matiex | e3c1114b2db69d8480751fbaac9a517a3d7d4e5cd4d2175771968f9bdd778c42

General

Target

0908000090000.exe
Size

3.4MB
MD5

2b16401ac7e40343abde78deb36f0746
SHA1

6c441249071a590f6a1178cc276f87f8641c8cf4
SHA256

315e6e844a325bdbdbd68365d389adb3e31c55cf7323936f14f3e48f7e5f3014
SHA512

3ec8ac63db7b07b9a43b37f27cc80da7543baab0c259e25de2e92cc058427b385d4dc6aa91fc12cdd3b1d6d40c20df1a5c7731ec750a91770f98631c1840a9b8

Score

10^/10

matiex collection keylogger persistence spyware stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
srvc13.turhost.com
Port:
587
Username:
[email protected]
Password:
italik2015

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1660-59-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/1660-60-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/1660-62-0x000000000047023E-mapping.dmp	family_matiex
behavioral1/memory/1660-64-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/1660-61-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/1660-66-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0908000090000.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0908000090000.exe\""	0908000090000.exe

Drops startup file 2 IoCs

Processes:

0908000090000.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0908000090000.exe	0908000090000.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0908000090000.exe	0908000090000.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

0908000090000.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0908000090000.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0908000090000.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0908000090000.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0908000090000.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0908000090000.exe"	0908000090000.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\0908000090000.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0908000090000.exe"	0908000090000.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
8 freegeoip.app
9 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

0908000090000.exe

description pid process target process

PID 1668 set thread context of 1660 1668 0908000090000.exe 0908000090000.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

652 1660 WerFault.exe 0908000090000.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0908000090000.exe

description pid process

Token: SeDebugPrivilege 1660 0908000090000.exe

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

description	pid	process	target process
PID 1668 set thread context of 1660	1668	0908000090000.exe	0908000090000.exe

pid	pid_target	process	target process
652	1660	WerFault.exe	0908000090000.exe

description	pid	process
Token: SeDebugPrivilege	1660	0908000090000.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0908000090000.exe0908000090000.exe

description	pid	process	target process
PID 1668 wrote to memory of 1660	1668	0908000090000.exe	0908000090000.exe
PID 1668 wrote to memory of 1660	1668	0908000090000.exe	0908000090000.exe
PID 1668 wrote to memory of 1660	1668	0908000090000.exe	0908000090000.exe
PID 1668 wrote to memory of 1660	1668	0908000090000.exe	0908000090000.exe
PID 1668 wrote to memory of 1660	1668	0908000090000.exe	0908000090000.exe
PID 1668 wrote to memory of 1660	1668	0908000090000.exe	0908000090000.exe
PID 1668 wrote to memory of 1660	1668	0908000090000.exe	0908000090000.exe
PID 1668 wrote to memory of 1660	1668	0908000090000.exe	0908000090000.exe
PID 1668 wrote to memory of 1660	1668	0908000090000.exe	0908000090000.exe
PID 1660 wrote to memory of 652	1660	0908000090000.exe	WerFault.exe
PID 1660 wrote to memory of 652	1660	0908000090000.exe	WerFault.exe
PID 1660 wrote to memory of 652	1660	0908000090000.exe	WerFault.exe
PID 1660 wrote to memory of 652	1660	0908000090000.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

0908000090000.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0908000090000.exe

outlook_win_path 1 IoCs

Processes:

0908000090000.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0908000090000.exe

C:\Users\Admin\AppData\Local\Temp\0908000090000.exe
"C:\Users\Admin\AppData\Local\Temp\0908000090000.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\0908000090000.exe
  "C:\Users\Admin\AppData\Local\Temp\0908000090000.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1780
    3⤵
    - Program crash
    PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-68-0x0000000000000000-mapping.dmp

Download
memory/1660-56-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1660-57-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1660-59-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1660-60-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1660-62-0x000000000047023E-mapping.dmp

Download
memory/1660-64-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1660-61-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1660-66-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1660-67-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1668-54-0x0000000001270000-0x00000000015DE000-memory.dmp

Filesize
3.4MB

Download
memory/1668-55-0x0000000000BF0000-0x0000000000C72000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads