Analysis

  • max time kernel
    162s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    03-02-2022 07:54

General

  • Target

    MMMMMUTYYYtrhOmoE27QSJu3X.exe

  • Size

    796KB

  • MD5

    acaf6ded35d9b26f5ad943f1cb9f7cae

  • SHA1

    989f2c4d4cca185d62a20e6db00a8451691118d1

  • SHA256

    b070101a217e99f96198bed4917fe82d36f39bb227674e04ddded3faaa3eb289

  • SHA512

    99ce6c746e3a0f7175a7c5c77bb3c50a68ceca15a80f69162c759d40872653767a3f37b5f09eb4f7fea557d8a2847e1fd825cb6a31042afbec0fce30c340027a

Malware Config

Extracted

Family

matiex

Credentials

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

  • Matiex Main Payload 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe
    "C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pjhLgTuGCcPXYL.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3632
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pjhLgTuGCcPXYL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDA4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3252
    • C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe
      "C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe"
      2⤵
      PID:3788
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:3052
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 233cc1c57d4842cbc3adac31b833faa1 3xPo5BvrXUKnC/dapMdD3A.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:3264
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:3704

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Execution
      • Scheduled Task (1) T1053
    • Persistence
      • Registry Run Keys / Startup Folder (1) T1060
      • Scheduled Task (1) T1053
    • Privilege Escalation
      • Scheduled Task (1) T1053
    • Defense Evasion
      • Modify Registry (1) T1112
    • Credential Access
      • Credentials in Files (1) T1081
    • Discovery
      • Query Registry (2) T1012
      • System Information Discovery (3) T1082
    • Collection
      • Data from Local System (1) T1005

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpCDA4.tmp
      MD5

      eb0ea269157483c8bf42d152abf99f11

      SHA1

      a1058c6413e9febff2b9f974b38f72b831cb1ec7

      SHA256

      2d9583fb08d7c3690af0b414bde559e0ec44eb8a8674a721cc77ac4e04748ca4

      SHA512

      a99cd0c34b785ff7930e572567da15097bab7391bf0cc2a853fdf6727f3900c3e412097f675171137c15030018a7827620810ced1e9e78917af51e84c0a7bd65

    • memory/3632-139-0x0000000006FD0000-0x0000000006FD1000-memory.dmp
      Filesize

      4KB

    • memory/3632-147-0x0000000007430000-0x0000000007496000-memory.dmp
      Filesize

      408KB

    • memory/3632-145-0x0000000007390000-0x00000000073B2000-memory.dmp
      Filesize

      136KB

    • memory/3632-142-0x0000000007610000-0x0000000007C38000-memory.dmp
      Filesize

      6.2MB

    • memory/3632-140-0x0000000006FD2000-0x0000000006FD3000-memory.dmp
      Filesize

      4KB

    • memory/3632-138-0x0000000004B10000-0x0000000004B46000-memory.dmp
      Filesize

      216KB

    • memory/3788-144-0x00000000053D0000-0x0000000005436000-memory.dmp
      Filesize

      408KB

    • memory/3788-143-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

    • memory/3788-146-0x0000000005360000-0x0000000005904000-memory.dmp
      Filesize

      5.6MB

    • memory/4072-135-0x0000000000A10000-0x0000000000AAC000-memory.dmp
      Filesize

      624KB

    • memory/4072-134-0x0000000004AD0000-0x0000000004ADA000-memory.dmp
      Filesize

      40KB

    • memory/4072-133-0x0000000004C90000-0x0000000004C91000-memory.dmp
      Filesize

      4KB

    • memory/4072-130-0x0000000000060000-0x000000000012E000-memory.dmp
      Filesize

      824KB

    • memory/4072-132-0x0000000004B50000-0x0000000004BE2000-memory.dmp
      Filesize

      584KB

    • memory/4072-131-0x0000000005260000-0x0000000005804000-memory.dmp
      Filesize

      5.6MB