matiex | 108f33743a4ef5a5008a666449da79ba8505820db73e7e5098cb90c2cdd0ee66

General

Target

SsSuaeML7312gbk.exe
Size

683KB
MD5

b228b9a2a36d06fd91d942e464ef16bd
SHA1

8a974471c6336b046f08d17d8ba4c31d7d151b9c
SHA256

108f33743a4ef5a5008a666449da79ba8505820db73e7e5098cb90c2cdd0ee66
SHA512

cb14152f1284087fd4206a27eea79cc4d2f568f3fbc1e1962cf64d1e5b97a4c8d4cce1925fe910dea421f401e8d5c07cf0c632405ff2e26f72873662f9a3ad09

Score

10^/10

matiex collection keylogger spyware stealer suricata

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1962824736:AAECUA300NkJ2NuTf0cKgva_k26j1y0NNHk/sendMessage?chat_id=457082756

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/908-139-0x0000000000400000-0x000000000048C000-memory.dmp	family_matiex
behavioral2/memory/908-140-0x000000000046E0DE-mapping.dmp	family_matiex
behavioral2/memory/908-163-0x0000000004EC0000-0x00000000053BE000-memory.dmp	family_matiex

suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
suricata
Drops startup file 1 IoCs

Processes:

SsSuaeML7312gbk.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regeditt.url SsSuaeML7312gbk.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regeditt.url	SsSuaeML7312gbk.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

SsSuaeML7312gbk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SsSuaeML7312gbk.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SsSuaeML7312gbk.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SsSuaeML7312gbk.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 freegeoip.app
32 freegeoip.app
29 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

SsSuaeML7312gbk.exe

description pid process target process

PID 3996 set thread context of 908 3996 SsSuaeML7312gbk.exe SsSuaeML7312gbk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3752 schtasks.exe

flow	ioc
31	freegeoip.app
32	freegeoip.app
29	checkip.dyndns.org

description	pid	process	target process
PID 3996 set thread context of 908	3996	SsSuaeML7312gbk.exe	SsSuaeML7312gbk.exe

pid	process
3752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

SsSuaeML7312gbk.exepowershell.exepowershell.exeSsSuaeML7312gbk.exe

pid	process
3996	SsSuaeML7312gbk.exe
3996	SsSuaeML7312gbk.exe
3728	powershell.exe
2256	powershell.exe
3728	powershell.exe
2256	powershell.exe
2256	powershell.exe
3728	powershell.exe
908	SsSuaeML7312gbk.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SsSuaeML7312gbk.exepowershell.exepowershell.exeSsSuaeML7312gbk.exe

description	pid	process
Token: SeDebugPrivilege	3996	SsSuaeML7312gbk.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	908	SsSuaeML7312gbk.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

SsSuaeML7312gbk.exe

description	pid	process	target process
PID 3996 wrote to memory of 2256	3996	SsSuaeML7312gbk.exe	powershell.exe
PID 3996 wrote to memory of 2256	3996	SsSuaeML7312gbk.exe	powershell.exe
PID 3996 wrote to memory of 2256	3996	SsSuaeML7312gbk.exe	powershell.exe
PID 3996 wrote to memory of 3728	3996	SsSuaeML7312gbk.exe	powershell.exe
PID 3996 wrote to memory of 3728	3996	SsSuaeML7312gbk.exe	powershell.exe
PID 3996 wrote to memory of 3728	3996	SsSuaeML7312gbk.exe	powershell.exe
PID 3996 wrote to memory of 3752	3996	SsSuaeML7312gbk.exe	schtasks.exe
PID 3996 wrote to memory of 3752	3996	SsSuaeML7312gbk.exe	schtasks.exe
PID 3996 wrote to memory of 3752	3996	SsSuaeML7312gbk.exe	schtasks.exe
PID 3996 wrote to memory of 908	3996	SsSuaeML7312gbk.exe	SsSuaeML7312gbk.exe
PID 3996 wrote to memory of 908	3996	SsSuaeML7312gbk.exe	SsSuaeML7312gbk.exe
PID 3996 wrote to memory of 908	3996	SsSuaeML7312gbk.exe	SsSuaeML7312gbk.exe
PID 3996 wrote to memory of 908	3996	SsSuaeML7312gbk.exe	SsSuaeML7312gbk.exe
PID 3996 wrote to memory of 908	3996	SsSuaeML7312gbk.exe	SsSuaeML7312gbk.exe
PID 3996 wrote to memory of 908	3996	SsSuaeML7312gbk.exe	SsSuaeML7312gbk.exe
PID 3996 wrote to memory of 908	3996	SsSuaeML7312gbk.exe	SsSuaeML7312gbk.exe
PID 3996 wrote to memory of 908	3996	SsSuaeML7312gbk.exe	SsSuaeML7312gbk.exe

outlook_office_path 1 IoCs

Processes:

SsSuaeML7312gbk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SsSuaeML7312gbk.exe

outlook_win_path 1 IoCs

Processes:

SsSuaeML7312gbk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SsSuaeML7312gbk.exe

C:\Users\Admin\AppData\Local\Temp\SsSuaeML7312gbk.exe
"C:\Users\Admin\AppData\Local\Temp\SsSuaeML7312gbk.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SsSuaeML7312gbk.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gEvJkZJcG.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gEvJkZJcG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp486F.tmp"
2⤵
- Creates scheduled task(s)
PID:3752

C:\Users\Admin\AppData\Local\Temp\SsSuaeML7312gbk.exe
"C:\Users\Admin\AppData\Local\Temp\SsSuaeML7312gbk.exe"
2⤵
- Drops startup file
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SsSuaeML7312gbk.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp486F.tmp
MD5
a25063c6fd168ce48b4c8f0b2f31c4f0

SHA1
e80e543fd045b8d667365d4f5f5d30126afb157c

SHA256
a5d06f6b990a166a3fb4accdfb1709b92e9451008dd1ed60866f96cc96ef7ca4

SHA512
f0f36e6c57c244fb23c6219295fc48d06ecd682cb2a875f9ef28fc66678a20e82ce338812f4c87a675e8dbe6200d98cb30a349489c62515205f668d57d82accb

Download Submit
memory/908-170-0x0000000006610000-0x0000000006611000-memory.dmp

Filesize
4KB

Download
memory/908-163-0x0000000004EC0000-0x00000000053BE000-memory.dmp

Filesize
5.0MB

Download
memory/908-150-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/908-140-0x000000000046E0DE-mapping.dmp

Download
memory/908-139-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2256-130-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2256-166-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2256-212-0x0000000006E33000-0x0000000006E34000-memory.dmp

Filesize
4KB

Download
memory/2256-209-0x000000007E8E0000-0x000000007E8E1000-memory.dmp

Filesize
4KB

Download
memory/2256-131-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2256-132-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/2256-164-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/2256-161-0x00000000087B0000-0x00000000087B1000-memory.dmp

Filesize
4KB

Download
memory/2256-136-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/2256-127-0x0000000000000000-mapping.dmp

Download
memory/2256-157-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/2256-153-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/2256-151-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/2256-144-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/2256-145-0x0000000006E32000-0x0000000006E33000-memory.dmp

Filesize
4KB

Download
memory/3728-167-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/3728-147-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/3728-211-0x000000007EAB0000-0x000000007EAB1000-memory.dmp

Filesize
4KB

Download
memory/3728-210-0x0000000006DA3000-0x0000000006DA4000-memory.dmp

Filesize
4KB

Download
memory/3728-184-0x0000000009110000-0x0000000009143000-memory.dmp

Filesize
204KB

Download
memory/3728-159-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/3728-134-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/3728-148-0x0000000006DA2000-0x0000000006DA3000-memory.dmp

Filesize
4KB

Download
memory/3728-133-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/3728-128-0x0000000000000000-mapping.dmp

Download
memory/3752-129-0x0000000000000000-mapping.dmp

Download
memory/3996-122-0x00000000053C0000-0x00000000058BE000-memory.dmp

Filesize
5.0MB

Download
memory/3996-121-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/3996-126-0x0000000006200000-0x0000000006358000-memory.dmp

Filesize
1.3MB

Download
memory/3996-125-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/3996-124-0x0000000005590000-0x0000000005597000-memory.dmp

Filesize
28KB

Download
memory/3996-123-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/3996-118-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/3996-120-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads