matiex | 5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e

General

Target

5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe
Size

463KB
MD5

81410395168c758d78cfbd5494638a4b
SHA1

7617905ea5b349e2730b74555d923af2765403df
SHA256

5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e
SHA512

dc9d785e013b0490a809f1bc2052f9c63b3eadb96c1b0808085261411d35f628a9bc83940b163a57d2c544af18b5aa48baa0c17f5c7810883b183977530db049

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
srvc13.turhost.com
Port:
587
Username:
[email protected]
Password:
italik2015

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4968-139-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe

description	pid	process	target process
PID 1728 set thread context of 4968	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

216 schtasks.exe

pid	process
216	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe

description	pid	process	target process
PID 1728 wrote to memory of 216	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	schtasks.exe
PID 1728 wrote to memory of 216	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	schtasks.exe
PID 1728 wrote to memory of 216	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	schtasks.exe
PID 1728 wrote to memory of 4968	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe
PID 1728 wrote to memory of 4968	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe
PID 1728 wrote to memory of 4968	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe
PID 1728 wrote to memory of 4968	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe
PID 1728 wrote to memory of 4968	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe
PID 1728 wrote to memory of 4968	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe
PID 1728 wrote to memory of 4968	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe
PID 1728 wrote to memory of 4968	1728	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe	5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe

C:\Users\Admin\AppData\Local\Temp\5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe
"C:\Users\Admin\AppData\Local\Temp\5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NjIKDYqFyXTnrv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7BB.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:216
- C:\Users\Admin\AppData\Local\Temp\5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe
  "{path}"
  2⤵
  PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5da5578035df5cd6d4853b66f68e1a1c1f074da1b1f90fc2282f5694cffa8d0e.exe.log

MD5
6f8f3a9a57cb30e686d3355e656031e0

SHA1
acccd6befb1a2f40e662280bc5182e086a0d079b

SHA256
283586e83b25099a5698cb9caf9c594a37060d11e0f55c81bb9c6d4f728448ea

SHA512
8f11d645ff4f8d5b1c45b06eb52cd45319659255306d60e80e33abfd04b9e3b1164679f11a8a23bd493e4b3f6b9841d70e553a01835eeaf6035b4d05e4fd7b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD7BB.tmp

MD5
3804cc31b1d8346adc4bcc88db86ab1b

SHA1
f54218db35f12f3d8e7da9230c6111f98891279d

SHA256
4d9bb7d152566f37b7b1c2ce3643cfaefc4bd8b89d1846f0d0f866393e565689

SHA512
f4c066548d14161b208db4f0a2f41f67f7d0a4d0e55cd24088aed88969b9944b577a63fba4d6e973e9c8ce29b381b884c9a6c0dc140ccaa3dcedc2ec3b0159d4

Download Submit
memory/1728-130-0x0000000000770000-0x00000000007EA000-memory.dmp

Filesize
488KB

Download
memory/1728-131-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/1728-132-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/1728-133-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1728-134-0x0000000005240000-0x000000000524A000-memory.dmp

Filesize
40KB

Download
memory/1728-135-0x00000000050A0000-0x0000000005644000-memory.dmp

Filesize
5.6MB

Download
memory/1728-136-0x0000000007BA0000-0x00000000080CC000-memory.dmp

Filesize
5.2MB

Download
memory/1728-137-0x0000000007710000-0x00000000077AC000-memory.dmp

Filesize
624KB

Download
memory/4968-139-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4968-141-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads