Overview

overview

10

Static

static

1

MUYR09080.exe

windows7_x64

10

MUYR09080.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    101s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-02-2022 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MUYR09080.exe

  • Size

    851KB

  • MD5

    4138495cd942b253246d9bd965760aea

  • SHA1

    fb80d388264dd3bd07b9a815958970f495e01021

  • SHA256

    446a9c4fe226595e6a506d2a27c4b433b5651f9f8110ab289371f080a596a779

  • SHA512

    a6c6fe65f34d53d0d8308baeb0ba022512ef9a6ac52e4f56b44eebd11833e37889f694353b0170b5a44df3391e59d23fe59782e97430d639c6bab9462f84165a

Score
10/10
matiexkeyloggerstealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1395392888:AAFrJovDdZICOFB0gX0eGWrAUzEKCRpv8xo/sendMessage?chat_id=1300181783

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe
    "C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe
      "C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1516

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsqC513.tmp\iga871x4ew8c.dll
    MD5

    7198b469fed0af13eabf0cd4031981d5

    SHA1

    b1bde0b35d8d0cfad7134e057124c3c607f8c80e

    SHA256

    b475fabe27e8006a3e4eb34ed5e4a49e2ef69b494c6b96e0abd8dddad3711858

    SHA512

    72c9fbd68463b1b6fe28503088bf8fca086cd4e9323c1d7df09ef45a37ccf34f79bc80eb97d1ebe7adcb4758b824b38e844f02d7198618059182ab3fb16e1fc7

    Download Submit
  • memory/1136-55-0x00000000763B1000-0x00000000763B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1136-57-0x0000000000810000-0x0000000000815000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1516-59-0x0000000000400000-0x0000000000484000-memory.dmp
    Filesize

    528KB

    Download
  • memory/1516-60-0x0000000004751000-0x0000000004752000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1516-61-0x0000000001F70000-0x0000000001FE6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1516-62-0x0000000004752000-0x0000000004753000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1516-64-0x0000000004754000-0x0000000004755000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1516-63-0x0000000004753000-0x0000000004754000-memory.dmp
    Filesize

    4KB

    Download