matiex | 44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf

General

Target

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
Size

206KB
MD5

386f1bf4e2814eeee955fa8003fb7753
SHA1

5549b5b787a80012e9d6da305567a77d790cc9a4
SHA256

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf
SHA512

fb05890dd28745f3c294a591394e86b8aed61bc7b7dd265ea3bc147303d2b95808cf02093c6c628cb02a6607909415a84a1819c7998c1ec5f0e98bc8852b4509

Score

10^/10

matiex collection keylogger persistence spyware stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
pro02.emailserver.vn
Port:
587
Username:
[email protected]
Password:
lv123456
Email To:
[email protected]

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1000-65-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex
behavioral1/memory/1000-67-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex
behavioral1/memory/1000-69-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex
behavioral1/memory/1000-71-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex
behavioral1/memory/1000-73-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\P.O 0012150746 = "\"C:\\Users\\Admin\\AppData\\Roaming\\P.O 0012150746 .exe\""	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 checkip.dyndns.org
12 freegeoip.app
13 freegeoip.app

flow	ioc
8	checkip.dyndns.org
12	freegeoip.app
13	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	pid	process	target process
PID 756 set thread context of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exepowershell.exe44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

pid	process
756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
1396	powershell.exe
1000	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
Token: SeDebugPrivilege	1000	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
Token: SeDebugPrivilege	1396	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exeWScript.exe

outlook_office_path 1 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

outlook_win_path 1 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

C:\Users\Admin\AppData\Local\Temp\44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
"C:\Users\Admin\AppData\Local\Temp\44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zFkybotkiljgxan.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\P.O 0012150746 .exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\AppData\Local\Temp\44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
C:\Users\Admin\AppData\Local\Temp\44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zFkybotkiljgxan.vbs
MD5
88cb55eef1ee371e2ac5851bbc8b542e

SHA1
13ccb1f3bd4d11ca953c5470af7a5cd1d3de1b49

SHA256
9cf37b29f3f9c930de5fa89ea0bb38db2b71547ce8739fb72b6ea1b9e7b03b8a

SHA512
dd3667da0c242cf68bb5568e03f8618165c5eedf4556dba0e3de901e6b32f066100a33924a6320990328df469654d7fa4dbdef388a0a95533688e5e5b4ffc63b

Download Submit
memory/756-54-0x0000000000AC0000-0x0000000000AFA000-memory.dmp

Filesize
232KB

Download
memory/756-55-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/756-56-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/756-57-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/756-58-0x0000000000620000-0x0000000000644000-memory.dmp

Filesize
144KB

Download
memory/1000-67-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1000-73-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1000-63-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1000-65-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1000-60-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1000-69-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1000-71-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1000-79-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1000-75-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/1336-62-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/1396-77-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1396-76-0x00000000706B0000-0x0000000070C5B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-81-0x0000000002572000-0x0000000002574000-memory.dmp

Filesize
8KB

Download
memory/1396-80-0x0000000002571000-0x0000000002572000-memory.dmp

Filesize
4KB

Download
memory/1396-78-0x00000000706B0000-0x0000000070C5B000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 756 wrote to memory of 1336	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	WScript.exe
PID 756 wrote to memory of 1336	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	WScript.exe
PID 756 wrote to memory of 1336	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	WScript.exe
PID 756 wrote to memory of 1336	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	WScript.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 756 wrote to memory of 1000	756	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 1336 wrote to memory of 1396	1336	WScript.exe	powershell.exe
PID 1336 wrote to memory of 1396	1336	WScript.exe	powershell.exe
PID 1336 wrote to memory of 1396	1336	WScript.exe	powershell.exe
PID 1336 wrote to memory of 1396	1336	WScript.exe	powershell.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads