matiex | f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8

General

Target

f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe
Size

595KB
MD5

e6bab12c7456216175a7ed7598d39b02
SHA1

525990e346d2708da8ef38dd0254e49f2c3330b6
SHA256

f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8
SHA512

b90c9d3e55b48d42e165bbe9d12217d2d4c31bcce5ec2590fd2bfb26e068d5dd8d8515eaa6b5e5b98f26e2066142c2a432bbea7ad1f955dfc9a916e3da98dcad

Score

10^/10

matiex collection keylogger stealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1402180145:AAG6hmg8QGRGiHQwRXC9wKOtIEyFy3aT6ms/sendMessage?chat_id=1299507057

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4548-136-0x0000000000410000-0x0000000000486000-memory.dmp	family_matiex

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 checkip.dyndns.org
10 freegeoip.app
11 freegeoip.app

flow	ioc
8	checkip.dyndns.org
10	freegeoip.app
11	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe

description	pid	process	target process
PID 4716 set thread context of 4548	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	MSBuild.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4240 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

4548 MSBuild.exe

pid	process
4240	schtasks.exe

pid	process
4548	MSBuild.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe

pid	process
4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe
4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 4548 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4548	MSBuild.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.execmd.exeMSBuild.exe

description	pid	process	target process
PID 4716 wrote to memory of 4276	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	cmd.exe
PID 4716 wrote to memory of 4276	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	cmd.exe
PID 4716 wrote to memory of 4276	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	cmd.exe
PID 4716 wrote to memory of 4176	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	cmd.exe
PID 4716 wrote to memory of 4176	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	cmd.exe
PID 4716 wrote to memory of 4176	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	cmd.exe
PID 4176 wrote to memory of 4240	4176	cmd.exe	schtasks.exe
PID 4176 wrote to memory of 4240	4176	cmd.exe	schtasks.exe
PID 4176 wrote to memory of 4240	4176	cmd.exe	schtasks.exe
PID 4716 wrote to memory of 4548	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	MSBuild.exe
PID 4716 wrote to memory of 4548	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	MSBuild.exe
PID 4716 wrote to memory of 4548	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	MSBuild.exe
PID 4716 wrote to memory of 4548	4716	f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe	MSBuild.exe
PID 4548 wrote to memory of 4344	4548	MSBuild.exe	netsh.exe
PID 4548 wrote to memory of 4344	4548	MSBuild.exe	netsh.exe
PID 4548 wrote to memory of 4344	4548	MSBuild.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe
"C:\Users\Admin\AppData\Local\Temp\f158a1e36c936286a10c2a463439b7d8b16271ca16838cc92ff2219541ecc8e8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"
3⤵
- Creates scheduled task(s)
PID:4240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4548

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml

Filesize
1KB

MD5
57e80c1cd83971b009db6462dec561e8

SHA1
9890fc3fc7b93bb9dce0c624486307cff2a26927

SHA256
e6cb647c0aee80cbac58f101ba47620657c8cd58f9a0aa91c6f8a4466e4ebc6f

SHA512
acc99eb56c615f669ef933c34ae86a1ba41a5ea5108a211de14107293d0bea7eb45e317bdb9b833b1262a1022fa4aa4462f4f3c6a19fa9481320dbb75ee41dd6

Download Submit
memory/4176-132-0x0000000000000000-mapping.dmp

Download
memory/4240-133-0x0000000000000000-mapping.dmp

Download
memory/4276-130-0x0000000000000000-mapping.dmp

Download
memory/4344-140-0x0000000000000000-mapping.dmp

Download
memory/4548-136-0x0000000000410000-0x0000000000486000-memory.dmp

Filesize
472KB

Download
memory/4548-135-0x0000000000000000-mapping.dmp

Download
memory/4548-137-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

Filesize
624KB

Download
memory/4548-138-0x0000000004B40000-0x0000000004BA6000-memory.dmp

Filesize
408KB

Download
memory/4548-139-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/4548-141-0x0000000005C00000-0x0000000005DC2000-memory.dmp

Filesize
1.8MB

Download
memory/4548-142-0x0000000005AD0000-0x0000000005B62000-memory.dmp

Filesize
584KB

Download
memory/4548-143-0x0000000005A30000-0x0000000005A3A000-memory.dmp

Filesize
40KB

Download
memory/4716-131-0x0000000000D10000-0x0000000000D3C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads