Overview

overview

10

Static

static

LlW4ErKRQ3PVoGb.exe

windows7_x64

10

LlW4ErKRQ3PVoGb.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    09-02-2022 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LlW4ErKRQ3PVoGb.exe

  • Size

    1.1MB

  • MD5

    5e53df92e2abdbc2305049f51140fec6

  • SHA1

    c9a1d423fed180ec73be60ec740bfc0ae9120f82

  • SHA256

    d3dd7dee8c874b7d1d1d6b5e499dedd7b049d82676213c0a317078a900a78451

  • SHA512

    2f038af89c1fc8747e27f5a6675584954e975bf69917ac50526c06eff007c01b404538df3f9f217d1ab8c1d46c6d25b28360d069025d9cee419e931e75601aaf

Score
10/10
matiexcollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1769394961:AAF5BB35akL859CwVaXypIqpVsGWlaKvi7A/sendMessage?chat_id=1735544933

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe
    "C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OTCGvolJkVNKsE.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4256
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OTCGvolJkVNKsE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp621E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3504
    • C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe
      "C:\Users\Admin\AppData\Local\Temp\LlW4ErKRQ3PVoGb.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:4124
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
          PID:1996
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:632
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2284

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp621E.tmp
      MD5

      f9b13ac7710fe7ec55af5b49742dd2e2

      SHA1

      f4d6fd880af643391d98a32a4f31d4d11c72070e

      SHA256

      3b5fef01461789ed5b3307771b6f2db4c28d4ce882ad560229fb037a3ba8ee7f

      SHA512

      9fa7044d5d0f402ea7dc4eb95275f40848c6144acf59f974556e77251405e48c783669524fecff0d06f6d6a2d8653d1bd4c9ba2105236ad0e084d13f0a964b26

      Download Submit
    • memory/632-136-0x000001AF559A0000-0x000001AF559B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/632-137-0x000001AF56020000-0x000001AF56030000-memory.dmp
      Filesize

      64KB

      Download
    • memory/632-138-0x000001AF58720000-0x000001AF58724000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1344-131-0x0000000000D10000-0x0000000000E30000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1344-132-0x0000000005DC0000-0x0000000006364000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1344-133-0x0000000005810000-0x00000000058A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1344-134-0x0000000005750000-0x0000000005751000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1344-135-0x00000000057D0000-0x00000000057DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1344-139-0x0000000007BF0000-0x0000000007C8C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1344-130-0x000000007465E000-0x000000007465F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4124-148-0x000000007465E000-0x000000007465F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4124-147-0x0000000004F70000-0x0000000004FD6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4124-142-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4124-154-0x0000000006C60000-0x0000000006E22000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4124-151-0x0000000005130000-0x0000000005131000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4256-140-0x0000000005180000-0x00000000051B6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4256-155-0x0000000006D20000-0x0000000006D52000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4256-143-0x00000000058D0000-0x0000000005EF8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4256-149-0x0000000005890000-0x00000000058B2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4256-150-0x00000000060A0000-0x0000000006106000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4256-144-0x000000007465E000-0x000000007465F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4256-152-0x0000000006760000-0x000000000677E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4256-153-0x0000000005295000-0x0000000005297000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4256-145-0x0000000005290000-0x0000000005291000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4256-146-0x0000000005292000-0x0000000005293000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4256-156-0x000000006FEC0000-0x000000006FF0C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4256-157-0x0000000006CF0000-0x0000000006D0E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4256-158-0x000000007F580000-0x000000007F581000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4256-159-0x00000000080C0000-0x000000000873A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4256-160-0x0000000007A70000-0x0000000007A8A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4256-161-0x0000000007AE0000-0x0000000007AEA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4256-162-0x0000000007CF0000-0x0000000007D86000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4256-163-0x0000000007CA0000-0x0000000007CAE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4256-164-0x0000000007DB0000-0x0000000007DCA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4256-165-0x0000000007D90000-0x0000000007D98000-memory.dmp
      Filesize

      32KB

      Download