matiex | 8dd97dc341e72b4830a7375c3e51de56ac35b91a31498d2dbeba929846d6129e

General

Target

wCRnCAMZ3yT8BQ2.exe
Size

938KB
MD5

2363f93331fc792ae9cb5750043bdc89
SHA1

2fc0b7b4106a28ffe7f63f36ff64fe045e8f7daa
SHA256

08c29dfa0ccb747751c5ff3ccde88f7f8a5a87152121f75f60a886b14e86bf00
SHA512

a4a47c39e03c22844725b51ffd56f3ae01e9095733e8442eaba1fcf0e3a0e1edb127a6bf4b5ab8063614829db27919dea5a0e62f9e7d320e625fc498a603ad3e

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
MARYolanmauluogwo@ever

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral8/memory/856-138-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wCRnCAMZ3yT8BQ2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	wCRnCAMZ3yT8BQ2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wCRnCAMZ3yT8BQ2.exe

description pid process target process

PID 3076 set thread context of 856 3076 wCRnCAMZ3yT8BQ2.exe wCRnCAMZ3yT8BQ2.exe

description	pid	process	target process
PID 3076 set thread context of 856	3076	wCRnCAMZ3yT8BQ2.exe	wCRnCAMZ3yT8BQ2.exe

Drops file in Windows directory 3 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3976 schtasks.exe

pid	process
3976	schtasks.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.029511"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.649355"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4328"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4168"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132901203191582435"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

wCRnCAMZ3yT8BQ2.exe

pid process

3076 wCRnCAMZ3yT8BQ2.exe

pid	process
3076	wCRnCAMZ3yT8BQ2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exe

description	pid	process
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe
Token: SeRestorePrivilege	3420	TiWorker.exe
Token: SeSecurityPrivilege	3420	TiWorker.exe
Token: SeBackupPrivilege	3420	TiWorker.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wCRnCAMZ3yT8BQ2.exe

description	pid	process	target process
PID 3076 wrote to memory of 3976	3076	wCRnCAMZ3yT8BQ2.exe	schtasks.exe
PID 3076 wrote to memory of 3976	3076	wCRnCAMZ3yT8BQ2.exe	schtasks.exe
PID 3076 wrote to memory of 3976	3076	wCRnCAMZ3yT8BQ2.exe	schtasks.exe
PID 3076 wrote to memory of 856	3076	wCRnCAMZ3yT8BQ2.exe	wCRnCAMZ3yT8BQ2.exe
PID 3076 wrote to memory of 856	3076	wCRnCAMZ3yT8BQ2.exe	wCRnCAMZ3yT8BQ2.exe
PID 3076 wrote to memory of 856	3076	wCRnCAMZ3yT8BQ2.exe	wCRnCAMZ3yT8BQ2.exe
PID 3076 wrote to memory of 856	3076	wCRnCAMZ3yT8BQ2.exe	wCRnCAMZ3yT8BQ2.exe
PID 3076 wrote to memory of 856	3076	wCRnCAMZ3yT8BQ2.exe	wCRnCAMZ3yT8BQ2.exe
PID 3076 wrote to memory of 856	3076	wCRnCAMZ3yT8BQ2.exe	wCRnCAMZ3yT8BQ2.exe
PID 3076 wrote to memory of 856	3076	wCRnCAMZ3yT8BQ2.exe	wCRnCAMZ3yT8BQ2.exe
PID 3076 wrote to memory of 856	3076	wCRnCAMZ3yT8BQ2.exe	wCRnCAMZ3yT8BQ2.exe

C:\Users\Admin\AppData\Local\Temp\wCRnCAMZ3yT8BQ2.exe
"C:\Users\Admin\AppData\Local\Temp\wCRnCAMZ3yT8BQ2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uXbGRRvcbY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B43.tmp"
2⤵
- Creates scheduled task(s)
PID:3976

C:\Users\Admin\AppData\Local\Temp\wCRnCAMZ3yT8BQ2.exe
"{path}"
2⤵
PID:856

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3564

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3B43.tmp

MD5
0c123879e4e014034dd6f1409878f557

SHA1
39c032b0dfc209175e0b544b31a679c1fd36673c

SHA256
d881c68e5bb8912046033fe9618922bc3c95ce1e1c4923c86033da4095a9f475

SHA512
45b1086e671ef2fe473748af71d9c3a2e4ca769cea690adc9c2bfe13877a7c26a4d84042ec752f09a2ce75f837e9b740704438e178110a72453c79a16951b2df

Download Submit
memory/856-138-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/856-139-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/856-140-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/856-141-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/3076-130-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/3076-131-0x0000000000CF0000-0x0000000000DE0000-memory.dmp

Filesize
960KB

Download
memory/3076-132-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/3076-133-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/3076-134-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/3076-135-0x0000000005BC0000-0x0000000005BCA000-memory.dmp

Filesize
40KB

Download
memory/3076-136-0x0000000007BE0000-0x0000000007C7C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads