Overview

overview

10

Static

static

74e84e3c4b...ad.exe

windows7_x64

10

74e84e3c4b...ad.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    03-05-2022 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe

  • Size

    598KB

  • MD5

    4f4f40bd30268357f26125e00fa13983

  • SHA1

    230c64413c230a86db04197100daee8cd492e85c

  • SHA256

    74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

  • SHA512

    ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

Score
10/10
matiexcollectionkeyloggerpersistencestealer

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    mail.vizvec.com
  • Port:
    26
  • Username:
    [email protected]
  • Password:
    Domain123@

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 4 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
    "C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe" "C:\Users\Admin\AppData\Roaming\qip.exe"
      2⤵
        PID:1516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\qip.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:540
        • C:\Users\Admin\AppData\Roaming\qip.exe
          "C:\Users\Admin\AppData\Roaming\qip.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\qip.exe,"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:888
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\qip.exe,"
              5⤵
              • Modifies WinLogon for persistence
              PID:992
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Accesses Microsoft Outlook profiles
            • outlook_office_path
            • outlook_win_path
            PID:1300
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1324
              5⤵
              • Program crash
              PID:1636

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\qip.exe
      Filesize

      598KB

      MD5

      4f4f40bd30268357f26125e00fa13983

      SHA1

      230c64413c230a86db04197100daee8cd492e85c

      SHA256

      74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

      SHA512

      ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\qip.exe
      Filesize

      598KB

      MD5

      4f4f40bd30268357f26125e00fa13983

      SHA1

      230c64413c230a86db04197100daee8cd492e85c

      SHA256

      74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

      SHA512

      ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

      Download Submit
    • \Users\Admin\AppData\Roaming\qip.exe
      Filesize

      598KB

      MD5

      4f4f40bd30268357f26125e00fa13983

      SHA1

      230c64413c230a86db04197100daee8cd492e85c

      SHA256

      74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

      SHA512

      ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

      Download Submit
    • memory/540-60-0x0000000000000000-mapping.dmp
      Download
    • memory/888-67-0x0000000000000000-mapping.dmp
      Download
    • memory/992-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1016-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1016-69-0x00000000021B0000-0x00000000021C2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1016-65-0x0000000000130000-0x00000000001CC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1300-70-0x0000000000400000-0x0000000000474000-memory.dmp
      Filesize

      464KB

      Download
    • memory/1300-71-0x0000000000400000-0x0000000000474000-memory.dmp
      Filesize

      464KB

      Download
    • memory/1300-73-0x0000000000400000-0x0000000000474000-memory.dmp
      Filesize

      464KB

      Download
    • memory/1300-74-0x0000000000400000-0x0000000000474000-memory.dmp
      Filesize

      464KB

      Download
    • memory/1300-75-0x0000000000400000-0x0000000000474000-memory.dmp
      Filesize

      464KB

      Download
    • memory/1300-76-0x000000000046F04E-mapping.dmp
      Download
    • memory/1516-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1676-58-0x0000000000650000-0x000000000065C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1676-57-0x0000000000630000-0x0000000000654000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1676-56-0x00000000002D0000-0x00000000002F0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1676-55-0x0000000075761000-0x0000000075763000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1676-54-0x0000000000B30000-0x0000000000BCC000-memory.dmp
      Filesize

      624KB

      Download