Malware Analysis Report

2024-10-18 23:03

Sample ID 220420-dgcwjaeffp
Target 23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a
SHA256 23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a
Tags
matiex collection keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a

Threat Level: Known bad

The file 23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a was found to be: Known bad.

Malicious Activity Summary

matiex collection keylogger stealer

Matiex Main Payload

Matiex

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-20 02:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-20 02:58

Reported

2022-04-20 03:16

Platform

win7-20220414-en

Max time kernel

141s

Max time network

42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

Signatures

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

(identical rows collapsed; Count is the number of times the original listing repeats the row)

Description Indicator Process Target Count
PID 2036 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2036 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1268 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2036 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 5
PID 2036 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe 4
PID 952 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\SysWOW64\cmd.exe 4
PID 952 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 5
PID 952 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe 4
PID 1596 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1596 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 5
PID 1596 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe 4
PID 1256 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1256 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 5
PID 1256 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe 4
PID 568 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\SysWOW64\cmd.exe 4

Processes

Each entry below is an image path followed by the command line it was started with, in the order recorded. On this Windows 7 run every copy of the sample runs cmd /c cls, starts MSBuild.exe with an empty command line and then launches a fresh copy of itself, which repeats the sequence. The scheduled task is registered once, by the first copy, from an XML definition written to the user's Temp directory. Neither the Matiex nor the SetThreadContext signature fired on this platform, and no dump of any kind appears for the MSBuild.exe PIDs in the table above (1704, 1508, 1196, 1428); compare the Windows 10 run below, where the payload does execute. The WriteProcessMemory table stops after five generations (PIDs 2036, 952, 1596, 1256, 568), but the dump list further down records the same 0xB10000-0xB3C000 region for nine sample PIDs (those five plus 1724, 1472, 1488 and 1672), matching the nine copies of the executable listed here.

C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

N/A

Files

memory/2036-54-0x0000000075C01000-0x0000000075C03000-memory.dmp

memory/1668-55-0x0000000000000000-mapping.dmp

memory/2036-56-0x0000000000B10000-0x0000000000B3C000-memory.dmp

memory/1268-57-0x0000000000000000-mapping.dmp

memory/860-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml

MD5 ffb76264697abd63336aaca3b388a942
SHA1 9488da856e01c993fe9f85daa45292f71d5c1dd4
SHA256 45cc5439202830bfa6d966bb907714a9da40bc259470ffb5da8842f39083e54a
SHA512 03d394f92d5cf18071151c793088f2b495381fe93d152ad19b5eee3c8507bd1257751dc58fa889ab8035aa5bfe5b85f8b6f2ef02813b6d0b1d2553f12ffca582

memory/952-60-0x0000000000000000-mapping.dmp

memory/1624-62-0x0000000000000000-mapping.dmp

memory/952-63-0x0000000000B10000-0x0000000000B3C000-memory.dmp

memory/1596-64-0x0000000000000000-mapping.dmp

memory/320-66-0x0000000000000000-mapping.dmp

memory/1596-67-0x0000000000B10000-0x0000000000B3C000-memory.dmp

memory/1256-68-0x0000000000000000-mapping.dmp

memory/1348-70-0x0000000000000000-mapping.dmp

memory/1256-71-0x0000000000B10000-0x0000000000B3C000-memory.dmp

memory/568-72-0x0000000000000000-mapping.dmp

memory/580-74-0x0000000000000000-mapping.dmp

memory/568-75-0x0000000000B10000-0x0000000000B3C000-memory.dmp

memory/1724-76-0x0000000000000000-mapping.dmp

memory/1740-78-0x0000000000000000-mapping.dmp

memory/1724-79-0x0000000000B10000-0x0000000000B3C000-memory.dmp

memory/1472-80-0x0000000000000000-mapping.dmp

memory/1532-82-0x0000000000000000-mapping.dmp

memory/1472-83-0x0000000000B10000-0x0000000000B3C000-memory.dmp

memory/1488-84-0x0000000000000000-mapping.dmp

memory/1652-86-0x0000000000000000-mapping.dmp

memory/1488-87-0x0000000000B10000-0x0000000000B3C000-memory.dmp

memory/1672-88-0x0000000000000000-mapping.dmp

memory/1116-90-0x0000000000000000-mapping.dmp

memory/1672-91-0x0000000000B10000-0x0000000000B3C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-20 02:58

Reported

2022-04-20 03:16

Platform

win10v2004-20220414-en

Max time kernel

127s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

Signatures

This Windows 10 run is the one in which the payload executes. The sample (PID 456) registers the scheduled task through cmd.exe, starts MSBuild.exe (PID 996) with an empty command line, writes into it and sets its thread context, the sequence characteristic of process hollowing. The Outlook-profile and SeDebugPrivilege signatures are attributed to MSBuild.exe rather than to the dropped file, so the stealer logic runs inside the hollowed host. PID 996 later crashes (the two WerFault.exe entries with -p 996 in the process list), which is the "Program crash" tag in the summary.

Matiex

stealer keylogger matiex

Matiex Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 456 set thread context of 996 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

(identical rows collapsed; Count is the number of times the original listing repeats the row)

Description Indicator Process Target Count
PID 456 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\SysWOW64\cmd.exe 3
PID 456 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4380 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 456 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 4

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
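The WriteProcessMemory tables of both runs (Windows 7 above, Windows 10 here) and the SetThreadContext row can be turned into a process lineage and an injection check mechanically. The Python below is an added example written for this page, not sandbox output or tooling from the report: it parses the signature rows as printed (paths shortened to basenames, repeats expressed as counts), rebuilds parent/child edges from the creation-time writes, measures how many times the sample relaunched itself, and flags a target as a hollowing candidate only when the same source both wrote into it and set its thread context. Treating the write bursts as process-creation edges, and the extra-write heuristic (a child receiving more writes than its siblings), are my assumptions, not signatures the sandbox uses.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"
MSBUILD = "MSBuild.exe"

def _rows(spec):
    """Expand (row, repeats) pairs into the flat list the report prints."""
    return [row for row, n in spec for _ in range(n)]

# Signature rows copied from this report, paths shortened to basenames; the
# number is how many times the report repeats the row.
WIN7_ROWS = _rows([
    (f"PID 2036 wrote to memory of 1668 N/A {SAMPLE} cmd.exe", 4),
    (f"PID 2036 wrote to memory of 1268 N/A {SAMPLE} cmd.exe", 4),
    ("PID 1268 wrote to memory of 860 N/A cmd.exe schtasks.exe", 4),
    (f"PID 2036 wrote to memory of 1704 N/A {SAMPLE} {MSBUILD}", 5),
    (f"PID 2036 wrote to memory of 952 N/A {SAMPLE} {SAMPLE}", 4),
    (f"PID 952 wrote to memory of 1624 N/A {SAMPLE} cmd.exe", 4),
    (f"PID 952 wrote to memory of 1508 N/A {SAMPLE} {MSBUILD}", 5),
    (f"PID 952 wrote to memory of 1596 N/A {SAMPLE} {SAMPLE}", 4),
    (f"PID 1596 wrote to memory of 320 N/A {SAMPLE} cmd.exe", 4),
    (f"PID 1596 wrote to memory of 1196 N/A {SAMPLE} {MSBUILD}", 5),
    (f"PID 1596 wrote to memory of 1256 N/A {SAMPLE} {SAMPLE}", 4),
    (f"PID 1256 wrote to memory of 1348 N/A {SAMPLE} cmd.exe", 4),
    (f"PID 1256 wrote to memory of 1428 N/A {SAMPLE} {MSBUILD}", 5),
    (f"PID 1256 wrote to memory of 568 N/A {SAMPLE} {SAMPLE}", 4),
    (f"PID 568 wrote to memory of 580 N/A {SAMPLE} cmd.exe", 4),
])
WIN10_ROWS = _rows([
    (f"PID 456 wrote to memory of 4432 N/A {SAMPLE} cmd.exe", 3),
    (f"PID 456 wrote to memory of 4380 N/A {SAMPLE} cmd.exe", 3),
    ("PID 4380 wrote to memory of 3976 N/A cmd.exe schtasks.exe", 3),
    (f"PID 456 wrote to memory of 996 N/A {SAMPLE} {MSBUILD}", 4),
    (f"PID 456 set thread context of 996 N/A {SAMPLE} {MSBUILD}", 1),
])

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")

def parse_rows(rows):
    """Counter keyed by (op, src pid, dst pid, src image, dst image)."""
    events = Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised signature row: {row!r}")
        events[(m["op"], int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])] += 1
    return events

def children(events):
    """parent pid -> {child pid: (child image, write count)}. Assumption: the
    sandbox logs a burst of writes whenever a process creates a child, so the
    'wrote to memory of' rows double as process-creation edges."""
    tree = defaultdict(dict)
    for (op, src, dst, _si, dst_img), n in events.items():
        if op == "wrote to memory of":
            tree[src][dst] = (dst_img, n)
    return tree

def roots(tree):
    """Sources that are never a target: the initial process of each run."""
    targets = {c for kids in tree.values() for c in kids}
    return sorted(p for p in tree if p not in targets)

def self_relaunch_depth(tree, root, image):
    """Follow root -> child with the same image -> ... and return how many
    further generations of that executable were spawned."""
    depth, pid = 0, root
    while True:
        same = [c for c, (img, _n) in tree.get(pid, {}).items() if img == image]
        if not same:
            return depth
        depth, pid = depth + 1, same[0]

def hollowing_candidates(events):
    """(src, dst, dst image) where src both wrote into dst and set a thread
    context in it: the write-then-redirect sequence of process hollowing.
    A write alone is creation-time noise and is deliberately not enough."""
    writes = {(s, d, img) for (op, s, d, _si, img) in events if op == "wrote to memory of"}
    ctx = {(s, d, img) for (op, s, d, _si, img) in events if op == "set thread context of"}
    return writes & ctx

def extra_write_targets(tree):
    """Heuristic (mine, not a sandbox signature): a child that received more
    writes than its siblings got something beyond the creation-time writes."""
    flagged = set()
    for parent, kids in tree.items():
        if len(kids) < 2:
            continue
        baseline = min(n for _img, n in kids.values())
        flagged |= {(parent, c, img) for c, (img, n) in kids.items() if n > baseline}
    return flagged

if __name__ == "__main__":
    for name, rows in (("win7", WIN7_ROWS), ("win10", WIN10_ROWS)):
        ev = parse_rows(rows)
        tree = children(ev)
        root = roots(tree)[0]
        print(name, "root", root, "relaunches", self_relaunch_depth(tree, root, SAMPLE),
              "hollowing", sorted(hollowing_candidates(ev)),
              "extra writes", sorted(extra_write_targets(tree)))
```

On the Windows 7 rows the hollowing check returns nothing, but the extra-write heuristic singles out every MSBuild.exe child (5 writes against 4 for its siblings); on the Windows 10 rows both checks agree on PID 996. The relaunch depth of 4 reflects only the five generations the truncated table shows.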

Processes

C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe

"C:\Users\Admin\AppData\Local\Temp\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 996 -ip 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 2100
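The command lines in the process lists of both runs carry enough on their own to write host-side rules against. The Python below is an added example, not part of the report or of any vendor tooling: it tokenises the distinct command lines from both runs (constructed records; the parents are taken from the WriteProcessMemory rows, and the parent of WerFault.exe, which the report does not give, is left as None) and applies four rules: a scheduled task created from an XML file under C:\Users, an injection-host binary such as MSBuild.exe started with no arguments by a process running from a user directory, an executable in a user directory starting a copy of itself, and WerFault.exe naming a crashed PID. The host binaries listed beyond MSBuild.exe are my assumption.

```python
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\23a7c274f2cc0869be588d6ab18edda7b6e6092a80d62c5c782b4f7d6a2a747a.exe")
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml"

# Constructed (parent image, image, command line) records: the distinct
# entries from both process lists of this report. Parents come from the
# WriteProcessMemory rows; WerFault.exe's parent is not recorded there.
RECORDS = [
    (SAMPLE, CMD, r"C:\Windows\system32\cmd.exe /c cls"),
    (SAMPLE, CMD, f'cmd /c schtasks /Create /TN name /XML "{TASK_XML}"'),
    (CMD, r"C:\Windows\SysWOW64\schtasks.exe", f'schtasks /Create /TN name /XML "{TASK_XML}"'),
    (SAMPLE, MSBUILD, f'"{MSBUILD}"'),
    (SAMPLE, SAMPLE, f'"{SAMPLE}"'),
    (None, WERFAULT, f"{WERFAULT} -pss -s 408 -p 996 -ip 996"),
    (None, WERFAULT, f"{WERFAULT} -u -p 996 -s 2100"),
]

USER_DIR = re.compile(r"^[a-z]:\\users\\", re.I)
# Signed Microsoft binaries commonly used to host injected code. Only
# MSBuild.exe appears in this report; the others are assumed additions.
LOLBIN_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "aspnet_compiler.exe"}

def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def _flag_value(toks, flag):
    """Value following a flag such as /XML or -p (case-insensitive), or None."""
    low = [t.lower() for t in toks]
    i = low.index(flag.lower()) if flag.lower() in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None

def schtasks_xml_task(cmdline):
    """(task name, xml path) if the line registers a task from an XML file."""
    toks = tokens(cmdline)
    names = {ntpath.basename(t).lower() for t in toks}
    if not names & {"schtasks", "schtasks.exe"} or "/create" not in {t.lower() for t in toks}:
        return None
    name, xml = _flag_value(toks, "/TN"), _flag_value(toks, "/XML")
    return (name, xml) if name and xml else None

def bare_lolbin_launch(parent, image, cmdline):
    """True when a known injection-host binary starts with no arguments from
    a parent in a user-writable directory; a real build never starts
    MSBuild.exe with an empty argument list."""
    return (ntpath.basename(image).lower() in LOLBIN_HOSTS
            and len(tokens(cmdline)) == 1
            and parent is not None and bool(USER_DIR.match(parent)))

def werfault_pid(cmdline):
    """PID named by WerFault.exe's -p argument, i.e. the crashed process."""
    toks = tokens(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() != "werfault.exe":
        return None
    pid = _flag_value(toks, "-p")
    return int(pid) if pid and pid.isdigit() else None

def triage(records):
    """Apply the rules above; returns (rule, image, detail) findings."""
    findings = []
    for parent, image, cmdline in records:
        task = schtasks_xml_task(cmdline)
        if task and USER_DIR.match(task[1]):
            findings.append(("task-from-user-xml", image, task))
        if bare_lolbin_launch(parent, image, cmdline):
            findings.append(("bare-lolbin-launch", image, parent))
        if parent and parent.lower() == image.lower() and USER_DIR.match(image):
            findings.append(("self-respawn-from-user-dir", image, parent))
        pid = werfault_pid(cmdline)
        if pid is not None:
            findings.append(("crash", image, pid))
    return findings

if __name__ == "__main__":
    for rule, image, detail in triage(RECORDS):
        print(f"{rule:28} {ntpath.basename(image):14} {detail}")
```

The cmd /c cls entries produce no finding, which is the point of rule-based triage on these lists: of the seven distinct command lines, six carry a signal and one is noise. The crash rule only becomes useful once the -p value is joined to the injection target from the signatures; here both name PID 996.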

Network

Country  Destination           Domain               Proto
NL       104.110.191.133:80    -                    tcp
US       8.8.8.8:53            checkip.dyndns.org   udp
US       158.101.44.242:80     checkip.dyndns.org   tcp
US       8.8.8.8:53            freegeoip.app        udp
US       188.114.96.0:443      freegeoip.app        tcp
US       20.189.173.13:443     -                    tcp
NL       104.110.191.133:80    -                    tcp
NL       104.110.191.133:80    -                    tcp
NL       95.101.78.209:80      -                    tcp

Only checkip.dyndns.org and freegeoip.app are tied to the sample, through the "Looks up external IP address via web service" signature. The rows without a domain are connections for which the report recorded no DNS name and no originating process, so they should be corroborated before being used as indicators.

Files

memory/4432-130-0x0000000000000000-mapping.dmp

memory/456-131-0x00000000008B0000-0x00000000008DC000-memory.dmp

memory/4380-132-0x0000000000000000-mapping.dmp

memory/3976-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\039462f71f604c9aaf15be88cc879815.xml

MD5 57e80c1cd83971b009db6462dec561e8
SHA1 9890fc3fc7b93bb9dce0c624486307cff2a26927
SHA256 e6cb647c0aee80cbac58f101ba47620657c8cd58f9a0aa91c6f8a4466e4ebc6f
SHA512 acc99eb56c615f669ef933c34ae86a1ba41a5ea5108a211de14107293d0bea7eb45e317bdb9b833b1262a1022fa4aa4462f4f3c6a19fa9481320dbb75ee41dd6

memory/996-135-0x0000000000000000-mapping.dmp

memory/996-136-0x0000000000400000-0x0000000000476000-memory.dmp

memory/996-137-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

memory/996-138-0x0000000004F70000-0x0000000004FD6000-memory.dmp

memory/996-139-0x0000000006420000-0x00000000069C4000-memory.dmp
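Which dump to pull for the unpacked payload can be read off the file names above. The Python below is an added example, not from the report: it parses the memory/<pid>-<seq>-<start>-<end>-memory.dmp and ...-mapping.dmp names listed for this run, groups the dumped regions per PID with their sizes, lists the PIDs for which nothing but a mapping entry exists, and picks, for the injected PID, the region that starts at 0x400000. Treating the mapping.dmp entries as carrying no process memory, and 0x400000 as the default image base of a 32-bit PE and therefore the place a hollowed host's replacement image lands, are my assumptions; confirm the candidate by checking for an MZ/PE header at the start of the dump before carving it.

```python
import re
from collections import defaultdict

# Dump file names copied from the behavioral2 Files list of this report.
WIN10_DUMPS = [
    "memory/4432-130-0x0000000000000000-mapping.dmp",
    "memory/456-131-0x00000000008B0000-0x00000000008DC000-memory.dmp",
    "memory/4380-132-0x0000000000000000-mapping.dmp",
    "memory/3976-133-0x0000000000000000-mapping.dmp",
    "memory/996-135-0x0000000000000000-mapping.dmp",
    "memory/996-136-0x0000000000400000-0x0000000000476000-memory.dmp",
    "memory/996-137-0x0000000004ED0000-0x0000000004F6C000-memory.dmp",
    "memory/996-138-0x0000000004F70000-0x0000000004FD6000-memory.dmp",
    "memory/996-139-0x0000000006420000-0x00000000069C4000-memory.dmp",
]

MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")

# Assumption: 0x400000 is the default image base of a 32-bit PE, so a region
# starting there inside an injected process is the candidate replacement
# image rather than one of the host's own modules.
DEFAULT_IMAGE_BASE = 0x400000

def parse_dump_name(name):
    """Split one dump file name into pid, sequence number, kind and range."""
    m = MEMORY_RE.match(name)
    if m:
        pid, seq, start, end = m.groups()
        return {"pid": int(pid), "seq": int(seq), "kind": "memory",
                "start": int(start, 16), "end": int(end, 16)}
    m = MAPPING_RE.match(name)
    if m:
        pid, seq, _ = m.groups()
        return {"pid": int(pid), "seq": int(seq), "kind": "mapping",
                "start": None, "end": None}
    raise ValueError(f"unrecognised dump name: {name!r}")

def regions_by_pid(names):
    """pid -> [(start, end)] for dumped memory regions, in report order."""
    regions = defaultdict(list)
    for d in map(parse_dump_name, names):
        if d["kind"] == "memory":
            regions[d["pid"]].append((d["start"], d["end"]))
    return dict(regions)

def pids_without_memory(names):
    """PIDs that only have a mapping entry: the sandbox saw them created but
    dumped no memory from them (here the cmd.exe and schtasks.exe children)."""
    seen, dumped = set(), set()
    for d in map(parse_dump_name, names):
        seen.add(d["pid"])
        if d["kind"] == "memory":
            dumped.add(d["pid"])
    return seen - dumped

def image_candidates(names, injected_pids):
    """Regions in injected processes that start at the default PE image base."""
    return [(pid, s, e) for pid, regs in regions_by_pid(names).items()
            if pid in injected_pids for s, e in regs if s == DEFAULT_IMAGE_BASE]

def largest_region(names, pid):
    """The biggest dumped region of a PID, or None if nothing was dumped."""
    return max(regions_by_pid(names).get(pid, []), key=lambda r: r[1] - r[0], default=None)

if __name__ == "__main__":
    for pid, regs in regions_by_pid(WIN10_DUMPS).items():
        for s, e in regs:
            print(f"pid {pid}: 0x{s:08X}-0x{e:08X} ({e - s:#x} bytes)")
    print("no memory dumped:", sorted(pids_without_memory(WIN10_DUMPS)))
    print("carve candidate:", image_candidates(WIN10_DUMPS, {996}))
```

For PID 996 the 0x400000-0x476000 region (0x76000 bytes) is the one to inspect first; the larger 0x6420000-0x69C4000 region is heap-sized and more likely working memory of the payload than its image. The sample's own process (456) has a single small region, consistent with the loader rather than the stealer living there.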