matiex | 9a14ef7dd61e214e5d8f0ed0e4e98efdf3b6a97794e12e6c74811f85bf0fe021

General

Target

payment invoice090909000.exe
Size

478KB
MD5

5ce9199ca2f9bbfb99cf5dd672e884af
SHA1

484ce13dc8aed2309c2bbeb25b0136bbe5228114
SHA256

9a14ef7dd61e214e5d8f0ed0e4e98efdf3b6a97794e12e6c74811f85bf0fe021
SHA512

509af31de428567ab35be085259e78b88ddf0627c26baaf7d1c54099b531798815a436638523aae5ace4ea4017634057ff197abc579cc38ceb2841b14250ebfa

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
srvc13.turhost.com
Port:
587
Username:
info@bilgitekdagitim.com
Password:
italik2015

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
srvc13.turhost.com
Port:
587
Username:
info@bilgitekdagitim.com
Password:
italik2015

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2484-3-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral2/memory/2484-4-0x000000000047023E-mapping.dmp	family_matiex

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
12 freegeoip.app
13 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

payment invoice090909000.exe

description pid process target process

PID 4092 set thread context of 2484 4092 payment invoice090909000.exe MSBuild.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2712 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

2484 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

payment invoice090909000.exe

pid process

4092 payment invoice090909000.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2484 MSBuild.exe

flow	ioc
7	checkip.dyndns.org
12	freegeoip.app
13	freegeoip.app

description	pid	process	target process
PID 4092 set thread context of 2484	4092	payment invoice090909000.exe	MSBuild.exe

pid	process
2712	schtasks.exe

pid	process
2484	MSBuild.exe

pid	process
4092	payment invoice090909000.exe

description	pid	process
Token: SeDebugPrivilege	2484	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

payment invoice090909000.execmd.exeMSBuild.exe

description	pid	process	target process
PID 4092 wrote to memory of 2432	4092	payment invoice090909000.exe	cmd.exe
PID 4092 wrote to memory of 2432	4092	payment invoice090909000.exe	cmd.exe
PID 4092 wrote to memory of 2432	4092	payment invoice090909000.exe	cmd.exe
PID 4092 wrote to memory of 2484	4092	payment invoice090909000.exe	MSBuild.exe
PID 4092 wrote to memory of 2484	4092	payment invoice090909000.exe	MSBuild.exe
PID 4092 wrote to memory of 2484	4092	payment invoice090909000.exe	MSBuild.exe
PID 4092 wrote to memory of 2484	4092	payment invoice090909000.exe	MSBuild.exe
PID 2432 wrote to memory of 2712	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 2712	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 2712	2432	cmd.exe	schtasks.exe
PID 2484 wrote to memory of 2280	2484	MSBuild.exe	netsh.exe
PID 2484 wrote to memory of 2280	2484	MSBuild.exe	netsh.exe
PID 2484 wrote to memory of 2280	2484	MSBuild.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\payment invoice090909000.exe
"C:\Users\Admin\AppData\Local\Temp\payment invoice090909000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\8b58fad2a4354d06a96543985b862504.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\8b58fad2a4354d06a96543985b862504.xml"
3⤵
- Creates scheduled task(s)
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\payment invoice090909000.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8b58fad2a4354d06a96543985b862504.xml
MD5
aa2f6636e997aaa0b01fbc78b1dabe52

SHA1
fd462100fc91975dcbea8e361cf1eb8a70f6ad54

SHA256
d710b6eda22285684579d8b547e5be2f48883c4bf8db39993b00df30f9dc8723

SHA512
6540a3bbdbd3ab51679d5b32380e6c288bf6eba2777d067d40bfe65642ccafecd18028b102dfa46ac189d84282da2b6cb202a4f307587c5639f86834788f5104

Download Submit
memory/2280-14-0x0000000000000000-mapping.dmp

Download
memory/2432-2-0x0000000000000000-mapping.dmp

Download
memory/2484-11-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/2484-7-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-4-0x000000000047023E-mapping.dmp

Download
memory/2484-12-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/2484-13-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2484-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2484-15-0x0000000006920000-0x0000000006921000-memory.dmp

Filesize
4KB

Download
memory/2484-16-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

Filesize
4KB

Download
memory/2484-17-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/2712-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads