matiex | dd182afe8c89ecfb8d2d449f5e700d7ac09b979315238abf0cee1cdd65d6c27f

General

Target

Products Details and Order reference.exe
Size

591KB
MD5

4107bb08f0c20c1bafd7839f1bf77a8b
SHA1

ba4daabff9037990d45c4cfafe4690a7fe2ddbfb
SHA256

dd182afe8c89ecfb8d2d449f5e700d7ac09b979315238abf0cee1cdd65d6c27f
SHA512

88b10d5719e82d69d80e2e9264b0e0c86bba686d127fcd7366fb0be5c71846c8a5013b4a6c96ed750242a9f88e5bd3504e9705580024ecf1106eea9b9b7dfe60

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.thts.vn
Port:
25
Username:
[email protected]
Password:
123luongngan1989

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3424-124-0x0000000000400000-0x0000000000478000-memory.dmp	family_matiex
behavioral2/memory/3424-125-0x0000000000472BFE-mapping.dmp	family_matiex

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 checkip.dyndns.org
12 freegeoip.app
13 freegeoip.app

flow	ioc
10	checkip.dyndns.org
12	freegeoip.app
13	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

Products Details and Order reference.exe

description	pid	process	target process
PID 632 set thread context of 3424	632	Products Details and Order reference.exe	Products Details and Order reference.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

688 3424 WerFault.exe Products Details and Order reference.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4080 schtasks.exe

pid	pid_target	process	target process
688	3424	WerFault.exe	Products Details and Order reference.exe

pid	process
4080	schtasks.exe

Modifies registry class 5 IoCs

Processes:

Products Details and Order reference.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	Products Details and Order reference.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings	Products Details and Order reference.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell	Products Details and Order reference.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open	Products Details and Order reference.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\	Products Details and Order reference.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Products Details and Order reference.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3424	Products Details and Order reference.exe
Token: SeRestorePrivilege	688	WerFault.exe
Token: SeBackupPrivilege	688	WerFault.exe
Token: SeDebugPrivilege	688	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Products Details and Order reference.exe

description	pid	process	target process
PID 632 wrote to memory of 4080	632	Products Details and Order reference.exe	schtasks.exe
PID 632 wrote to memory of 4080	632	Products Details and Order reference.exe	schtasks.exe
PID 632 wrote to memory of 4080	632	Products Details and Order reference.exe	schtasks.exe
PID 632 wrote to memory of 3424	632	Products Details and Order reference.exe	Products Details and Order reference.exe
PID 632 wrote to memory of 3424	632	Products Details and Order reference.exe	Products Details and Order reference.exe
PID 632 wrote to memory of 3424	632	Products Details and Order reference.exe	Products Details and Order reference.exe
PID 632 wrote to memory of 3424	632	Products Details and Order reference.exe	Products Details and Order reference.exe
PID 632 wrote to memory of 3424	632	Products Details and Order reference.exe	Products Details and Order reference.exe
PID 632 wrote to memory of 3424	632	Products Details and Order reference.exe	Products Details and Order reference.exe
PID 632 wrote to memory of 3424	632	Products Details and Order reference.exe	Products Details and Order reference.exe
PID 632 wrote to memory of 3424	632	Products Details and Order reference.exe	Products Details and Order reference.exe

C:\Users\Admin\AppData\Local\Temp\Products Details and Order reference.exe
"C:\Users\Admin\AppData\Local\Temp\Products Details and Order reference.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UKEBHvwzzTPD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C84.tmp"
2⤵
- Creates scheduled task(s)
PID:4080

C:\Users\Admin\AppData\Local\Temp\Products Details and Order reference.exe
"C:\Users\Admin\AppData\Local\Temp\Products Details and Order reference.exe"
2⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 2212
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Products Details and Order reference.exe.log

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
memory/632-121-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/632-117-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/632-118-0x0000000005150000-0x000000000564E000-memory.dmp

Filesize
5.0MB

Download
memory/632-119-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/632-120-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/632-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/632-122-0x0000000006150000-0x00000000061E4000-memory.dmp

Filesize
592KB

Download
memory/632-116-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/3424-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3424-125-0x0000000000472BFE-mapping.dmp

Download
memory/3424-130-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/3424-131-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4080-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads