matiex | 382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7

General

Target

382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
Size

418KB
MD5

1fb9ed11df573b8d7b760c35555303f8
SHA1

0ff20a1f73b225c8efc056fd38bbc71b7110a666
SHA256

382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7
SHA512

7ab5dd57f8969570537e89397b8151e0f9eb3e99da73c53a403c0aa92806729a2bc7b9e35e9d669057e9a24d6bce20254dd6cc1937e545ec7db30c57c6f9af1d

Score

10^/10

matiex evasion keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: ftp
Host:
ftp://ftp.diamondassetinvest.com/
Port:
21
Username:
[email protected]
Password:
Kilimanjaro@123

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1604-63-0x0000000000400000-0x0000000000478000-memory.dmp	family_matiex
behavioral1/memory/1604-64-0x0000000000400000-0x0000000000478000-memory.dmp	family_matiex
behavioral1/memory/1604-65-0x0000000000400000-0x0000000000478000-memory.dmp	family_matiex
behavioral1/memory/1604-66-0x000000000047219E-mapping.dmp	family_matiex
behavioral1/memory/1604-68-0x0000000000400000-0x0000000000478000-memory.dmp	family_matiex
behavioral1/memory/1604-70-0x0000000000400000-0x0000000000478000-memory.dmp	family_matiex

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
8 freegeoip.app
9 freegeoip.app

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

description	pid	process	target process
PID 1692 set thread context of 1604	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1440 schtasks.exe

pid	process
1440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

pid	process
1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

description	pid	process
Token: SeDebugPrivilege	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
Token: SeDebugPrivilege	1604	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

description	pid	process	target process
PID 1692 wrote to memory of 1440	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	schtasks.exe
PID 1692 wrote to memory of 1440	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	schtasks.exe
PID 1692 wrote to memory of 1440	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	schtasks.exe
PID 1692 wrote to memory of 1440	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	schtasks.exe
PID 1692 wrote to memory of 1604	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
PID 1692 wrote to memory of 1604	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
PID 1692 wrote to memory of 1604	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
PID 1692 wrote to memory of 1604	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
PID 1692 wrote to memory of 1604	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
PID 1692 wrote to memory of 1604	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
PID 1692 wrote to memory of 1604	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
PID 1692 wrote to memory of 1604	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
PID 1692 wrote to memory of 1604	1692	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe	382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe

C:\Users\Admin\AppData\Local\Temp\382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
"C:\Users\Admin\AppData\Local\Temp\382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HXdZwyHsW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5699.tmp"
2⤵
- Creates scheduled task(s)
PID:1440

C:\Users\Admin\AppData\Local\Temp\382292e13fba8db3e1e50b6d7e604274a70c07418e09fa9b3b1532b20df6c6d7.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5699.tmp
Filesize
1KB

MD5
493ad4dc4169b87ef4f6ccb2d100eaf8

SHA1
892617f2185f4f04ac5a93dbc4020741ab1dddbc

SHA256
a48cc050c3900ead3cc7565dbb51baad4b340059255d7527c9cea41860bbe507

SHA512
ff9f1164a9f07dbc626d00e256b0098b6ddcafa64e390f622a1edd4819dacb33f6a40068b36edaf72a78270f0ce5b6e52964b96557ff008e9d75b13204204e57

Download Submit
memory/1440-58-0x0000000000000000-mapping.dmp

Download
memory/1604-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1604-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1604-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1604-63-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1604-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1604-66-0x000000000047219E-mapping.dmp

Download
memory/1604-68-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1604-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1692-57-0x00000000099A0000-0x0000000009A42000-memory.dmp

Filesize
648KB

Download
memory/1692-56-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1692-55-0x0000000000C00000-0x0000000000C5E000-memory.dmp

Filesize
376KB

Download
memory/1692-54-0x0000000000340000-0x00000000003B2000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads