matiex | 39d7b97907b7836d51b332d85ecdbf4cd5fa55de562959a020a6752adeea4e1c

General

Target

03ba23a85802f57beed2d5c69453c6d2.exe
Size

500KB
MD5

03ba23a85802f57beed2d5c69453c6d2
SHA1

3d83f5623299630fd6f57a567ac048c7d1853dcb
SHA256

39d7b97907b7836d51b332d85ecdbf4cd5fa55de562959a020a6752adeea4e1c
SHA512

028c6edb097565b888589159fb7c8eb92604c333ac58cd075447eb369ae2cd071b85ee0ffdd427ec448fe1b3070adfe26ff5c28482b997a630f8f95b719e2974

Score

10^/10

matiex keylogger spyware stealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1271137457:AAFNGECSqnP1dXVAPgbr-EWVUDbzylXjmhg/sendMessage?chat_id=1216524090

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3928-27-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex
behavioral2/memory/3928-28-0x000000000046E71E-mapping.dmp	family_matiex

Drops startup file 2 IoCs

Processes:

pOwERsHeLl.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nameup.exe	pOwERsHeLl.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nameup.exe	pOwERsHeLl.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 freegeoip.app
15 checkip.dyndns.org
18 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

03ba23a85802f57beed2d5c69453c6d2.exe

description pid process target process

PID 3940 set thread context of 3928 3940 03ba23a85802f57beed2d5c69453c6d2.exe 03ba23a85802f57beed2d5c69453c6d2.exe

flow	ioc
19	freegeoip.app
15	checkip.dyndns.org
18	freegeoip.app

description	pid	process	target process
PID 3940 set thread context of 3928	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe

Modifies registry class 5 IoCs

Processes:

03ba23a85802f57beed2d5c69453c6d2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\ms-settings\shell\open\command	03ba23a85802f57beed2d5c69453c6d2.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\ms-settings	03ba23a85802f57beed2d5c69453c6d2.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\ms-settings\shell	03ba23a85802f57beed2d5c69453c6d2.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\ms-settings\shell\open	03ba23a85802f57beed2d5c69453c6d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\ms-settings\shell\open\command\	03ba23a85802f57beed2d5c69453c6d2.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

pOwERsHeLl.exe03ba23a85802f57beed2d5c69453c6d2.exe03ba23a85802f57beed2d5c69453c6d2.exe

pid	process
2300	pOwERsHeLl.exe
2300	pOwERsHeLl.exe
2300	pOwERsHeLl.exe
3940	03ba23a85802f57beed2d5c69453c6d2.exe
3940	03ba23a85802f57beed2d5c69453c6d2.exe
3940	03ba23a85802f57beed2d5c69453c6d2.exe
3940	03ba23a85802f57beed2d5c69453c6d2.exe
3928	03ba23a85802f57beed2d5c69453c6d2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

03ba23a85802f57beed2d5c69453c6d2.exe

pid process

3928 03ba23a85802f57beed2d5c69453c6d2.exe

pid	process
3928	03ba23a85802f57beed2d5c69453c6d2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pOwERsHeLl.exe03ba23a85802f57beed2d5c69453c6d2.exe03ba23a85802f57beed2d5c69453c6d2.exe

description	pid	process
Token: SeDebugPrivilege	2300	pOwERsHeLl.exe
Token: SeDebugPrivilege	3940	03ba23a85802f57beed2d5c69453c6d2.exe
Token: SeDebugPrivilege	3928	03ba23a85802f57beed2d5c69453c6d2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

03ba23a85802f57beed2d5c69453c6d2.exe

pid process

3928 03ba23a85802f57beed2d5c69453c6d2.exe

pid	process
3928	03ba23a85802f57beed2d5c69453c6d2.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

03ba23a85802f57beed2d5c69453c6d2.exe

C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe
"C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe
"pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nameup.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe
"C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe"
2⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe
"C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe"
2⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe
"C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\03ba23a85802f57beed2d5c69453c6d2.exe.log
MD5
6c1aa60b46ba4e118b6f5600603df204

SHA1
6222484928ba6d048b1c8f54a9e2ffcd6c531e10

SHA256
8b85cca831586dab3ccf44d25760a783c7eaf14107930850678b66ea79001d4a

SHA512
2089faae7b8dd76594306a23c4e73e836dee6be7a9f03d5b45d613e4c78a266f8c3267574c3fd335eafdcd66aebaf0c3a8ea82b78cdb6601d6797d1c0a3057bb

Download Submit
memory/2300-19-0x00000000087C0000-0x00000000087C1000-memory.dmp

Filesize
4KB

Download
memory/2300-13-0x00000000070D2000-0x00000000070D3000-memory.dmp

Filesize
4KB

Download
memory/2300-18-0x0000000008410000-0x0000000008411000-memory.dmp

Filesize
4KB

Download
memory/2300-7-0x0000000000000000-mapping.dmp

Download
memory/2300-8-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-9-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/2300-25-0x00000000070D3000-0x00000000070D4000-memory.dmp

Filesize
4KB

Download
memory/2300-11-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/2300-12-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/2300-21-0x00000000096A0000-0x00000000096A1000-memory.dmp

Filesize
4KB

Download
memory/2300-14-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/2300-15-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/2300-16-0x0000000007F90000-0x0000000007F91000-memory.dmp

Filesize
4KB

Download
memory/2300-17-0x0000000008000000-0x0000000008001000-memory.dmp

Filesize
4KB

Download
memory/2300-23-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download
memory/2300-20-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/2300-22-0x0000000009410000-0x0000000009411000-memory.dmp

Filesize
4KB

Download
memory/3928-40-0x0000000005113000-0x0000000005115000-memory.dmp

Filesize
8KB

Download
memory/3928-30-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/3928-39-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/3928-38-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/3928-37-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/3928-27-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3928-28-0x000000000046E71E-mapping.dmp

Download
memory/3928-36-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3940-26-0x0000000005600000-0x000000000560C000-memory.dmp

Filesize
48KB

Download
memory/3940-3-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3940-5-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/3940-10-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/3940-6-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/3940-2-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 3940 wrote to memory of 2300	3940	03ba23a85802f57beed2d5c69453c6d2.exe	pOwERsHeLl.exe
PID 3940 wrote to memory of 2300	3940	03ba23a85802f57beed2d5c69453c6d2.exe	pOwERsHeLl.exe
PID 3940 wrote to memory of 2300	3940	03ba23a85802f57beed2d5c69453c6d2.exe	pOwERsHeLl.exe
PID 3940 wrote to memory of 3124	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3124	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3124	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3292	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3292	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3292	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3928	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3928	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3928	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3928	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3928	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3928	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3928	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 3940 wrote to memory of 3928	3940	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads