Analysis
-
max time kernel
122s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
27-01-2022 13:00
General
-
Target
467890987654323456789098765432345678.exe
-
Size
299KB
-
MD5
e04c69c79193ccaac508fe7279a1804f
-
SHA1
75930a5d0e35815f213475e7af644f19f4ed14bf
-
SHA256
56f473eb624769a6eb77762eba09ecfbb6e25f513e4280207de5ae06663e5452
-
SHA512
fcf2671f30495f16fe2a8399f2536bb2e193ea774aa5e0f6f30f861eb0f145a43217522ddfb8af401cb41d92f5043cf8b9f6580aaff80006525b6cd5810674c9
Malware Config
Signatures
-
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
-
Matiex Main Payload 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"C:\Users\Admin\AppData\Local\Temp\467890987654323456789098765432345678.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 11523⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsyCC08.tmp\gememaop.dllMD5
cea2c1f8c33480b4194e50513bda2117
SHA1edad90b4aaff17a6cad7577a64d607750635275e
SHA256dcc77f4cf402ac1bb45d437ea154dec3a509bba62cc9c23833d262d3152a5e06
SHA51237c49bed21825573f5f88433d7b844ce4c10c31c0fc15cd690f1b4eeeecf3c4192b1639f3974e22da799f275a0af457f817300c4be3f52f102105a2ddf571e85
-
memory/524-56-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/524-58-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/524-59-0x0000000004581000-0x0000000004582000-memory.dmpFilesize
4KB
-
memory/524-60-0x00000000045C0000-0x0000000004632000-memory.dmpFilesize
456KB
-
memory/524-61-0x0000000004582000-0x0000000004583000-memory.dmpFilesize
4KB
-
memory/524-62-0x0000000004583000-0x0000000004584000-memory.dmpFilesize
4KB
-
memory/524-63-0x0000000004584000-0x0000000004585000-memory.dmpFilesize
4KB
-
memory/1100-65-0x00000000004A0000-0x00000000004D2000-memory.dmpFilesize
200KB
-
memory/1628-54-0x00000000751B1000-0x00000000751B3000-memory.dmpFilesize
8KB