Analysis Overview
SHA256
b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443
Threat Level: Known bad
The file b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443 was found to be: Known bad.
Malicious Activity Summary
Meta Stealer Stealer
Matiex Main Payload
Matiex
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Checks BIOS information in registry
Maps connected drives based on registry
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-15 01:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-15 01:04
Reported
2022-04-15 01:34
Platform
win7-20220414-en
Max time kernel
58s
Max time network
127s
Command Line
Signatures
Matiex
Matiex Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1468 set thread context of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
"C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe"
C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1252
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
Files
memory/1468-54-0x0000000001120000-0x00000000011A0000-memory.dmp
memory/1468-55-0x0000000000CC0000-0x0000000000CDC000-memory.dmp
memory/1468-56-0x00000000052F0000-0x0000000005390000-memory.dmp
memory/1996-58-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1996-57-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1996-60-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1996-61-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1996-62-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1996-63-0x000000000047064E-mapping.dmp
memory/1996-65-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1996-67-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1548-68-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-15 01:04
Reported
2022-04-15 01:34
Platform
win10v2004-20220414-en
Max time kernel
131s
Max time network
148s
Command Line
Signatures
Matiex
Matiex Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Meta Stealer Stealer
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1332 set thread context of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
"C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe"
C:\Users\Admin\AppData\Local\Temp\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe
"{path}"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| NL | 13.69.109.130:443 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 188.114.96.0:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/1332-130-0x0000000000670000-0x00000000006F0000-memory.dmp
memory/1332-131-0x0000000005560000-0x0000000005B04000-memory.dmp
memory/1332-132-0x0000000005090000-0x0000000005122000-memory.dmp
memory/1332-133-0x0000000005240000-0x000000000524A000-memory.dmp
memory/1332-134-0x0000000006140000-0x000000000666C000-memory.dmp
memory/1332-135-0x0000000001000000-0x000000000109C000-memory.dmp
memory/1332-136-0x0000000006050000-0x00000000060B6000-memory.dmp
memory/3272-137-0x0000000000000000-mapping.dmp
memory/3272-138-0x0000000000400000-0x0000000000476000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b097152c915056f81d69ceba4f124165b942c4b6d6c426aaa273c6d183dde443.exe.log
| MD5 | ddde88120da5a6e61cf1c0d1fc3f5c99 |
| SHA1 | aef94de11f90c3e6a99478c03d24aa355a6d0e52 |
| SHA256 | 353067996dbacb8d3ae38dcc754d06b92e34b8511ebe2fda8c2358bbf6b79924 |
| SHA512 | 64994ad92b4751bf3d580ec683e9387d9f05fe44bcb80c343470e992ac793f94f4811ab7c4f2e7240d40d5fe49df8191b781ef994a7c30df1f80940c7b06e8bd |
memory/4480-140-0x0000000000000000-mapping.dmp
memory/3272-141-0x0000000007050000-0x0000000007212000-memory.dmp
memory/3272-142-0x0000000005370000-0x0000000005914000-memory.dmp