Analysis Overview
SHA256
7f5764844ab366849a5c4dc0c5b6af4fce6b96b1f8411a8b6e4484a418aaf1d7
Threat Level: Known bad
The file 7f5764844ab366849a5c4dc0c5b6af4fce6b96b1f8411a8b6e4484a418aaf1d7 was found to be: Known bad.
Malicious Activity Summary
Matiex Main Payload
Matiex
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Program crash
outlook_office_path
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-02 11:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-02 11:10
Reported
2022-05-02 11:13
Platform
win7-20220414-en
Max time kernel
146s
Max time network
45s
Command Line
Signatures
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-02 11:10
Reported
2022-05-02 11:13
Platform
win10v2004-20220414-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
Matiex
Matiex Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4248 set thread context of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\DEKONT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEKONT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEKONT.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4248 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\DEKONT.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4248 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\DEKONT.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4248 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\DEKONT.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4248 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\DEKONT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 4248 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\DEKONT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 4248 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\DEKONT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 4248 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\DEKONT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 204 -ip 204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1692
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.8:443 | | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 104.208.16.90:443 | | tcp |
| NL | 20.190.160.129:443 | | tcp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
Files