matiex | 591b179d161ffb99cf404c3c2a2ef5ed93452dd737c6c91bc3182838961fa295

General

Target

Ref 2998390020 purchasing inquiry.exe
Size

442KB
MD5

4db15735772716ead8b0a838c67f91c6
SHA1

e7770b8a8d3d092f3bd38de265890f6cf17d1406
SHA256

5d65c8c1dbe91d020fe6dfefe37ef17651aaead257fdd7f24aa08b9a38cbb8fc
SHA512

38f0d118a3dfdb2ca0a0fd64b23cde9cdd76c410b85fa1f69dd164b121a25c213ea5dff75a7ab658c57cd5b7822cc16f7e19bcdeb63d202271065147cb22cc4c

Score

10^/10

matiex keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.thts.vn
Port:
25
Username:
[email protected]
Password:
123luongngan1989

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.thts.vn
Port:
25
Username:
[email protected]
Password:
123luongngan1989

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4284-126-0x0000000000400000-0x0000000000478000-memory.dmp	family_matiex
behavioral2/memory/4284-127-0x0000000000472BFE-mapping.dmp	family_matiex

Drops startup file 1 IoCs

Processes:

Ref 2998390020 purchasing inquiry.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	Ref 2998390020 purchasing inquiry.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
9 freegeoip.app
10 freegeoip.app

flow	ioc
7	checkip.dyndns.org
9	freegeoip.app
10	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

Ref 2998390020 purchasing inquiry.exe

description	pid	process	target process
PID 3696 set thread context of 4284	3696	Ref 2998390020 purchasing inquiry.exe	Ref 2998390020 purchasing inquiry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4256 schtasks.exe

pid	process
4256	schtasks.exe

Modifies registry class 5 IoCs

Processes:

Ref 2998390020 purchasing inquiry.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\ms-settings\shell\open\command	Ref 2998390020 purchasing inquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\ms-settings	Ref 2998390020 purchasing inquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\ms-settings\shell	Ref 2998390020 purchasing inquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\ms-settings\shell\open	Ref 2998390020 purchasing inquiry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\ms-settings\shell\open\command\	Ref 2998390020 purchasing inquiry.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ref 2998390020 purchasing inquiry.exe

pid	process
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe
4284	Ref 2998390020 purchasing inquiry.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Ref 2998390020 purchasing inquiry.exe

pid process

4284 Ref 2998390020 purchasing inquiry.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Ref 2998390020 purchasing inquiry.exe

description pid process

Token: SeDebugPrivilege 4284 Ref 2998390020 purchasing inquiry.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Ref 2998390020 purchasing inquiry.exe

pid process

4284 Ref 2998390020 purchasing inquiry.exe

description	pid	process
Token: SeDebugPrivilege	4284	Ref 2998390020 purchasing inquiry.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Ref 2998390020 purchasing inquiry.exeRef 2998390020 purchasing inquiry.exe

description	pid	process	target process
PID 3696 wrote to memory of 4256	3696	Ref 2998390020 purchasing inquiry.exe	schtasks.exe
PID 3696 wrote to memory of 4256	3696	Ref 2998390020 purchasing inquiry.exe	schtasks.exe
PID 3696 wrote to memory of 4256	3696	Ref 2998390020 purchasing inquiry.exe	schtasks.exe
PID 3696 wrote to memory of 4284	3696	Ref 2998390020 purchasing inquiry.exe	Ref 2998390020 purchasing inquiry.exe
PID 3696 wrote to memory of 4284	3696	Ref 2998390020 purchasing inquiry.exe	Ref 2998390020 purchasing inquiry.exe
PID 3696 wrote to memory of 4284	3696	Ref 2998390020 purchasing inquiry.exe	Ref 2998390020 purchasing inquiry.exe
PID 3696 wrote to memory of 4284	3696	Ref 2998390020 purchasing inquiry.exe	Ref 2998390020 purchasing inquiry.exe
PID 3696 wrote to memory of 4284	3696	Ref 2998390020 purchasing inquiry.exe	Ref 2998390020 purchasing inquiry.exe
PID 3696 wrote to memory of 4284	3696	Ref 2998390020 purchasing inquiry.exe	Ref 2998390020 purchasing inquiry.exe
PID 3696 wrote to memory of 4284	3696	Ref 2998390020 purchasing inquiry.exe	Ref 2998390020 purchasing inquiry.exe
PID 3696 wrote to memory of 4284	3696	Ref 2998390020 purchasing inquiry.exe	Ref 2998390020 purchasing inquiry.exe
PID 4284 wrote to memory of 4324	4284	Ref 2998390020 purchasing inquiry.exe	netsh.exe
PID 4284 wrote to memory of 4324	4284	Ref 2998390020 purchasing inquiry.exe	netsh.exe
PID 4284 wrote to memory of 4324	4284	Ref 2998390020 purchasing inquiry.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Ref 2998390020 purchasing inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Ref 2998390020 purchasing inquiry.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDOhzfeKq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1ADC.tmp"
2⤵
- Creates scheduled task(s)
PID:4256

C:\Users\Admin\AppData\Local\Temp\Ref 2998390020 purchasing inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Ref 2998390020 purchasing inquiry.exe"
2⤵
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3696-124-0x0000000007D10000-0x0000000007D85000-memory.dmp

Filesize
468KB

Download
memory/3696-122-0x0000000005780000-0x0000000005786000-memory.dmp

Filesize
24KB

Download
memory/3696-118-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3696-119-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3696-115-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/3696-121-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/3696-117-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/3696-123-0x0000000007CB0000-0x0000000007D0A000-memory.dmp

Filesize
360KB

Download
memory/3696-120-0x00000000052D0000-0x00000000057CE000-memory.dmp

Filesize
5.0MB

Download
memory/4256-125-0x0000000000000000-mapping.dmp

Download
memory/4284-126-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4284-127-0x0000000000472BFE-mapping.dmp

Download
memory/4284-131-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/4284-132-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4284-137-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/4324-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads