Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
25-01-2021 18:56
General
-
Target
er.exe
-
Size
24KB
-
MD5
612be75dd32e0576d23e8188afd4a489
-
SHA1
4fb53cf9f43b8d6ab16577c98aa7bbba5986b296
-
SHA256
b37892c9f8b0b73345bd8f5b47faa274495f1f7b986013f62a4a005ed40b4db4
-
SHA512
c7b2e326c90f0696babfa621202924553671f75cb2cd86970c00e156b9e5d3290b9494e9ece7825f9f5b0f876ae509a1e50c43ab7b88ebeaebd5c5512643e2f8
Score
10/10
Malware Config
Extracted
Family
matiex
Credentials
Protocol: smtp- Host:
ckfashion.shop - Port:
26 - Username:
[email protected] - Password:
123Mat+++
Signatures
-
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
-
Matiex Main Payload 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\er.exe"C:\Users\Admin\AppData\Local\Temp\er.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/496-2-0x0000000073D40000-0x000000007442E000-memory.dmpFilesize
6.9MB
-
memory/496-3-0x0000000000BE0000-0x0000000000BE1000-memory.dmpFilesize
4KB
-
memory/496-5-0x0000000005440000-0x0000000005441000-memory.dmpFilesize
4KB
-
memory/496-6-0x0000000005530000-0x0000000005531000-memory.dmpFilesize
4KB
-
memory/496-7-0x0000000005F50000-0x0000000005F51000-memory.dmpFilesize
4KB
-
memory/1344-18-0x0000000000000000-mapping.dmp
-
memory/3160-13-0x00000000055C0000-0x00000000055C1000-memory.dmpFilesize
4KB
-
memory/3160-10-0x0000000073D40000-0x000000007442E000-memory.dmpFilesize
6.9MB
-
memory/3160-9-0x000000000047213E-mapping.dmp
-
memory/3160-14-0x0000000005520000-0x0000000005521000-memory.dmpFilesize
4KB
-
memory/3160-15-0x00000000030A0000-0x00000000030A1000-memory.dmpFilesize
4KB
-
memory/3160-16-0x00000000068D0000-0x00000000068D1000-memory.dmpFilesize
4KB
-
memory/3160-17-0x0000000006DD0000-0x0000000006DD1000-memory.dmpFilesize
4KB
-
memory/3160-8-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/3160-19-0x00000000067B0000-0x00000000067B1000-memory.dmpFilesize
4KB
-
memory/3160-20-0x0000000007050000-0x0000000007051000-memory.dmpFilesize
4KB