Overview

overview

10

Static

static

weg6tX6TTk78XZ5.exe

windows7_x64

10

weg6tX6TTk78XZ5.exe

windows10-2004_x64

4

Analysis

  • max time kernel
    161s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-02-2022 09:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    weg6tX6TTk78XZ5.exe

  • Size

    1.1MB

  • MD5

    ce11639e100ffbaaf01642df2947b9b1

  • SHA1

    4d4974bd4ebe6a84c44528abd3ab77b82ee84271

  • SHA256

    5f97fdcdf2c5d98b0183c91b0e070693ee0708721f4a5a7e270d752d7740111b

  • SHA512

    87e93e6e0f80d4fded10cc89c2fd3b78bd3503aa27b60765e75a381197c07b6c609e269d354ddc429445bd0aa126d0cf1fa6013847a0c4a05d566af375a50ce1

Score
10/10
matiexkeyloggerstealer

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Nigerian99

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\weg6tX6TTk78XZ5.exe
    "C:\Users\Admin\AppData\Local\Temp\weg6tX6TTk78XZ5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwYcYyO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5532.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:408
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:1224

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp5532.tmp
      MD5

      db68461994fd1b0b19a835723ae100e6

      SHA1

      f784c97afca1c5495653f4ccd6d7e031a61fe40f

      SHA256

      51c2723b218af64831b8129d880352611f6a8a14d7238d4f743d1d04e0e114b7

      SHA512

      f8e76118925ea09167393982c511736121708c43fe48fe6964b26e362302a327ee456458171a91f342f33714abc369c8d53e6dd13eb14b7e6469bb3fa16bae30

      Download Submit
    • memory/1224-64-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1224-61-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1224-62-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1224-63-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1224-65-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1224-66-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1224-67-0x0000000074B1E000-0x0000000074B1F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1600-57-0x00000000072A0000-0x00000000072A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1600-58-0x0000000000530000-0x0000000000558000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1600-59-0x0000000007140000-0x00000000071F0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/1600-56-0x0000000074B1E000-0x0000000074B1F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1600-55-0x0000000000FF0000-0x0000000001112000-memory.dmp
      Filesize

      1.1MB

      Download