matiex | e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087

General

Target

e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe
Size

970KB
MD5

4dec4e571974acfd903c9c9e6d554e19
SHA1

b7503c0e814605983b0b896dc71f354be2f410a2
SHA256

e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087
SHA512

089772ffba6de7c359b1cb8c49b1cd6b6c002a932c01bf74f49023df515ae241429821184cc59e168e52e003730f89706b148c716954a00594b70f603aa0969d

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
vbdftvthblxjhmhi

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1732-139-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 checkip.dyndns.org

flow	ioc
34	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe

description	pid	process	target process
PID 2920 set thread context of 1732	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3536 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe

description pid process

Token: SeDebugPrivilege 1732 e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe

pid	process
3536	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1732	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe

description	pid	process	target process
PID 2920 wrote to memory of 3536	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	schtasks.exe
PID 2920 wrote to memory of 3536	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	schtasks.exe
PID 2920 wrote to memory of 3536	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	schtasks.exe
PID 2920 wrote to memory of 1732	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe
PID 2920 wrote to memory of 1732	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe
PID 2920 wrote to memory of 1732	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe
PID 2920 wrote to memory of 1732	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe
PID 2920 wrote to memory of 1732	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe
PID 2920 wrote to memory of 1732	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe
PID 2920 wrote to memory of 1732	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe
PID 2920 wrote to memory of 1732	2920	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe	e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe

C:\Users\Admin\AppData\Local\Temp\e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe
"C:\Users\Admin\AppData\Local\Temp\e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\weVsPguwy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA26A.tmp"
2⤵
- Creates scheduled task(s)
PID:3536

C:\Users\Admin\AppData\Local\Temp\e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe
"C:\Users\Admin\AppData\Local\Temp\e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e97eb4c69c852bc11196e42af00aac74903f6093f253bdab650df2c747df1087.exe.log
Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA26A.tmp
Filesize
1KB

MD5
593ed8e580ee7ff3a00998f1a092ca89

SHA1
2a45cc85116ea84205558c47a332d8de5c5bb502

SHA256
9da30d2aedab802a8b02ed76a6148c4a87a74cf6d9e55ce5e8ee583c6253bec2

SHA512
262af3421ad43381bcd6de89b19129c3ea9c82f60516d80d3f8eb251c6e28005dad1ff442c99ac9882344bc7ac0e24082adf5a44f6ba95331ce70fda5ad93c32

Download Submit
memory/1732-138-0x0000000000000000-mapping.dmp

Download
memory/1732-139-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1732-141-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/2920-130-0x00000000001C0000-0x00000000002B8000-memory.dmp

Filesize
992KB

Download
memory/2920-131-0x0000000004CB0000-0x0000000004D4C000-memory.dmp

Filesize
624KB

Download
memory/2920-132-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/2920-133-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/2920-134-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/2920-135-0x0000000004F50000-0x0000000004FA6000-memory.dmp

Filesize
344KB

Download
memory/3536-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads