matiex | 2a110d7e364ad29a87c03c0418154c360c3be3f473fe0434656908d954e6bdd3

General

Target

NN0900087890.exe
Size

389KB
MD5

2143f5e16ab1ccac518c5318607de780
SHA1

ae2f3ef507ff24582316fbe556d84d28f0c00331
SHA256

2a110d7e364ad29a87c03c0418154c360c3be3f473fe0434656908d954e6bdd3
SHA512

2ab401aae0437536bcb6cf8e1efbaa26179ef8aaf0a33ee3060858d6cb3ac45f5e13f056044a250d6f633aafa004eccf529f5a8831a5032db4dd5f981254e224

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1395392888:AAFrJovDdZICOFB0gX0eGWrAUzEKCRpv8xo/sendMessage?chat_id=1300181783

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1976-55-0x0000000000400000-0x0000000000484000-memory.dmp	family_matiex
behavioral1/memory/1976-56-0x000000000040188B-mapping.dmp	family_matiex
behavioral1/memory/1976-58-0x0000000000400000-0x0000000000484000-memory.dmp	family_matiex
behavioral1/memory/1976-59-0x0000000004470000-0x00000000044DF000-memory.dmp	family_matiex

Loads dropped DLL 1 IoCs

Processes:

NN0900087890.exe

pid process

1144 NN0900087890.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
9 freegeoip.app
10 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

NN0900087890.exe

description pid process target process

PID 1144 set thread context of 1976 1144 NN0900087890.exe NN0900087890.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

NN0900087890.exe

pid process

1976 NN0900087890.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NN0900087890.exe

description pid process

Token: SeDebugPrivilege 1976 NN0900087890.exe

pid	process
1144	NN0900087890.exe

flow	ioc
4	checkip.dyndns.org
9	freegeoip.app
10	freegeoip.app

description	pid	process	target process
PID 1144 set thread context of 1976	1144	NN0900087890.exe	NN0900087890.exe

pid	process
1976	NN0900087890.exe

description	pid	process
Token: SeDebugPrivilege	1976	NN0900087890.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

NN0900087890.exe

description	pid	process	target process
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe
PID 1144 wrote to memory of 1976	1144	NN0900087890.exe	NN0900087890.exe

C:\Users\Admin\AppData\Local\Temp\NN0900087890.exe
"C:\Users\Admin\AppData\Local\Temp\NN0900087890.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\NN0900087890.exe
"C:\Users\Admin\AppData\Local\Temp\NN0900087890.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsvD8B2.tmp\hldbohwqh.dll

MD5
78866b11263e73b3b13f15051407398e

SHA1
e4999347051c9f551130edaa90756e179eab25af

SHA256
8bbb7cb0fac58f703a1a4da556818851b79d9de5942464940b6d0c235a38c50b

SHA512
eb654d42ad32d115e2a11ad779100ec1e6882f2043409ff538b5acab568a65084b8a1a5411d4df4f83b83f620a4549220accdd615613dc77c38e7185ef0740f6

Download Submit
memory/1144-53-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/1976-55-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1976-56-0x000000000040188B-mapping.dmp

Download
memory/1976-58-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1976-59-0x0000000004470000-0x00000000044DF000-memory.dmp

Filesize
444KB

Download
memory/1976-62-0x0000000004552000-0x0000000004553000-memory.dmp

Filesize
4KB

Download
memory/1976-61-0x0000000004551000-0x0000000004552000-memory.dmp

Filesize
4KB

Download
memory/1976-63-0x0000000004553000-0x0000000004554000-memory.dmp

Filesize
4KB

Download
memory/1976-64-0x0000000004554000-0x0000000004555000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing