matiex | e58284d351b21f134a31fdccd3e53f952133f671892da8a86347d7b930399f28

General

Target

QYD Quotation 20210702.exe
Size

1.1MB
MD5

494fc5838b2ff1381ab5d806cf7820a2
SHA1

d7ec8bb026fe526535ed556936ec057409fb00fa
SHA256

e58284d351b21f134a31fdccd3e53f952133f671892da8a86347d7b930399f28
SHA512

1c18d8524f0aecd4b4dfb2518de69c94362c23c60b3bc2e7229e6b06a9ed6e559212d97f740f4675c028cc5c5f9ab12b51d21589a42656232e207d2866120821

Score

10^/10

matiex keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.thts.vn
Port:
25
Username:
sales01@mtlvn.com.vn
Password:
123luongngan1989

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.thts.vn
Port:
25
Username:
sales01@mtlvn.com.vn
Password:
123luongngan1989

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/340-68-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex
behavioral1/memory/340-69-0x000000000046E07E-mapping.dmp	family_matiex
behavioral1/memory/340-70-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 checkip.dyndns.org
9 freegeoip.app
10 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

QYD Quotation 20210702.exe

description pid process target process

PID 1872 set thread context of 340 1872 QYD Quotation 20210702.exe QYD Quotation 20210702.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1652 schtasks.exe

flow	ioc
5	checkip.dyndns.org
9	freegeoip.app
10	freegeoip.app

description	pid	process	target process
PID 1872 set thread context of 340	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe

pid	process
1652	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

QYD Quotation 20210702.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	QYD Quotation 20210702.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	QYD Quotation 20210702.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

QYD Quotation 20210702.exeQYD Quotation 20210702.exe

pid process

1872 QYD Quotation 20210702.exe
1872 QYD Quotation 20210702.exe
1872 QYD Quotation 20210702.exe
340 QYD Quotation 20210702.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

QYD Quotation 20210702.exe

pid process

340 QYD Quotation 20210702.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

QYD Quotation 20210702.exeQYD Quotation 20210702.exe

description pid process

Token: SeDebugPrivilege 1872 QYD Quotation 20210702.exe
Token: SeDebugPrivilege 340 QYD Quotation 20210702.exe

pid	process
1872	QYD Quotation 20210702.exe
1872	QYD Quotation 20210702.exe
1872	QYD Quotation 20210702.exe
340	QYD Quotation 20210702.exe

pid	process
340	QYD Quotation 20210702.exe

description	pid	process
Token: SeDebugPrivilege	1872	QYD Quotation 20210702.exe
Token: SeDebugPrivilege	340	QYD Quotation 20210702.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

QYD Quotation 20210702.exeQYD Quotation 20210702.exe

description	pid	process	target process
PID 1872 wrote to memory of 1652	1872	QYD Quotation 20210702.exe	schtasks.exe
PID 1872 wrote to memory of 1652	1872	QYD Quotation 20210702.exe	schtasks.exe
PID 1872 wrote to memory of 1652	1872	QYD Quotation 20210702.exe	schtasks.exe
PID 1872 wrote to memory of 1652	1872	QYD Quotation 20210702.exe	schtasks.exe
PID 1872 wrote to memory of 1056	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 1056	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 1056	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 1056	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 340	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 340	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 340	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 340	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 340	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 340	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 340	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 340	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 1872 wrote to memory of 340	1872	QYD Quotation 20210702.exe	QYD Quotation 20210702.exe
PID 340 wrote to memory of 1532	340	QYD Quotation 20210702.exe	netsh.exe
PID 340 wrote to memory of 1532	340	QYD Quotation 20210702.exe	netsh.exe
PID 340 wrote to memory of 1532	340	QYD Quotation 20210702.exe	netsh.exe
PID 340 wrote to memory of 1532	340	QYD Quotation 20210702.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe
"C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DQuUJXrfqT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC08.tmp"
2⤵
- Creates scheduled task(s)
PID:1652

C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe
"{path}"
2⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\QYD Quotation 20210702.exe
"{path}"
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAC08.tmp
MD5
506ffc1b90f51f0612daf501d0e38077

SHA1
33127a3197685752ed8e32c7fbef1c12e952f3c6

SHA256
670f5c9f27accf4bdaf4cbbc23116a649fdc81ed0da456e20b0bc285754a7f38

SHA512
93647008e43f34d55c0e10e6527b84e042942772a76691246bc21047fb87e7d5f66b85e2e25f39b7962de973656521d43f86d9a79ea5e387fc65ba922221ed2e

Download Submit
memory/340-70-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/340-68-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/340-69-0x000000000046E07E-mapping.dmp

Download
memory/340-72-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1532-73-0x0000000000000000-mapping.dmp

Download
memory/1532-74-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1652-66-0x0000000000000000-mapping.dmp

Download
memory/1872-63-0x00000000004F0000-0x00000000004F2000-memory.dmp

Filesize
8KB

Download
memory/1872-64-0x0000000005E40000-0x0000000005EF6000-memory.dmp

Filesize
728KB

Download
memory/1872-65-0x0000000007F10000-0x0000000007FBA000-memory.dmp

Filesize
680KB

Download
memory/1872-62-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1872-60-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads