Analysis Overview
SHA256
3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab
Threat Level: Known bad
The file 3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab was found to be: Known bad. Taken together, the signatures below describe a credential-stealing payload: it reads FTP-client, browser and mail-client profile data (including Outlook profile keys in the registry), discovers the victim's public IP address and location through web services, relaunches its own image and rewrites the child's thread context (the SetThreadContext/WriteProcessMemory pair, consistent with process-hollowing style injection), and persists through a scheduled task registered from an XML file in the user's Temp directory.
Malicious Activity Summary
Matiex
Matiex Main Payload
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
Reads user/profile data of local email clients
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-18 12:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-18 12:53
Reported
2022-04-18 19:19
Platform
win7-20220414-en
Max time kernel
149s
Max time network
155s
Signatures
Matiex
Matiex Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Seven matches, no indicator details recorded.
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1844 set thread context of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | "C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aHjTIpAw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2D3.tmp" |
| C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | "{path}" |
The second copy of the sample is the child (PID 1220) whose thread context PID 1844 rewrote; the sandbox records its command line only as the placeholder "{path}". The scheduled task is registered from an XML definition written to the user's Temp directory (tmpC2D3.tmp, hashed under Files below) under the task folder "Updates" with a random eight-character name.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 188.114.97.0:443 | freegeoip.app | tcp |
Files
Memory dump names carry the PID, a sequence number and the dumped address range. The repeated 0x00400000-0x00476000 range for PID 1220 is the image of the relaunched copy of the sample; its companion -mapping.dmp at 0x004709CE is consistent with the new thread context set by PID 1844 (SetThreadContext signature above).
memory/1844-54-0x0000000001100000-0x00000000011D2000-memory.dmp
memory/1844-55-0x00000000003C0000-0x00000000003DE000-memory.dmp
memory/1844-56-0x00000000055F0000-0x00000000056E2000-memory.dmp
memory/1420-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC2D3.tmp
| MD5 | aeead3e8f9dfce5bf75608cea87990e7 |
| SHA1 | 72a670a3c7694bc26f06ce698d83969882250791 |
| SHA256 | 49c95e8691f0ed57d849b9b854a547d3e1096fb2c79e25d414c2040ba53e7608 |
| SHA512 | a253e1dc30817ee693e3574ceede69c2a4af2e165ec99dccffc075786ea675eac0b7455508d21cc17b2f96343f2a9ad78753f3b6cde70285d395aec587ef046a |
memory/1220-59-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1220-60-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1220-62-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1220-63-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1220-64-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1220-65-0x00000000004709CE-mapping.dmp
memory/1220-67-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1220-69-0x0000000000400000-0x0000000000476000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-18 12:53
Reported
2022-04-18 19:19
Platform
win10v2004-20220414-en
Max time kernel
153s
Max time network
154s
Signatures
Matiex
Matiex Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 432 set thread context of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | "C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aHjTIpAw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC39E.tmp" |
| C:\Users\Admin\AppData\Local\Temp\3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe | "{path}" |
| C:\Windows\SysWOW64\netsh.exe | "netsh" wlan show profile |
As in the Windows 7 run, the second copy of the sample is the child (PID 2836) whose thread context PID 432 rewrote, recorded with the placeholder command line "{path}". The same task name "Updates\aHjTIpAw" is registered from a fresh Temp XML file (tmpC39E.tmp). New in this run is netsh wlan show profile, which lists the names of the saved Wi-Fi profiles (passwords would need a per-profile query with key=clear, which the sandbox did not record).
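The process lists of both runs show the same three behaviours in process-creation telemetry: a schtasks.exe /Create whose /XML comes from the user's Temp directory, the sample relaunching its own image from Temp, and netsh enumerating Wi-Fi profiles. The script below is an added example (not part of the report or of any sandbox tooling) that hunts for those three patterns over constructed Sysmon-style events. The PIDs are taken from the behavioral2 signatures and memory-dump names; the parent/child links, the placeholder parent PID 1000 and the benign control event (PID 900) are assumptions made for the example.

```python
"""Hunt for the Matiex persistence/injection chain in process-creation telemetry (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 style record (constructed, not sandbox output)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def win(*parts):
    """Join path components with a Windows separator (keeps backslashes out of f-strings)."""
    return "\\".join(parts)


# Constructed sample events shaped after behavioral2 in the report. Parent links and the
# last event (a benign task registration from the system Tasks folder) are assumptions.
SAMPLE = "3345b3680b62996cf0e617dca35459ba8cadd9eacc0cfce472c96e4e2bf1b2ab.exe"
TEMP = win("C:", "Users", "Admin", "AppData", "Local", "Temp")
EVENTS = [
    ProcEvent(432, 1000, win(TEMP, SAMPLE), '"' + win(TEMP, SAMPLE) + '"'),
    ProcEvent(4452, 432, win("C:", "Windows", "SysWOW64", "schtasks.exe"),
              '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\aHjTIpAw" '
              '/XML "' + win(TEMP, "tmpC39E.tmp") + '"'),
    ProcEvent(2836, 432, win(TEMP, SAMPLE), '"' + win(TEMP, SAMPLE) + '"'),
    ProcEvent(2868, 2836, win("C:", "Windows", "SysWOW64", "netsh.exe"),
              '"netsh" wlan show profile'),
    ProcEvent(900, 800, win("C:", "Windows", "System32", "schtasks.exe"),
              '"schtasks.exe" /Create /TN "Microsoft\\Windows\\Example" '
              '/XML "C:\\Windows\\System32\\Tasks\\Example.xml"'),
]

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RANDOM_LEAF = re.compile(r"^[A-Za-z0-9]{6,12}$")


def split_cmdline(cmdline):
    """Tokenise a Windows command line on whitespace, keeping double-quoted spans whole.
    No backslash-escape processing: Windows paths are full of backslashes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def schtasks_options(tokens):
    """Map schtasks switches to their values (switch names upper-cased; bare flags map to True)."""
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[tok.upper()] = tokens[i + 1]
            i += 2
        else:
            opts[tok.upper()] = True
            i += 1
    return opts


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (pid, tag, detail) findings for the three behaviours the report records."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        if name == "schtasks.exe":
            opts = schtasks_options(split_cmdline(e.cmdline))
            xml, tn = opts.get("/XML"), opts.get("/TN")
            # Task registered from an XML file in a user's Temp directory.
            if "/CREATE" in opts and isinstance(xml, str) and USER_TEMP.match(xml):
                tn = str(tn or "")
                detail = "task %r registered from %r" % (tn, xml)
                if tn.lower().startswith("updates\\") and RANDOM_LEAF.match(tn.rsplit("\\", 1)[-1]):
                    detail += " (Updates\\<random> naming as in the report)"
                findings.append((e.pid, "persist_schtasks_temp_xml", detail))
        elif name == "netsh.exe":
            toks = [t.lower() for t in split_cmdline(e.cmdline)[1:]]
            if toks[:3] == ["wlan", "show", "profile"]:
                findings.append((e.pid, "wifi_profile_enum", e.cmdline))
        # A Temp-resident binary spawning its own image: the precursor to the
        # SetThreadContext/WriteProcessMemory pair the sandbox flagged.
        if parent and parent.image.lower() == e.image.lower() and USER_TEMP.match(e.image):
            findings.append((e.pid, "self_spawn_from_temp",
                             "PID %d relaunched its own image %s" % (parent.pid, e.image)))
    return findings


if __name__ == "__main__":
    for pid, tag, detail in hunt(EVENTS):
        print(pid, tag, detail)
```

The self-spawn check alone is noisy on real fleets (updaters and browsers do it), so treat it as a weak signal that gains weight when the same parent also registers a task from Temp; the Temp-XML task registration and the Wi-Fi profile enumeration are strong enough to alert on by themselves.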
Network
| Country | Destination | Domain | Proto |
| NL | 8.238.21.126:80 | | tcp |
| NL | 52.109.88.35:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 52.178.17.2:443 | | tcp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 188.114.96.0:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | mail.salujaford.in | udp |
| US | 199.101.134.84:587 | mail.salujaford.in | tcp |
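Turning the network tables of both runs into detections means separating the sample's own traffic (the two IP-lookup services and the TCP/587 connection to mail.salujaford.in) from resolver and background traffic. The script below is an added example, not part of the report: it parses the behavioral2 table as printed above, labels each row, and emits Suricata rules on the DNS query, HTTP Host, TLS SNI and SMTP submission flow (the dns.query, http.host and tls.sni sticky buffers need Suricata 5 or later). Treating the domain-less rows and the in-addr.arpa lookup as background noise, and reading port 587 as a mail-based exfiltration channel, are the example's assumptions, not statements from the report.

```python
"""Classify the report's network rows and emit Suricata rules (added example)."""
from collections import OrderedDict

# Rows copied from the behavioral2 network table in the report (domain cell blank
# where the report records none).
NETWORK_TABLE = """\
| NL | 8.238.21.126:80 | | tcp |
| NL | 52.109.88.35:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 52.178.17.2:443 | | tcp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 188.114.96.0:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | mail.salujaford.in | udp |
| US | 199.101.134.84:587 | mail.salujaford.in | tcp |
"""

IP_LOOKUP_SERVICES = {"checkip.dyndns.org", "freegeoip.app"}  # named in the report's signature


def parse_rows(table):
    """Return (country, ip, port, domain, proto) tuples, one per table row."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def classify(row):
    """Label one connection. The noise and SMTP-exfil readings are this example's assumptions."""
    _, ip, port, domain, proto = row
    if proto == "udp" and port == 53:
        return "rdns_noise" if domain.endswith(".in-addr.arpa") else "dns_query"
    if not domain:
        return "unattributed"      # no domain recorded: treated as background traffic here
    if domain in IP_LOOKUP_SERVICES:
        return "external_ip_lookup"
    if port == 587:
        return "smtp_submission"   # mail submission port: consistent with a mail exfil channel
    return "other"


def extract_iocs(rows):
    """Map each IOC domain to the labels seen for it; noise and unattributed rows are dropped."""
    iocs = OrderedDict()
    for row in rows:
        label = classify(row)
        if label in ("rdns_noise", "unattributed", "other"):
            continue
        iocs.setdefault(row[3], set()).add(label)
    return iocs


def suricata_rules(rows, sid_base=1000001):
    """One rule per actionable row: DNS name, HTTP Host, TLS SNI or the SMTP submission flow."""
    rules, sid = [], sid_base
    for row in rows:
        label = classify(row)
        _, ip, port, domain, proto = row
        if label == "dns_query":
            rule = ('alert dns $HOME_NET any -> any any (msg:"Matiex DNS lookup %s"; '
                    'dns.query; content:"%s"; nocase; sid:%d; rev:1;)' % (domain, domain, sid))
        elif label == "external_ip_lookup" and port == 80:
            rule = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Matiex IP lookup via %s"; '
                    'flow:to_server,established; http.host; content:"%s"; nocase; sid:%d; rev:1;)'
                    % (domain, domain, sid))
        elif label == "external_ip_lookup" and port == 443:
            rule = ('alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Matiex IP lookup via %s"; '
                    'tls.sni; content:"%s"; nocase; sid:%d; rev:1;)' % (domain, domain, sid))
        elif label == "smtp_submission":
            rule = ('alert tcp $HOME_NET any -> %s %d (msg:"Matiex SMTP submission to %s"; '
                    'flow:to_server,established; sid:%d; rev:1;)' % (ip, port, domain, sid))
        else:
            continue
        rules.append(rule)
        sid += 1
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(parse_rows(NETWORK_TABLE)):
        print(rule)
```

The HTTP and TLS rules match on the name rather than the address on purpose: freegeoip.app resolved to 188.114.97.0 in the Windows 7 run and 188.114.96.0 here, so an address-pinned rule would already have missed one of the two detonations. The SMTP rule is the one place the example does pin an address, and it should be paired with the DNS rule for mail.salujaford.in so that a change of mail host still fires.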
Files
memory/432-130-0x0000000000E50000-0x0000000000F22000-memory.dmp
memory/432-131-0x0000000005EC0000-0x0000000006464000-memory.dmp
memory/432-132-0x0000000005910000-0x00000000059A2000-memory.dmp
memory/432-133-0x00000000058E0000-0x00000000058EA000-memory.dmp
memory/432-134-0x0000000007D60000-0x0000000007DFC000-memory.dmp
memory/4452-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC39E.tmp
| MD5 | 143bb0ac9098f64fc9d5ee7aa64f4ea3 |
| SHA1 | e82f6722d957c29c923d4916bbed6e7ed07c8d1c |
| SHA256 | 3cdea0c163d46980f01fbbee613a3c75bd0b0d8e94a4a8c1fb77240b6f217021 |
| SHA512 | acde8cd67572fd43e22d8e36e6e7bd4f6b9bb978f5c183f9ea8a0e98fd473e303a9906587132bb0ddf81f1f2370918f2568bb14c3b1d89ae09ffe06ed51b5a61 |
memory/2836-137-0x0000000000000000-mapping.dmp
memory/2836-138-0x0000000000400000-0x0000000000476000-memory.dmp
memory/2836-139-0x0000000005380000-0x00000000053E6000-memory.dmp
memory/2868-140-0x0000000000000000-mapping.dmp
memory/2836-141-0x0000000006720000-0x00000000068E2000-memory.dmp