matiex | b3252b9c8261e4b2d07f31c71dc1c3f0e2032a0fd5aa53ced919e5db104369e6

General

Target

d92555bcd56ec92060ad31e69cdad855.exe
Size

177KB
MD5

d92555bcd56ec92060ad31e69cdad855
SHA1

a9e23881ce5f209ec5b323d546a498ab64233249
SHA256

b3252b9c8261e4b2d07f31c71dc1c3f0e2032a0fd5aa53ced919e5db104369e6
SHA512

c3040d9f91f7976dec23f64a4bebaf11279149e8c765859e7469dae7e7406316516fc9d4d76d57639ee6ebb0d26720379c52c60f7adb3b7fe390f41d509c92aa

Score

10^/10

matiex collection keylogger spyware stealer

Malware Config

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1584-54-0x00000000000E0000-0x0000000000112000-memory.dmp	family_matiex
behavioral1/memory/1584-55-0x00000000000E0000-0x0000000000112000-memory.dmp	family_matiex

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

d92555bcd56ec92060ad31e69cdad855.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	d92555bcd56ec92060ad31e69cdad855.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	d92555bcd56ec92060ad31e69cdad855.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	d92555bcd56ec92060ad31e69cdad855.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

688 1584 WerFault.exe d92555bcd56ec92060ad31e69cdad855.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

688 WerFault.exe
688 WerFault.exe
688 WerFault.exe
688 WerFault.exe
688 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

688 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d92555bcd56ec92060ad31e69cdad855.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1584 d92555bcd56ec92060ad31e69cdad855.exe
Token: SeDebugPrivilege 688 WerFault.exe

flow	ioc
4	checkip.dyndns.org

pid	pid_target	process	target process
688	1584	WerFault.exe	d92555bcd56ec92060ad31e69cdad855.exe

pid	process
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe

pid	process
688	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1584	d92555bcd56ec92060ad31e69cdad855.exe
Token: SeDebugPrivilege	688	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d92555bcd56ec92060ad31e69cdad855.exe

description	pid	process	target process
PID 1584 wrote to memory of 688	1584	d92555bcd56ec92060ad31e69cdad855.exe	WerFault.exe
PID 1584 wrote to memory of 688	1584	d92555bcd56ec92060ad31e69cdad855.exe	WerFault.exe
PID 1584 wrote to memory of 688	1584	d92555bcd56ec92060ad31e69cdad855.exe	WerFault.exe
PID 1584 wrote to memory of 688	1584	d92555bcd56ec92060ad31e69cdad855.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

d92555bcd56ec92060ad31e69cdad855.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	d92555bcd56ec92060ad31e69cdad855.exe

outlook_win_path 1 IoCs

Processes:

d92555bcd56ec92060ad31e69cdad855.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	d92555bcd56ec92060ad31e69cdad855.exe

C:\Users\Admin\AppData\Local\Temp\d92555bcd56ec92060ad31e69cdad855.exe
"C:\Users\Admin\AppData\Local\Temp\d92555bcd56ec92060ad31e69cdad855.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1252
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-58-0x0000000000000000-mapping.dmp

Download
memory/688-59-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1584-54-0x00000000000E0000-0x0000000000112000-memory.dmp

Filesize
200KB

Download
memory/1584-55-0x00000000000E0000-0x0000000000112000-memory.dmp

Filesize
200KB

Download
memory/1584-56-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1584-57-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads