Analysis
-
max time kernel
94s -
max time network
140s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-01-2021 06:29
General
-
Target
weg6tX6TTk78XZ5.exe
-
Size
1.1MB
-
MD5
ce11639e100ffbaaf01642df2947b9b1
-
SHA1
4d4974bd4ebe6a84c44528abd3ab77b82ee84271
-
SHA256
5f97fdcdf2c5d98b0183c91b0e070693ee0708721f4a5a7e270d752d7740111b
-
SHA512
87e93e6e0f80d4fded10cc89c2fd3b78bd3503aa27b60765e75a381197c07b6c609e269d354ddc429445bd0aa126d0cf1fa6013847a0c4a05d566af375a50ce1
Malware Config
Extracted
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
click2resultpanel@midombo.com - Password:
Nigerian99
Extracted
matiex
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
click2resultpanel@midombo.com - Password:
Nigerian99
Signatures
-
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
-
Matiex Main Payload 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\weg6tX6TTk78XZ5.exe"C:\Users\Admin\AppData\Local\Temp\weg6tX6TTk78XZ5.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwYcYyO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6BEA.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp6BEA.tmpMD5
75585b0e8caf105571c863982e7c1a6e
SHA10d7f4cc93465fb3552905793e5613ca2a762ffa6
SHA2562a37ebe04dba3e352e2ce2e80f1e0b3c420eea68a767c9edf9aa1a9ac85b243f
SHA512664759b8dcb8a460b4e8c05fdd1ff63fac30f841096ea70076f6bfba7ba3a20aef7f8ae4d34c4ff4523b5eb2a8e93c3228bcae5e2fe2a69080674e64bae250bc
-
memory/2192-25-0x0000000000000000-mapping.dmp
-
memory/2760-26-0x0000000006D80000-0x0000000006D81000-memory.dmpFilesize
4KB
-
memory/2760-22-0x0000000005580000-0x0000000005581000-memory.dmpFilesize
4KB
-
memory/2760-21-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/2760-16-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/2760-15-0x000000000047085E-mapping.dmp
-
memory/2760-14-0x0000000000400000-0x0000000000476000-memory.dmpFilesize
472KB
-
memory/2772-7-0x0000000007E60000-0x0000000007E61000-memory.dmpFilesize
4KB
-
memory/2772-11-0x0000000008AB0000-0x0000000008B58000-memory.dmpFilesize
672KB
-
memory/2772-10-0x0000000007FA0000-0x0000000007FC3000-memory.dmpFilesize
140KB
-
memory/2772-9-0x0000000007F20000-0x0000000007F21000-memory.dmpFilesize
4KB
-
memory/2772-8-0x0000000008000000-0x0000000008001000-memory.dmpFilesize
4KB
-
memory/2772-2-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/2772-6-0x0000000007DC0000-0x0000000007DC1000-memory.dmpFilesize
4KB
-
memory/2772-5-0x00000000082C0000-0x00000000082C1000-memory.dmpFilesize
4KB
-
memory/2772-3-0x0000000000F00000-0x0000000000F01000-memory.dmpFilesize
4KB
-
memory/3524-12-0x0000000000000000-mapping.dmp