Analysis
-
max time kernel
151s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
06-02-2022 15:25
General
-
Target
MUYR09080.exe
-
Size
851KB
-
MD5
4138495cd942b253246d9bd965760aea
-
SHA1
fb80d388264dd3bd07b9a815958970f495e01021
-
SHA256
446a9c4fe226595e6a506d2a27c4b433b5651f9f8110ab289371f080a596a779
-
SHA512
a6c6fe65f34d53d0d8308baeb0ba022512ef9a6ac52e4f56b44eebd11833e37889f694353b0170b5a44df3391e59d23fe59782e97430d639c6bab9462f84165a
Malware Config
Signatures
-
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
-
Matiex Main Payload 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 47 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe"C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe"C:\Users\Admin\AppData\Local\Temp\MUYR09080.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsm27D5.tmp\iga871x4ew8c.dllMD5
7198b469fed0af13eabf0cd4031981d5
SHA1b1bde0b35d8d0cfad7134e057124c3c607f8c80e
SHA256b475fabe27e8006a3e4eb34ed5e4a49e2ef69b494c6b96e0abd8dddad3711858
SHA51272c9fbd68463b1b6fe28503088bf8fca086cd4e9323c1d7df09ef45a37ccf34f79bc80eb97d1ebe7adcb4758b824b38e844f02d7198618059182ab3fb16e1fc7
-
memory/380-131-0x0000000002550000-0x0000000002555000-memory.dmpFilesize
20KB
-
memory/648-132-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/648-134-0x0000000004A22000-0x0000000004A23000-memory.dmpFilesize
4KB
-
memory/648-133-0x0000000004A20000-0x0000000004A21000-memory.dmpFilesize
4KB
-
memory/648-135-0x0000000004A23000-0x0000000004A24000-memory.dmpFilesize
4KB
-
memory/648-136-0x0000000004B20000-0x0000000004BBC000-memory.dmpFilesize
624KB
-
memory/648-137-0x0000000004BC0000-0x0000000004C26000-memory.dmpFilesize
408KB
-
memory/648-138-0x0000000004A24000-0x0000000004A25000-memory.dmpFilesize
4KB
-
memory/648-139-0x0000000005BE0000-0x0000000006184000-memory.dmpFilesize
5.6MB