matiex | 44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf

General

Target

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
Size

206KB
MD5

386f1bf4e2814eeee955fa8003fb7753
SHA1

5549b5b787a80012e9d6da305567a77d790cc9a4
SHA256

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf
SHA512

fb05890dd28745f3c294a591394e86b8aed61bc7b7dd265ea3bc147303d2b95808cf02093c6c628cb02a6607909415a84a1819c7998c1ec5f0e98bc8852b4509

Score

10^/10

matiex collection keylogger persistence spyware stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
pro02.emailserver.vn
Port:
587
Username:
[email protected]
Password:
lv123456
Email To:
[email protected]

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3988-137-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\P.O 0012150746 = "\"C:\\Users\\Admin\\AppData\\Roaming\\P.O 0012150746 .exe\""	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 checkip.dyndns.org
47 freegeoip.app
48 freegeoip.app

flow	ioc
45	checkip.dyndns.org
47	freegeoip.app
48	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	pid	process	target process
PID 3028 set thread context of 3988	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies registry class 1 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exepowershell.exe44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

pid	process
3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
3980	powershell.exe
3980	powershell.exe
3988	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exepowershell.exe44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	pid	process
Token: SeDebugPrivilege	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3988	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exeWScript.exe

description	pid	process	target process
PID 3028 wrote to memory of 3372	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	WScript.exe
PID 3028 wrote to memory of 3372	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	WScript.exe
PID 3028 wrote to memory of 3372	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	WScript.exe
PID 3028 wrote to memory of 3988	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 3028 wrote to memory of 3988	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 3028 wrote to memory of 3988	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 3028 wrote to memory of 3988	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 3028 wrote to memory of 3988	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 3028 wrote to memory of 3988	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 3028 wrote to memory of 3988	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 3028 wrote to memory of 3988	3028	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
PID 3372 wrote to memory of 3980	3372	WScript.exe	powershell.exe
PID 3372 wrote to memory of 3980	3372	WScript.exe	powershell.exe
PID 3372 wrote to memory of 3980	3372	WScript.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

outlook_win_path 1 IoCs

Processes:

44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe

C:\Users\Admin\AppData\Local\Temp\44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
"C:\Users\Admin\AppData\Local\Temp\44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zFkybotkiljgxan.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\P.O 0012150746 .exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Users\Admin\AppData\Local\Temp\44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
C:\Users\Admin\AppData\Local\Temp\44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3988

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
1⤵
- Checks processor information in registry
PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\44a661eff11b329b93eccf84e1eb9383201f51ac7751873ca740b46d7493edaf.exe.log
MD5
3c8c1bb0a7c12a212fdf3ba96c6fc9be

SHA1
4d91c3731bdb7d39f4489482b3a218b4fdce7fe1

SHA256
db0f42a48073ece1007980ff023dabe80d592fee88a2a2339a5f99b61ce1138b

SHA512
ec81622905c0905a76768428877b6a2c574d34218b83aad6ed59d61ba68f60082e6f5ad7ebc641e8c32bd1a3feeb2f0a6992a406662f7a021f7c0db322e855f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zFkybotkiljgxan.vbs
MD5
88cb55eef1ee371e2ac5851bbc8b542e

SHA1
13ccb1f3bd4d11ca953c5470af7a5cd1d3de1b49

SHA256
9cf37b29f3f9c930de5fa89ea0bb38db2b71547ce8739fb72b6ea1b9e7b03b8a

SHA512
dd3667da0c242cf68bb5568e03f8618165c5eedf4556dba0e3de901e6b32f066100a33924a6320990328df469654d7fa4dbdef388a0a95533688e5e5b4ffc63b

Download Submit
memory/3028-131-0x0000000000940000-0x000000000097A000-memory.dmp

Filesize
232KB

Download
memory/3028-132-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3028-133-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/3028-134-0x0000000005440000-0x00000000054B6000-memory.dmp

Filesize
472KB

Download
memory/3028-135-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/3028-130-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3980-159-0x0000000009590000-0x00000000095AE000-memory.dmp

Filesize
120KB

Download
memory/3980-149-0x0000000007202000-0x0000000007203000-memory.dmp

Filesize
4KB

Download
memory/3980-167-0x0000000009CD0000-0x0000000009CD8000-memory.dmp

Filesize
32KB

Download
memory/3980-166-0x0000000009CF0000-0x0000000009D0A000-memory.dmp

Filesize
104KB

Download
memory/3980-144-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3980-145-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/3980-146-0x0000000004C80000-0x0000000004CB6000-memory.dmp

Filesize
216KB

Download
memory/3980-165-0x0000000009BE0000-0x0000000009BEE000-memory.dmp

Filesize
56KB

Download
memory/3980-148-0x0000000007840000-0x0000000007E68000-memory.dmp

Filesize
6.2MB

Download
memory/3980-160-0x000000007F070000-0x000000007F071000-memory.dmp

Filesize
4KB

Download
memory/3980-150-0x00000000077F0000-0x0000000007812000-memory.dmp

Filesize
136KB

Download
memory/3980-151-0x0000000007F10000-0x0000000007F76000-memory.dmp

Filesize
408KB

Download
memory/3980-152-0x0000000008520000-0x000000000853E000-memory.dmp

Filesize
120KB

Download
memory/3980-164-0x0000000009C30000-0x0000000009CC6000-memory.dmp

Filesize
600KB

Download
memory/3980-163-0x0000000009A20000-0x0000000009A2A000-memory.dmp

Filesize
40KB

Download
memory/3980-162-0x00000000099B0000-0x00000000099CA000-memory.dmp

Filesize
104KB

Download
memory/3980-156-0x0000000007205000-0x0000000007207000-memory.dmp

Filesize
8KB

Download
memory/3980-157-0x00000000095D0000-0x0000000009602000-memory.dmp

Filesize
200KB

Download
memory/3980-158-0x0000000070150000-0x000000007019C000-memory.dmp

Filesize
304KB

Download
memory/3980-161-0x000000000A000000-0x000000000A67A000-memory.dmp

Filesize
6.5MB

Download
memory/3988-153-0x0000000006BF0000-0x0000000006C82000-memory.dmp

Filesize
584KB

Download
memory/3988-137-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3988-155-0x0000000006B70000-0x0000000006B7A000-memory.dmp

Filesize
40KB

Download
memory/3988-154-0x0000000006E60000-0x0000000007022000-memory.dmp

Filesize
1.8MB

Download
memory/3988-139-0x0000000005380000-0x000000000541C000-memory.dmp

Filesize
624KB

Download
memory/3988-147-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/3988-142-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3988-140-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads