matiex | 3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab

General

Target

3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
Size

811KB
MD5

f7f85f2d85bc9f27dea6901ce759b6a0
SHA1

340cb9d1e107ecee278e10943cfc83a3e6f17abf
SHA256

3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab
SHA512

b9bdac23032c8706f8095c0def0389630b03141f38534fc73d044e7af4bfd2a8848e359b87a0c0044f621c95c7124f49304d2fb2d724347caac34b05eaa8a0b9

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.salujaford.in
Port:
587
Username:
[email protected]
Password:
saluja@#$chd

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1220-62-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/1220-63-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/1220-64-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/1220-65-0x00000000004709CE-mapping.dmp	family_matiex
behavioral1/memory/1220-67-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/1220-69-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
8 freegeoip.app
9 freegeoip.app

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe

description	pid	process	target process
PID 1844 set thread context of 1220	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1420 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe

pid process

1220 3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe

description pid process

Token: SeDebugPrivilege 1220 3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe

pid	process
1420	schtasks.exe

pid	process
1220	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe

description	pid	process
Token: SeDebugPrivilege	1220	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe

description	pid	process	target process
PID 1844 wrote to memory of 1420	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	schtasks.exe
PID 1844 wrote to memory of 1420	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	schtasks.exe
PID 1844 wrote to memory of 1420	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	schtasks.exe
PID 1844 wrote to memory of 1420	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	schtasks.exe
PID 1844 wrote to memory of 1220	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
PID 1844 wrote to memory of 1220	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
PID 1844 wrote to memory of 1220	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
PID 1844 wrote to memory of 1220	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
PID 1844 wrote to memory of 1220	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
PID 1844 wrote to memory of 1220	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
PID 1844 wrote to memory of 1220	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
PID 1844 wrote to memory of 1220	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
PID 1844 wrote to memory of 1220	1844	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe	3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe

C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
"C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aHjTIpAw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2D3.tmp"
2⤵
- Creates scheduled task(s)
PID:1420

C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC2D3.tmp
Filesize
1KB

MD5
aeead3e8f9dfce5bf75608cea87990e7

SHA1
72a670a3c7694bc26f06ce698d83969882250791

SHA256
49c95e8691f0ed57d849b9b854a547d3e1096fb2c79e25d414c2040ba53e7608

SHA512
a253e1dc30817ee693e3574ceede69c2a4af2e165ec99dccffc075786ea675eac0b7455508d21cc17b2f96343f2a9ad78753f3b6cde70285d395aec587ef046a

Download Submit
memory/1220-64-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1220-59-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1220-60-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1220-62-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1220-63-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1220-65-0x00000000004709CE-mapping.dmp

Download
memory/1220-67-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1220-69-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1420-57-0x0000000000000000-mapping.dmp

Download
memory/1844-56-0x00000000055F0000-0x00000000056E2000-memory.dmp

Filesize
968KB

Download
memory/1844-55-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/1844-54-0x0000000001100000-0x00000000011D2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads