E000-memory.dmp   6.9MB
  • memory/2076-3-0x0000000005660000-0x0000000005661000-memory.dmp   4KB
  • memory/2076-1-0x0000000000770000-0x0000000000771000-memory.dmp   4KB
  • memory/2076-10-0x0000000007980000-0x0000000007981000-memory.dmp  4KB
  • memory/3932-12-0x0000000000400000-0x0000000000472000-memory.dmp  456KB
  • memory/3932-15-0x0000000073530000-0x0000000073C1E000-memory.dmp  6.9MB
  • memory/3932-20-0x0000000004ED0000-0x0000000004ED1000-memory.dmp  4KB
  • memory/3932-22-0x00000000065C0000-0x00000000065C1000-memory.dmp  4KB
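The dump names above carry enough to correlate the two processes without opening the files. The 456KB region the parent (2076) holds at 0x07810000 reappears in the child (3932) at 0x00400000, the conventional 32-bit image base, which together with the parent's WriteProcessMemory and SetThreadContext calls is consistent with the parent staging a payload and writing it over the child's image; that child region is the one to carve for the unpacked payload. The 6.9MB region at 0x73530000 has identical bounds in both processes, consistent with a shared module mapping rather than injected code. The Python below is an added example, not code from the report or the sandbox: it parses the names, recomputes the sizes and applies both checks. DUMPS is the report's own list; the name pattern and the image-base constant are assumptions about this report format.

```python
"""Correlate the memory dumps listed in the report above (added example).

DUMPS is the report's own list of dump names; the name pattern and the
32-bit image base used by the heuristic are assumptions.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
IMAGE_BASE_32 = 0x400000  # conventional image base of a 32-bit PE (assumption)

DUMPS = [
    "memory/2076-9-0x0000000007810000-0x0000000007882000-memory.dmp",
    "memory/2076-11-0x000000000B240000-0x000000000B2D8000-memory.dmp",
    "memory/2076-4-0x0000000005050000-0x0000000005051000-memory.dmp",
    "memory/2076-5-0x0000000005000000-0x0000000005001000-memory.dmp",
    "memory/2076-6-0x0000000005290000-0x0000000005291000-memory.dmp",
    "memory/2076-7-0x0000000005300000-0x0000000005303000-memory.dmp",
    "memory/2076-8-0x00000000074C0000-0x00000000074C1000-memory.dmp",
    "memory/2076-0-0x0000000073530000-0x0000000073C1E000-memory.dmp",
    "memory/2076-3-0x0000000005660000-0x0000000005661000-memory.dmp",
    "memory/2076-1-0x0000000000770000-0x0000000000771000-memory.dmp",
    "memory/2076-10-0x0000000007980000-0x0000000007981000-memory.dmp",
    "memory/3932-12-0x0000000000400000-0x0000000000472000-memory.dmp",
    "memory/3932-15-0x0000000073530000-0x0000000073C1E000-memory.dmp",
    "memory/3932-20-0x0000000004ED0000-0x0000000004ED1000-memory.dmp",
    "memory/3932-22-0x00000000065C0000-0x00000000065C1000-memory.dmp",
]


def parse_dump_name(name):
    """(pid, index, start, end) from a dump file name."""
    m = DUMP_NAME.fullmatch(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    pid, index, start, end = m.groups()
    return int(pid), int(index), int(start, 16), int(end, 16)


def size_kib(start, end):
    """Region size in KiB, the unit the report's size column uses."""
    return (end - start) // 1024


def regions_by_pid(names):
    regions = defaultdict(list)
    for name in names:
        pid, _index, start, end = parse_dump_name(name)
        regions[pid].append((start, end))
    return regions


def find_hollowing_candidates(names, parent_pid, child_pid):
    """[(parent_region, child_region)]: a child region at the image base whose
    size equals a parent region at some other address, i.e. a payload staged
    in the parent and written over the child's image."""
    regions = regions_by_pid(names)
    hits = []
    for child_start, child_end in regions[child_pid]:
        if child_start != IMAGE_BASE_32:
            continue
        for parent_start, parent_end in regions[parent_pid]:
            if parent_start != child_start and parent_end - parent_start == child_end - child_start:
                hits.append(((parent_start, parent_end), (child_start, child_end)))
    return hits


def shared_regions(names, pid_a, pid_b):
    """Regions with identical bounds in both processes: usually shared module
    mappings, so they are the ones to skip when carving a payload."""
    regions = regions_by_pid(names)
    return sorted(set(regions[pid_a]) & set(regions[pid_b]))


if __name__ == "__main__":
    for name in DUMPS:
        pid, index, start, end = parse_dump_name(name)
        print(f"{pid}-{index:<3} 0x{start:08X}-0x{end:08X} {size_kib(start, end):>5} KiB")
    print("hollowing candidates:", find_hollowing_candidates(DUMPS, 2076, 3932))
    print("shared mappings:", shared_regions(DUMPS, 2076, 3932))
```

Size equality alone is a weak signal (any two 4KB pages would match), which is why the candidate check also requires the child region to sit at the image base and the parent copy to sit elsewhere; the single hit that survives here is the 0x72000-byte pair 0x07810000 in 2076 and 0x00400000 in 3932.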
