matiex | 8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9

General

Target

8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
Size

714KB
MD5

c49115957fee15612db753d73b57cce5
SHA1

bb17085140aa44761bae46b209dbd8ac20f6ce4e
SHA256

8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9
SHA512

b4c4c59816b19c01fe61bebb364b5901e75f0704f9c98bcac1fe7292043175e5b21c9208f09a119ce2fea4e0ecdec535a7e639565a9daff05f73d34994601bd8

Score

10^/10

matiex collection keylogger spyware stealer

Malware Config

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1704-57-0x0000000001230000-0x00000000012E6000-memory.dmp	family_matiex
behavioral1/memory/588-59-0x0000000000400000-0x0000000000484000-memory.dmp	family_matiex
behavioral1/memory/588-62-0x0000000000380000-0x00000000003F6000-memory.dmp	family_matiex

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

description	pid	process	target process
PID 1704 set thread context of 588	1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1200 588 WerFault.exe 8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1116 schtasks.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

pid process

1704 8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

description pid process

Token: SeDebugPrivilege 588 8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

pid	pid_target	process	target process
1200	588	WerFault.exe	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

pid	process
1116	schtasks.exe

pid	process
1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

description	pid	process
Token: SeDebugPrivilege	588	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.execmd.exe8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

description	pid	process	target process
PID 1704 wrote to memory of 1088	1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	cmd.exe
PID 1704 wrote to memory of 1088	1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	cmd.exe
PID 1704 wrote to memory of 1088	1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	cmd.exe
PID 1704 wrote to memory of 1088	1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	cmd.exe
PID 1704 wrote to memory of 588	1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
PID 1704 wrote to memory of 588	1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
PID 1704 wrote to memory of 588	1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
PID 1704 wrote to memory of 588	1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
PID 1704 wrote to memory of 588	1704	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
PID 1088 wrote to memory of 1116	1088	cmd.exe	schtasks.exe
PID 1088 wrote to memory of 1116	1088	cmd.exe	schtasks.exe
PID 1088 wrote to memory of 1116	1088	cmd.exe	schtasks.exe
PID 1088 wrote to memory of 1116	1088	cmd.exe	schtasks.exe
PID 588 wrote to memory of 1200	588	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	WerFault.exe
PID 588 wrote to memory of 1200	588	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	WerFault.exe
PID 588 wrote to memory of 1200	588	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	WerFault.exe
PID 588 wrote to memory of 1200	588	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

outlook_win_path 1 IoCs

Processes:

8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe

C:\Users\Admin\AppData\Local\Temp\8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
"C:\Users\Admin\AppData\Local\Temp\8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\e8fb1ebd850140caa97509d1d746dfb1.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\e8fb1ebd850140caa97509d1d746dfb1.xml"
3⤵
- Creates scheduled task(s)
PID:1116

C:\Users\Admin\AppData\Local\Temp\8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe
"C:\Users\Admin\AppData\Local\Temp\8084d00ab4f95726557c2183e07610caf668448e69e4bfed8b925e763b42c9a9.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 1136
3⤵
- Program crash
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e8fb1ebd850140caa97509d1d746dfb1.xml
MD5
39a7aa8aa4e26ff13dd3e81cc077ff2c

SHA1
2a2f757c27527e69e8ae581e1e5f2cc018ac25bb

SHA256
dc468541de7d0c88600dcf6023a93530851fe5de0c3b6c328cf7fc2d82fd81e7

SHA512
3dff013449489584e87c657f8700b20e2d6253d11037cc66656f483d7f0537cef2d2cb08ab7aef42a64a03cff5321676c489fb05a514aecc6eec31f5ee6e6434

Download Submit
memory/588-59-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/588-60-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/588-61-0x00000000010C1000-0x00000000010C2000-memory.dmp

Filesize
4KB

Download
memory/588-62-0x0000000000380000-0x00000000003F6000-memory.dmp

Filesize
472KB

Download
memory/588-64-0x00000000010C3000-0x00000000010C4000-memory.dmp

Filesize
4KB

Download
memory/588-63-0x00000000010C2000-0x00000000010C3000-memory.dmp

Filesize
4KB

Download
memory/588-65-0x00000000010C4000-0x00000000010C5000-memory.dmp

Filesize
4KB

Download
memory/1704-54-0x0000000075CC1000-0x0000000075CC3000-memory.dmp

Filesize
8KB

Download
memory/1704-55-0x0000000001230000-0x00000000012E6000-memory.dmp

Filesize
728KB

Download
memory/1704-57-0x0000000001230000-0x00000000012E6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads