matiex | f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef

General

Target

f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
Size

995KB
MD5

05a8fd3356cef3603e257335d54b1804
SHA1

beea500b48ec4702359a2c7973fb0d29aecead28
SHA256

f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef
SHA512

4b4885209ec3b1d7dbcf6618cbbadd35eeede391cbd08fc0792166632fe320d8e9632437a85613c008703f700b41abeb18a575136c68a72cd3b56bce8b279870

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

C2

https://api.telegram.org/bot1329208090:AAED2kwCe6Uq4WmAg--eYiyQfDEc5qPX0D4/sendMessage?chat_id=1299117268

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1996-141-0x0000000000400000-0x0000000000472000-memory.dmp	family_matiex

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 checkip.dyndns.org

flow	ioc
34	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe

description	pid	process	target process
PID 3504 set thread context of 1996	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4408 schtasks.exe

pid	process
4408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe

pid	process
3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exef4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe

description	pid	process
Token: SeDebugPrivilege	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
Token: SeDebugPrivilege	1996	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe

C:\Users\Admin\AppData\Local\Temp\f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
"C:\Users\Admin\AppData\Local\Temp\f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EvvUebihf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4CC8.tmp"
2⤵
- Creates scheduled task(s)
PID:4408

C:\Users\Admin\AppData\Local\Temp\f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
"C:\Users\Admin\AppData\Local\Temp\f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe"
2⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
"C:\Users\Admin\AppData\Local\Temp\f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe"
2⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
"C:\Users\Admin\AppData\Local\Temp\f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe.log
Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4CC8.tmp
Filesize
1KB

MD5
814c12f4edda49bf412541e68af10116

SHA1
8b83022059f904b764edb96923df6d0496999649

SHA256
9b5582dc76af3d2b4893bbd8d179fa19be073d66d2699efbf74f6ae6046f887a

SHA512
d7e4ab6a6659e4a0043394b27e5ee6594280e4e5017a161b185cdd63634a94c6b5f1b36aab44fc650fb2d4713c038a7685691ee20c4b5594a20a9a1d05c82dee

Download Submit
memory/1996-143-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/1996-141-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1996-140-0x0000000000000000-mapping.dmp

Download
memory/2232-138-0x0000000000000000-mapping.dmp

Download
memory/3448-139-0x0000000000000000-mapping.dmp

Download
memory/3504-133-0x00000000071A0000-0x0000000007232000-memory.dmp

Filesize
584KB

Download
memory/3504-135-0x00000000073F0000-0x0000000007446000-memory.dmp

Filesize
344KB

Download
memory/3504-134-0x00000000070D0000-0x00000000070DA000-memory.dmp

Filesize
40KB

Download
memory/3504-130-0x0000000000160000-0x000000000025E000-memory.dmp

Filesize
1016KB

Download
memory/3504-132-0x0000000007750000-0x0000000007CF4000-memory.dmp

Filesize
5.6MB

Download
memory/3504-131-0x0000000007100000-0x000000000719C000-memory.dmp

Filesize
624KB

Download
memory/4408-136-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3504 wrote to memory of 4408	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	schtasks.exe
PID 3504 wrote to memory of 4408	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	schtasks.exe
PID 3504 wrote to memory of 4408	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	schtasks.exe
PID 3504 wrote to memory of 2232	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 2232	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 2232	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 3448	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 3448	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 3448	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 1996	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 1996	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 1996	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 1996	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 1996	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 1996	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 1996	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe
PID 3504 wrote to memory of 1996	3504	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe	f4b29519255e0d839cac6027463fc12016f0f94faa2c201901f516489ec9a0ef.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads