Analysis Overview
SHA256
a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd
Threat Level: Known bad
The file a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd was found to be: Known bad.
Malicious Activity Summary
Matiex family
Matiex Main Payload
Matiex
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
outlook_office_path
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-15 12:25
Signatures
Matiex Main Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Matiex family
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-15 12:25
Reported
2022-04-15 13:16
Platform
win7-20220414-en
Max time kernel
45s
Max time network
146s
Command Line
Signatures
Matiex
Matiex Main Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 800 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 800 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 800 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 800 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | C:\Windows\SysWOW64\netsh.exe |
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe
"C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 188.114.97.0:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| NL | 104.110.191.15:80 | repository.certum.pl | tcp |
Files
memory/800-54-0x0000000001390000-0x0000000001406000-memory.dmp
memory/1768-55-0x0000000000000000-mapping.dmp
memory/1768-56-0x0000000076561000-0x0000000076563000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-15 12:25
Reported
2022-04-15 13:16
Platform
win10v2004-20220414-en
Max time kernel
52s
Max time network
107s
Command Line
Signatures
Matiex
Matiex Main Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3520 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3520 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3520 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | C:\Windows\SysWOW64\netsh.exe |
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe
"C:\Users\Admin\AppData\Local\Temp\a7145677a983c5a94a197cd7668e61accb0bd7c71dac8be00dd14844226699cd.exe"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 188.114.97.0:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 52.182.143.208:443 | N/A | tcp |
Files
memory/3520-130-0x00000000001F0000-0x0000000000266000-memory.dmp
memory/3520-131-0x0000000004BE0000-0x0000000004C7C000-memory.dmp
memory/3520-132-0x00000000052D0000-0x0000000005874000-memory.dmp
memory/3520-133-0x0000000004D20000-0x0000000004D86000-memory.dmp
memory/4664-134-0x0000000000000000-mapping.dmp
memory/3520-135-0x00000000066B0000-0x0000000006872000-memory.dmp
memory/3520-136-0x0000000006580000-0x0000000006612000-memory.dmp
memory/3520-137-0x0000000006570000-0x000000000657A000-memory.dmp