matiex | 0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971

General

Target

0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
Size

664KB
MD5

329d395b6edfc1c931bbd0c9dd8b5be5
SHA1

d6cbbeaec3e3571acc01470b01ea4e926e9a4a50
SHA256

0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971
SHA512

6ae1fb8aa6dd4fbbf0d70587bbf6ff291514ef33d2b4699d50a9ccac55b692a457a6d94dc7afca611d781d12da47c65c505314faf2015f34141639bcd263bff1

Score

10^/10

matiex collection keylogger persistence spyware stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
kerekesfoto.com
Port:
587
Username:
[email protected]
Password:
^VrNT3@F81sT
Email To:
[email protected]

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/836-63-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex
behavioral1/memory/836-64-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex
behavioral1/memory/836-65-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex
behavioral1/memory/836-66-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\May_Order Sheet = "\"C:\\Users\\Admin\\AppData\\Roaming\\May_Order Sheet.exe\""	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 checkip.dyndns.org

flow	ioc
8	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe

description	pid	process	target process
PID 1788 set thread context of 836	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exepowershell.exe

pid process

1788 0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
1328 powershell.exe

pid	process
1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
1328	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
Token: SeDebugPrivilege	836	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
Token: SeDebugPrivilege	1328	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exeWScript.exe

description	pid	process	target process
PID 1788 wrote to memory of 112	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	WScript.exe
PID 1788 wrote to memory of 112	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	WScript.exe
PID 1788 wrote to memory of 112	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	WScript.exe
PID 1788 wrote to memory of 112	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	WScript.exe
PID 1788 wrote to memory of 836	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
PID 1788 wrote to memory of 836	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
PID 1788 wrote to memory of 836	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
PID 1788 wrote to memory of 836	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
PID 1788 wrote to memory of 836	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
PID 1788 wrote to memory of 836	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
PID 1788 wrote to memory of 836	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
PID 1788 wrote to memory of 836	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
PID 1788 wrote to memory of 836	1788	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
PID 112 wrote to memory of 1328	112	WScript.exe	powershell.exe
PID 112 wrote to memory of 1328	112	WScript.exe	powershell.exe
PID 112 wrote to memory of 1328	112	WScript.exe	powershell.exe
PID 112 wrote to memory of 1328	112	WScript.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe

outlook_win_path 1 IoCs

Processes:

0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe

C:\Users\Admin\AppData\Local\Temp\0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
"C:\Users\Admin\AppData\Local\Temp\0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zScjhszlm.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\May_Order Sheet.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Users\Admin\AppData\Local\Temp\0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
C:\Users\Admin\AppData\Local\Temp\0ae903ec33ad4f930697e461f869e86410dc4d22cf26de40f5775283c002d971.exe
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zScjhszlm.vbs
MD5
b910210df5a4e96b83f11214708ea633

SHA1
b4368f43de269090f84739642a2d9ccec2b56a2a

SHA256
6fe84bd69125b1501ae0d8a298c581c1a6ae8aa1c09d779176658067dc62c66f

SHA512
fd2cafa2d9626a4297919250d74b8b9d76fcb706af8645f115fac16f7e47ef48796ac43d38b1e3bf2364403c652d181d6a9c809b556b921cb1c4ba7e7d3dac5b

Download Submit
memory/112-60-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/836-64-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/836-65-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/836-68-0x000000007432E000-0x000000007432F000-memory.dmp

Filesize
4KB

Download
memory/836-69-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/836-66-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/836-61-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/836-62-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/836-63-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1328-70-0x000000006F7D1000-0x000000006F7D2000-memory.dmp

Filesize
4KB

Download
memory/1328-71-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1328-72-0x000000006F7D2000-0x000000006F7D4000-memory.dmp

Filesize
8KB

Download
memory/1328-74-0x0000000002732000-0x0000000002734000-memory.dmp

Filesize
8KB

Download
memory/1328-73-0x0000000002731000-0x0000000002732000-memory.dmp

Filesize
4KB

Download
memory/1788-54-0x00000000009F0000-0x0000000000A9C000-memory.dmp

Filesize
688KB

Download
memory/1788-57-0x0000000004CF0000-0x0000000004D6E000-memory.dmp

Filesize
504KB

Download
memory/1788-55-0x000000007432E000-0x000000007432F000-memory.dmp

Filesize
4KB

Download
memory/1788-56-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1788-58-0x0000000000990000-0x00000000009B0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads