Overview

overview

10

Static

static

LlW4ErKRQ3PVoGb.exe

windows7_x64

10

LlW4ErKRQ3PVoGb.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09-02-2022 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LlW4ErKRQ3PVoGb.exe

  • Size

    1.1MB

  • MD5

    5e53df92e2abdbc2305049f51140fec6

  • SHA1

    c9a1d423fed180ec73be60ec740bfc0ae9120f82

  • SHA256

    d3dd7dee8c874b7d1d1d6b5e499dedd7b049d82676213c0a317078a900a78451

  • SHA512

    2f038af89c1fc8747e27f5a6675584954e975bf69917ac50526c06eff007c01b404538df3f9f217d1ab8c1d46c6d25b28360d069025d9cee419e931e75601aaf

Score
10/10
matiexcollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe
    "C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OTCGvolJkVNKsE.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OTCGvolJkVNKsE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4634.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:968
    • C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe
      "C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1532
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
          PID:1076

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp4634.tmp
      MD5

      0d5bfe1ebaf671a7bc9d937aef81ce13

      SHA1

      09fa4ceda30889b800e5e2d990d0911114c34615

      SHA256

      f0ac074ea175ec79c4ef2b69eb48a32b2a3ecfe1ed3faf2ae5dc86953f21a29f

      SHA512

      41a719f6a0ca1a9710a652cdf5a7e2ab1398fd01b684555d5222b072928563161b160ee124660397074b017c93f0d097d2d2355d77a7e35960e2173af6141c08

      Download Submit
    • memory/1268-58-0x0000000000770000-0x000000000077C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1268-57-0x00000000008E0000-0x00000000008E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1268-59-0x0000000005710000-0x0000000005806000-memory.dmp
      Filesize

      984KB

      Download
    • memory/1268-55-0x000000007469E000-0x000000007469F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1268-56-0x0000000001030000-0x0000000001150000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1532-71-0x00000000733EE000-0x00000000733EF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1532-62-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1532-63-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1532-64-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1532-65-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1532-66-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1532-67-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1532-74-0x0000000005800000-0x0000000005801000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1960-60-0x0000000075F81000-0x0000000075F83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1960-72-0x0000000002831000-0x0000000002832000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1960-69-0x0000000002830000-0x0000000002831000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1960-70-0x000000006E912000-0x000000006E914000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1960-73-0x0000000002832000-0x0000000002834000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1960-68-0x000000006E911000-0x000000006E912000-memory.dmp
      Filesize

      4KB

      Download