matiex | b190c0b66428b594f7507ae98fcc45e1907cb9cdf618919002791241ae94280f

General

Target

tmp/vbc.exe
Size

1.4MB
MD5

3668f9be040098859e662ba94616cc51
SHA1

3b3ec4ac86c462747a2190c33ca2a4588fcc9310
SHA256

b190c0b66428b594f7507ae98fcc45e1907cb9cdf618919002791241ae94280f
SHA512

54fa8de69114af4fc8ccfa5ef11a82587d3b74b5fa80e6e8d1683e5ce997db5d6ffc1b133ebcf97c226c2aad928696198392faaf184486685f0aa2a048a43dd3

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2084-119-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral2/memory/2084-120-0x000000000047032E-mapping.dmp	family_matiex

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 3208 set thread context of 2084 3208 vbc.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2020 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

vbc.exedw20.exepowershell.exe

pid process

3208 vbc.exe
3208 vbc.exe
2392 dw20.exe
2392 dw20.exe
380 powershell.exe
380 powershell.exe
380 powershell.exe

description	pid	process	target process
PID 3208 set thread context of 2084	3208	vbc.exe	vbc.exe

pid	process
2020	schtasks.exe

pid	process
3208	vbc.exe
3208	vbc.exe
2392	dw20.exe
2392	dw20.exe
380	powershell.exe
380	powershell.exe
380	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exedw20.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3208	vbc.exe
Token: SeRestorePrivilege	2392	dw20.exe
Token: SeBackupPrivilege	2392	dw20.exe
Token: SeDebugPrivilege	380	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

vbc.exevbc.exe

description	pid	process	target process
PID 3208 wrote to memory of 380	3208	vbc.exe	powershell.exe
PID 3208 wrote to memory of 380	3208	vbc.exe	powershell.exe
PID 3208 wrote to memory of 380	3208	vbc.exe	powershell.exe
PID 3208 wrote to memory of 2020	3208	vbc.exe	schtasks.exe
PID 3208 wrote to memory of 2020	3208	vbc.exe	schtasks.exe
PID 3208 wrote to memory of 2020	3208	vbc.exe	schtasks.exe
PID 3208 wrote to memory of 1648	3208	vbc.exe	vbc.exe
PID 3208 wrote to memory of 1648	3208	vbc.exe	vbc.exe
PID 3208 wrote to memory of 1648	3208	vbc.exe	vbc.exe
PID 3208 wrote to memory of 2084	3208	vbc.exe	vbc.exe
PID 3208 wrote to memory of 2084	3208	vbc.exe	vbc.exe
PID 3208 wrote to memory of 2084	3208	vbc.exe	vbc.exe
PID 3208 wrote to memory of 2084	3208	vbc.exe	vbc.exe
PID 3208 wrote to memory of 2084	3208	vbc.exe	vbc.exe
PID 3208 wrote to memory of 2084	3208	vbc.exe	vbc.exe
PID 3208 wrote to memory of 2084	3208	vbc.exe	vbc.exe
PID 3208 wrote to memory of 2084	3208	vbc.exe	vbc.exe
PID 2084 wrote to memory of 2392	2084	vbc.exe	dw20.exe
PID 2084 wrote to memory of 2392	2084	vbc.exe	dw20.exe
PID 2084 wrote to memory of 2392	2084	vbc.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SOEtXbQzHDdq.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOEtXbQzHDdq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD628.tmp"
2⤵
- Creates scheduled task(s)
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 688
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\vbc.exe.log
MD5
8849f2ad959553d9be276cf960a5ca7e

SHA1
b1a4be5cfa443ac6d1df4e4c1d9d6980aadab820

SHA256
acd871ad3e3199dc52b514078fd2c6ee21d6643616d5c9b4cb55760ce03b443b

SHA512
734c2e6526c6d2d8acde6d55bc45fddc1dc1b60adc653828d564d16042cc6939e282aa309d58b3a6f8c30e734b98201cb4a21fe0a3815d6a251093b30ef89115

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD628.tmp
MD5
04e8da8ab6c0d225ca3b47447483b467

SHA1
33a95abb6ee837f2ecb708ab0a776109f72d4ef2

SHA256
9b82a8a9178b577ef2e1e6309807fab4607b84c9434309bd7bad5e53ae105ff8

SHA512
d0780a051ff1f8f746e85d7936b6441326624ac3bcc201f02f5f29e65ac1df88d800ea125446c68ae304a41ebfc0a134328930ae5da5b9f05984cb47b92328b7

Download Submit
memory/380-128-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/380-136-0x0000000008590000-0x0000000008591000-memory.dmp

Filesize
4KB

Download
memory/380-130-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/380-160-0x00000000099C0000-0x00000000099C1000-memory.dmp

Filesize
4KB

Download
memory/380-116-0x0000000000000000-mapping.dmp

Download
memory/380-122-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/380-123-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/380-159-0x000000007F010000-0x000000007F011000-memory.dmp

Filesize
4KB

Download
memory/380-158-0x00000000095A0000-0x00000000095A1000-memory.dmp

Filesize
4KB

Download
memory/380-126-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/380-127-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/380-129-0x0000000007082000-0x0000000007083000-memory.dmp

Filesize
4KB

Download
memory/380-153-0x0000000009440000-0x0000000009441000-memory.dmp

Filesize
4KB

Download
memory/380-223-0x0000000007083000-0x0000000007084000-memory.dmp

Filesize
4KB

Download
memory/380-146-0x0000000009460000-0x0000000009493000-memory.dmp

Filesize
204KB

Download
memory/380-132-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/380-133-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/380-134-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/380-135-0x0000000008620000-0x0000000008621000-memory.dmp

Filesize
4KB

Download
memory/380-131-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/380-137-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2020-117-0x0000000000000000-mapping.dmp

Download
memory/2084-119-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2084-124-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/2084-120-0x000000000047032E-mapping.dmp

Download
memory/2392-125-0x0000000000000000-mapping.dmp

Download
memory/3208-115-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads