Analysis

  • max time kernel
    170s
  • max time network
    198s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    07-02-2022 23:48

General

  • Target

    MOT-09800080000.exe

  • Size

    525KB

  • MD5

    bda2eaf80ab5ed6fd1128d4ae02e2f1b

  • SHA1

    12aa26befa0055398748ae12ae0d04f286c565cb

  • SHA256

    ffcf5fb0cd579ec9b9ce49e2b1eafc62f89fdcb5d418e338cd6dab310a241a2d

  • SHA512

    a34e9c827d29efe8dc44296ee3a1dbd2daa59594125372099d6f1219a455c6d5de934848ca098dee50d0f7dfe09ed1db0337b0f1d7063e94749b24dd4b616087

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    srvc13.turhost.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    italik2015

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

  • Matiex Main Payload (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for a keylogger/infostealer such as Matiex it is better read as drive enumeration during discovery or collection, not as a prelude to encryption.

  • Suspicious behavior: EnumeratesProcesses (9 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (40 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe
    "C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1736
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
        PID:3696
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2624
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2052

  The number before ⤵ is the depth in the process tree. The svchost.exe (wuauserv) and TiWorker.exe entries are depth-1 root processes, not children of the sample: they are the Windows Update service and the servicing-stack worker, and they are where the "Drops file in Windows directory" hits come from. The sample's own chain is MOT-09800080000.exe (PID 1952) spawning MSBuild.exe (PID 1736), which is started with the dropper's command line rather than its own, the hallmark of process hollowing and consistent with the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures; the hollowed MSBuild.exe then runs netsh.exe to enumerate saved Wi-Fi profiles.
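The process chain above and the SMTP configuration extracted earlier translate directly into hunt logic. The following Python is an added example written for this page, not part of the sandbox report or of Matiex itself. It runs over constructed Sysmon-style process-creation and network-connection records that mirror the process tree: the PIDs, image paths and command lines are copied from the report, while the parent PIDs of the root processes and the outbound SMTP connection from PID 1736 are assumptions (the report's Network section is empty). The list of .NET framework binaries treated as likely hollowing targets is also an assumption.

```python
"""Hunt for the execution chain and C2 in this report: a dropper that hollows
MSBuild.exe (image path != program named on its own command line), the hollowed
host spawning `netsh wlan show profile`, and SMTP submission to the extracted
mail server.  Added example; the records below are constructed, not sandbox output."""
import ntpath
import re
from dataclasses import dataclass

# Taken from the report's extracted Matiex config
C2_HOST = "srvc13.turhost.com"
C2_PORT = 587

# Assumption: .NET framework binaries frequently used as hollowing targets
DOTNET_HOSTS = {"msbuild", "regasm", "regsvcs", "installutil", "aspnet_compiler"}


@dataclass
class ProcEvent:
    """Sysmon Event ID 1 (process create) subset."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:
    """Sysmon Event ID 3 (network connection) subset."""
    pid: int
    image: str
    dst_host: str
    dst_port: int


def stem(path: str) -> str:
    """'C:\\...\\MSBuild.exe' -> 'msbuild' (Windows paths, works on any host OS)."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def image_cmdline_mismatch(ev: ProcEvent) -> bool:
    """Hollowing indicator: the executable actually mapped (ev.image) is not the
    program the command line claims to be running.  In the report MSBuild.exe
    runs with "MOT-09800080000.exe" as its command line."""
    a0 = stem(argv0(ev.cmdline))
    return bool(a0) and a0 != stem(ev.image)


def hunt(procs, nets):
    """Return (rule, pid, detail) tuples for every indicator that fires."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if image_cmdline_mismatch(p):
            findings.append(("hollowed_host", p.pid, p.image))
        if stem(p.image) == "netsh" and re.search(r"\bwlan\s+show\s+profile", p.cmdline, re.I):
            parent = by_pid.get(p.ppid)
            # Only alert when the parent is itself suspect: a .NET host or a hollowed image
            if parent and (stem(parent.image) in DOTNET_HOSTS or image_cmdline_mismatch(parent)):
                findings.append(("wifi_profile_dump", p.pid, p.cmdline))
    for n in nets:
        if n.dst_host.lower() == C2_HOST and n.dst_port == C2_PORT:
            findings.append(("matiex_smtp_c2", n.pid, f"{n.dst_host}:{n.dst_port}"))
        elif n.dst_port in (25, 465, 587) and stem(n.image) in DOTNET_HOSTS:
            findings.append(("smtp_from_dotnet_host", n.pid, n.image))
    return findings


# Constructed records mirroring the report's process tree; the ppid of the root
# processes and the network event are assumptions, not sandbox output.
SAMPLE_PROCS = [
    ProcEvent(1952, 4100, r"C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe"'),
    ProcEvent(1736, 1952, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe"'),
    ProcEvent(3696, 1736, r"C:\Windows\SysWOW64\netsh.exe", '"netsh" wlan show profile'),
    ProcEvent(2624, 712, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),  # benign, must not fire
]
SAMPLE_NETS = [
    NetEvent(1736, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
             "srvc13.turhost.com", 587),
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_PROCS, SAMPLE_NETS):
        print(f"{rule:<22} pid={pid:<5} {detail}")
```

The image-versus-command-line comparison is the cheap, generic part: it fires on this sample without knowing anything about Matiex, because hollowing leaves the spoofed command line behind while the mapped image stays MSBuild.exe. The host/port match on srvc13.turhost.com:587 is the sample-specific part and should be paired with the broader "SMTP from a .NET host" rule, since the mail server is trivially changed between builds while the abuse of MSBuild.exe is not.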

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            ID      Count
  Persistence      Registry Run Keys / Startup Folder   T1060   1
  Defense Evasion  Modify Registry                      T1112   1
  Discovery        System Information Discovery         T1082   1
  Collection       Email Collection                     T1114   1

Downloads (dropped files and memory dumps)

    • C:\Users\Admin\AppData\Local\Temp\nsu23CD.tmp\System.dll
      MD5

      fccff8cb7a1067e23fd2e2b63971a8e1

      SHA1

      30e2a9e137c1223a78a0f7b0bf96a1c361976d91

      SHA256

      6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

      SHA512

      f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    • C:\Users\Admin\AppData\Local\Temp\oird.dll
      MD5

      422cbf45447722c4464030bc4b4b69d3

      SHA1

      e49c2c126d1a1ff1c5a512f8419d763d6a19c8d1

      SHA256

      8b58260e509fe875f2efd4920b4ab64ded30f70804d12a073237f2d796448b7f

      SHA512

      0f7bf833cccca324be767c6eb972b1898dea5027ceb207b976d4c25198209f648c54bb140b7dfb47757256eb86076e07a78c39a86e73d25b4fa331ab90e65320

    • memory/1736-136-0x0000000074B40000-0x00000000752F0000-memory.dmp
      Filesize

      7.7MB

    • memory/1736-133-0x0000000000400000-0x0000000000472000-memory.dmp
      Filesize

      456KB

    • memory/1736-134-0x0000000005040000-0x00000000050DC000-memory.dmp
      Filesize

      624KB

    • memory/1736-135-0x0000000005690000-0x0000000005C34000-memory.dmp
      Filesize

      5.6MB

    • memory/1736-137-0x0000000005150000-0x00000000051B6000-memory.dmp
      Filesize

      408KB

    • memory/1736-138-0x00000000050E0000-0x0000000005684000-memory.dmp
      Filesize

      5.6MB

    • memory/1736-139-0x0000000006730000-0x00000000068F2000-memory.dmp
      Filesize

      1.8MB

    • memory/1736-152-0x0000000006600000-0x0000000006692000-memory.dmp
      Filesize

      584KB

    • memory/1736-154-0x00000000065D0000-0x00000000065DA000-memory.dmp
      Filesize

      40KB

    • memory/1952-132-0x0000000010000000-0x0000000010012000-memory.dmp
      Filesize

      72KB

    • memory/2624-153-0x000001CE3CF40000-0x000001CE3CF44000-memory.dmp
      Filesize

      16KB