Overview

overview

10

Static

static

weg6tX6TTk78XZ5.exe

windows7_x64

10

weg6tX6TTk78XZ5.exe

windows10_x64

10

Analysis

  • max time kernel
    109s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    20-01-2021 06:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    weg6tX6TTk78XZ5.exe

  • Size

    1.1MB

  • MD5

    ce11639e100ffbaaf01642df2947b9b1

  • SHA1

    4d4974bd4ebe6a84c44528abd3ab77b82ee84271

  • SHA256

    5f97fdcdf2c5d98b0183c91b0e070693ee0708721f4a5a7e270d752d7740111b

  • SHA512

    87e93e6e0f80d4fded10cc89c2fd3b78bd3503aa27b60765e75a381197c07b6c609e269d354ddc429445bd0aa126d0cf1fa6013847a0c4a05d566af375a50ce1

Score
10/10
matiexkeyloggerstealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    click2resultpanel@midombo.com
  • Password:
    Nigerian99

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    click2resultpanel@midombo.com
  • Password:
    Nigerian99

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\weg6tX6TTk78XZ5.exe
    "C:\Users\Admin\AppData\Local\Temp\weg6tX6TTk78XZ5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwYcYyO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5570.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1804
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:428
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
          PID:392
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:268
          • C:\Windows\SysWOW64\netsh.exe
            "netsh" wlan show profile
            3⤵
              PID:1972

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp5570.tmp
          MD5

          208c6e2029271bc5cb74279dc159a802

          SHA1

          608b7edb27f357410aa050bc8748f6788ea2aeee

          SHA256

          e4febc79819c6150571866e0468327d2a0a01ce4ba712d6af2c0de7535e78752

          SHA512

          ab4e9aa5f13768871252ca0a17f8b1a1683723541694db6560a288a1a20f29bc840600c0e4d4d04cb23d9b35036ca6b181a9952ad0938bbfcb41d18d7508df14

          Download Submit
        • memory/268-12-0x0000000074320000-0x0000000074A0E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/268-15-0x00000000057D0000-0x00000000057D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/268-18-0x00000000057D5000-0x00000000057E6000-memory.dmp
          Filesize

          68KB

          Download
        • memory/268-13-0x0000000000400000-0x0000000000476000-memory.dmp
          Filesize

          472KB

          Download
        • memory/268-11-0x000000000047085E-mapping.dmp
          Download
        • memory/268-10-0x0000000000400000-0x0000000000476000-memory.dmp
          Filesize

          472KB

          Download
        • memory/1804-8-0x0000000000000000-mapping.dmp
          Download
        • memory/1904-3-0x0000000001200000-0x0000000001201000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1904-2-0x0000000074320000-0x0000000074A0E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1904-7-0x00000000076B0000-0x0000000007758000-memory.dmp
          Filesize

          672KB

          Download
        • memory/1904-5-0x00000000003E0000-0x0000000000403000-memory.dmp
          Filesize

          140KB

          Download
        • memory/1904-6-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1972-16-0x0000000000000000-mapping.dmp
          Download
        • memory/1972-17-0x0000000075781000-0x0000000075783000-memory.dmp
          Filesize

          8KB

          Download