matiex | 9dacb6e97f39f81eee74d0779165f4a74e31f27cec1a67d52c541c52ed169d73

General

Target

g6yzl1NROz6FgZi.exe
Size

1.2MB
MD5

7a8fa3fe4b23a2ca9612b2b1cf096f6a
SHA1

898d020a309d30d33055978794b2131fa5a18698
SHA256

9dacb6e97f39f81eee74d0779165f4a74e31f27cec1a67d52c541c52ed169d73
SHA512

a77912743ed08c7814d6b3a7a3fea19728561f69891c862ea35957ca4886beded2ffea80342af5d9c7b45a8aa868cd8dc9edcc67b62e1b53f25d5c21be407370

Score

10^/10

matiex bootkit keylogger persistence spyware stealer suricata

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4180-160-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/4180-169-0x0000000005A20000-0x0000000005FC6000-memory.dmp	family_matiex

suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
suricata
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

File opened (read-only) \??\D: svchost.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org
2 freegeoip.app
22 freegeoip.app
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

g6yzl1NROz6FgZi.exe

description pid process target process

PID 4564 set thread context of 4180 4564 g6yzl1NROz6FgZi.exe g6yzl1NROz6FgZi.exe

description	ioc	process
File opened (read-only)	\??\D:	svchost.exe

flow	ioc
2	checkip.dyndns.org
2	freegeoip.app
22	freegeoip.app

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

description	pid	process	target process
PID 4564 set thread context of 4180	4564	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp.override	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MoNotificationUx.exeMoNotificationUx.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MoNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MoNotificationUx.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MoNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MoNotificationUx.exe

Modifies data under HKEY_USERS 48 IoCs

Processes:

sihclient.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

g6yzl1NROz6FgZi.exe

pid process

4180 g6yzl1NROz6FgZi.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exeg6yzl1NROz6FgZi.exe

description pid process

Token: SeSystemEnvironmentPrivilege 4552 svchost.exe
Token: SeDebugPrivilege 4180 g6yzl1NROz6FgZi.exe

pid	process
4180	g6yzl1NROz6FgZi.exe

description	pid	process
Token: SeSystemEnvironmentPrivilege	4552	svchost.exe
Token: SeDebugPrivilege	4180	g6yzl1NROz6FgZi.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

g6yzl1NROz6FgZi.exeg6yzl1NROz6FgZi.exesvchost.exesvchost.exe

description	pid	process	target process
PID 4564 wrote to memory of 4180	4564	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 4564 wrote to memory of 4180	4564	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 4564 wrote to memory of 4180	4564	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 4564 wrote to memory of 4180	4564	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 4564 wrote to memory of 4180	4564	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 4564 wrote to memory of 4180	4564	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 4564 wrote to memory of 4180	4564	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 4564 wrote to memory of 4180	4564	g6yzl1NROz6FgZi.exe	g6yzl1NROz6FgZi.exe
PID 4180 wrote to memory of 3052	4180	g6yzl1NROz6FgZi.exe	netsh.exe
PID 4180 wrote to memory of 3052	4180	g6yzl1NROz6FgZi.exe	netsh.exe
PID 4180 wrote to memory of 3052	4180	g6yzl1NROz6FgZi.exe	netsh.exe
PID 2908 wrote to memory of 1456	2908	svchost.exe	pcaui.exe
PID 2908 wrote to memory of 1456	2908	svchost.exe	pcaui.exe
PID 1452 wrote to memory of 4016	1452	svchost.exe	mpcmdrun.exe
PID 1452 wrote to memory of 4016	1452	svchost.exe	mpcmdrun.exe

C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe
"C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe
  "C:\Users\Admin\AppData\Local\Temp\g6yzl1NROz6FgZi.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" wlan show profile
    3⤵
    PID:3052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\wlrmdr.exe
-c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty
1⤵
PID:4544

C:\Windows\system32\MoNotificationUx.exe
%systemroot%\system32\MoNotificationUx.exe /ClearActiveNotifications
1⤵
- Checks processor information in registry
PID:4632

C:\Windows\system32\MoNotificationUx.exe
%systemroot%\system32\MoNotificationUx.exe /ClearActiveNotifications
1⤵
- Checks processor information in registry
PID:4736

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv R3q930x020WnyfI9gsy3Ow.0.2
1⤵
- Modifies data under HKEY_USERS
PID:3856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\System32\pcaui.exe
  C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
  2⤵
  PID:1456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
PID:1352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Program Files\Windows Defender\mpcmdrun.exe
  "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
  2⤵
  PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g6yzl1NROz6FgZi.exe.log

MD5
b63910653f353ee43f64da9a034e8959

SHA1
52660a2b24bd7704997b65d73dfafd2246df5e35

SHA256
f3342e4ee6cced0a2e482a27dd7d1a63a3c196fd51dc6bab7b079458584b8a70

SHA512
976264f808254377bc493756139779209bb52ab87c28b351a2ec152f20eb81c20d84a4d60993e9259ace392b6ffed0d4c4b28671f590ae111f3b12c17307d2ce

Download Submit
memory/1456-177-0x0000000000000000-mapping.dmp

Download
memory/2160-175-0x0000022002A00000-0x0000022002A10000-memory.dmp

Filesize
64KB

Download
memory/2160-174-0x0000022002980000-0x0000022002990000-memory.dmp

Filesize
64KB

Download
memory/3052-170-0x0000000000000000-mapping.dmp

Download
memory/4016-178-0x0000000000000000-mapping.dmp

Download
memory/4180-159-0x0000000000000000-mapping.dmp

Download
memory/4180-171-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/4180-169-0x0000000005A20000-0x0000000005FC6000-memory.dmp

Filesize
5.6MB

Download
memory/4180-166-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/4180-160-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4564-152-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/4564-158-0x0000000008A20000-0x0000000008AC0000-memory.dmp

Filesize
640KB

Download
memory/4564-157-0x00000000063F0000-0x0000000006474000-memory.dmp

Filesize
528KB

Download
memory/4564-156-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4564-155-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4564-154-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/4564-153-0x0000000004D50000-0x00000000052F6000-memory.dmp

Filesize
5.6MB

Download
memory/4564-146-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/4564-151-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4564-150-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4564-149-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/4564-148-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads