matiex | 1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303

General

Target

1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
Size

714KB
MD5

a1b7c4cb44a36d4f678d43e505890d17
SHA1

9fdc08a85dc110468dbb7839e63269f119fadade
SHA256

1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303
SHA512

4deccb22cdf3d9cd814315b54c5fca9f837bb5858be431719e68cdb04a1e69273888007f2bf2a7b2427f76b74f4b566144501587269d4cc07da370be8240fc38

Score

10^/10

matiex collection keylogger spyware stealer

Malware Config

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1164-57-0x00000000011E0000-0x0000000001296000-memory.dmp	family_matiex
behavioral1/memory/964-59-0x0000000000400000-0x0000000000484000-memory.dmp	family_matiex
behavioral1/memory/964-60-0x0000000001140000-0x00000000011B6000-memory.dmp	family_matiex

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

description	pid	process	target process
PID 1164 set thread context of 964	1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1076 964 WerFault.exe 1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

764 schtasks.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

pid process

1164 1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

description pid process

Token: SeDebugPrivilege 964 1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

pid	pid_target	process	target process
1076	964	WerFault.exe	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

pid	process
764	schtasks.exe

pid	process
1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

description	pid	process
Token: SeDebugPrivilege	964	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.execmd.exe1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

description	pid	process	target process
PID 1164 wrote to memory of 908	1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	cmd.exe
PID 1164 wrote to memory of 908	1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	cmd.exe
PID 1164 wrote to memory of 908	1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	cmd.exe
PID 1164 wrote to memory of 908	1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	cmd.exe
PID 1164 wrote to memory of 964	1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
PID 1164 wrote to memory of 964	1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
PID 1164 wrote to memory of 964	1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
PID 1164 wrote to memory of 964	1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
PID 1164 wrote to memory of 964	1164	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
PID 908 wrote to memory of 764	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 764	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 764	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 764	908	cmd.exe	schtasks.exe
PID 964 wrote to memory of 1076	964	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	WerFault.exe
PID 964 wrote to memory of 1076	964	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	WerFault.exe
PID 964 wrote to memory of 1076	964	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	WerFault.exe
PID 964 wrote to memory of 1076	964	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

outlook_win_path 1 IoCs

Processes:

1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe

C:\Users\Admin\AppData\Local\Temp\1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
"C:\Users\Admin\AppData\Local\Temp\1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\e8fb1ebd850140caa97509d1d746dfb1.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\e8fb1ebd850140caa97509d1d746dfb1.xml"
3⤵
- Creates scheduled task(s)
PID:764

C:\Users\Admin\AppData\Local\Temp\1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe
"C:\Users\Admin\AppData\Local\Temp\1fb4d2c2e31c42e486a28283ba1f9ec1b46643ffe2bbe46b0d096382040fe303.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1180
3⤵
- Program crash
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e8fb1ebd850140caa97509d1d746dfb1.xml
MD5
39a7aa8aa4e26ff13dd3e81cc077ff2c

SHA1
2a2f757c27527e69e8ae581e1e5f2cc018ac25bb

SHA256
dc468541de7d0c88600dcf6023a93530851fe5de0c3b6c328cf7fc2d82fd81e7

SHA512
3dff013449489584e87c657f8700b20e2d6253d11037cc66656f483d7f0537cef2d2cb08ab7aef42a64a03cff5321676c489fb05a514aecc6eec31f5ee6e6434

Download Submit
memory/964-59-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/964-60-0x0000000001140000-0x00000000011B6000-memory.dmp

Filesize
472KB

Download
memory/964-61-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/964-62-0x00000000003C1000-0x00000000003C2000-memory.dmp

Filesize
4KB

Download
memory/964-64-0x00000000003C3000-0x00000000003C4000-memory.dmp

Filesize
4KB

Download
memory/964-63-0x00000000003C2000-0x00000000003C3000-memory.dmp

Filesize
4KB

Download
memory/964-65-0x00000000003C4000-0x00000000003C5000-memory.dmp

Filesize
4KB

Download
memory/1164-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1164-55-0x00000000011E0000-0x0000000001296000-memory.dmp

Filesize
728KB

Download
memory/1164-57-0x00000000011E0000-0x0000000001296000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads