Analysis
- max time kernel: 118s
- max time network: 130s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 14-12-2021 11:53

Static task: static1
Behavioral task: behavioral1
- Sample: tmp/vbc.exe
- Resource: win7-en-20211208
General
- Target: tmp/vbc.exe
- Size: 1.5MB
- MD5: 8e5e31f5dd73631eddc2cb57e0f48a9a
- SHA1: 13bd3cf85edef10be8b60c96334eda4f30eda0ba
- SHA256: 356c38de132ad392f3155f48d11f97efbd7892a04499aea67dab5a76e85cb68d
- SHA512: 43cf5099575d698ffbd13dc82aa76e2358629d52217cd9d019acfb52c87a29e1ef9750dee756d164787544c76cc68464b014e3f17b3236467952ef95215a94d1
Malware Config
Extracted
- Family: matiex
- C2: https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933
Signatures
- Matiex Main Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/356-125-0x0000000000400000-0x0000000000476000-memory.dmp: family_matiex
  - behavioral2/memory/356-126-0x000000000047032E-mapping.dmp: family_matiex
  - behavioral2/memory/356-133-0x0000000004F90000-0x000000000502C000-memory.dmp: family_matiex
- suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
- suricata: ET MALWARE Matiex Keylogger Exfil Via Telegram
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (vbc.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (vbc.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (vbc.exe)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - flow 32: checkip.dyndns.org
  - flow 34: freegeoip.app
  - flow 35: freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 2772 set thread context of 356 (vbc.exe -> vbc.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  - 356 vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 356 vbc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  - PID 2772 wrote to memory of 356 (vbc.exe -> vbc.exe), 8 events
  - PID 356 wrote to memory of 3132 (vbc.exe -> netsh.exe), 3 events
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (vbc.exe)
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (vbc.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
  PID: 2772
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
    PID: 356
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
      PID: 3132
Network
MITRE ATT&CK Enterprise v6
Downloads