matiex | b37892c9f8b0b73345bd8f5b47faa274495f1f7b986013f62a4a005ed40b4db4

General

Target

er.exe
Size

24KB
MD5

612be75dd32e0576d23e8188afd4a489
SHA1

4fb53cf9f43b8d6ab16577c98aa7bbba5986b296
SHA256

b37892c9f8b0b73345bd8f5b47faa274495f1f7b986013f62a4a005ed40b4db4
SHA512

c7b2e326c90f0696babfa621202924553671f75cb2cd86970c00e156b9e5d3290b9494e9ece7825f9f5b0f876ae509a1e50c43ab7b88ebeaebd5c5512643e2f8

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
ckfashion.shop
Port:
26
Username:
[email protected]
Password:
123Mat+++

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/968-9-0x0000000000400000-0x0000000000478000-memory.dmp	family_matiex
behavioral1/memory/968-10-0x000000000047213E-mapping.dmp	family_matiex
behavioral1/memory/968-12-0x0000000000400000-0x0000000000478000-memory.dmp	family_matiex

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

6 848 rundll32.exe
8 848 rundll32.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 checkip.dyndns.org
18 freegeoip.app
19 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

er.exe

description pid process target process

PID 1872 set thread context of 968 1872 er.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
6	848	rundll32.exe
8	848	rundll32.exe

flow	ioc
13	checkip.dyndns.org
18	freegeoip.app
19	freegeoip.app

description	pid	process	target process
PID 1872 set thread context of 968	1872	er.exe	AddInProcess32.exe

Modifies registry class 3 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

er.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	er.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	er.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AddInProcess32.exe

pid process

968 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

er.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 1872 er.exe
Token: SeDebugPrivilege 968 AddInProcess32.exe

pid	process
968	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1872	er.exe
Token: SeDebugPrivilege	968	AddInProcess32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

er.exe

description	pid	process	target process
PID 1872 wrote to memory of 848	1872	er.exe	rundll32.exe
PID 1872 wrote to memory of 848	1872	er.exe	rundll32.exe
PID 1872 wrote to memory of 848	1872	er.exe	rundll32.exe
PID 1872 wrote to memory of 848	1872	er.exe	rundll32.exe
PID 1872 wrote to memory of 848	1872	er.exe	rundll32.exe
PID 1872 wrote to memory of 848	1872	er.exe	rundll32.exe
PID 1872 wrote to memory of 848	1872	er.exe	rundll32.exe
PID 1872 wrote to memory of 968	1872	er.exe	AddInProcess32.exe
PID 1872 wrote to memory of 968	1872	er.exe	AddInProcess32.exe
PID 1872 wrote to memory of 968	1872	er.exe	AddInProcess32.exe
PID 1872 wrote to memory of 968	1872	er.exe	AddInProcess32.exe
PID 1872 wrote to memory of 968	1872	er.exe	AddInProcess32.exe
PID 1872 wrote to memory of 968	1872	er.exe	AddInProcess32.exe
PID 1872 wrote to memory of 968	1872	er.exe	AddInProcess32.exe
PID 1872 wrote to memory of 968	1872	er.exe	AddInProcess32.exe
PID 1872 wrote to memory of 968	1872	er.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\er.exe
"C:\Users\Admin\AppData\Local\Temp\er.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {5edb1ddd-6a21-414f-bc6e-e6e5379b875c};C:\Users\Admin\AppData\Local\Temp\er.exe;1872
2⤵
- Blocklisted process makes network request
- Modifies registry class
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-3-0x0000000000000000-mapping.dmp

Download
memory/968-9-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/968-10-0x000000000047213E-mapping.dmp

Download
memory/968-11-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/968-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/968-14-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1872-2-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1872-5-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/1872-6-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1872-8-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads