matiex | 74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

General

Target

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
Size

598KB
MD5

4f4f40bd30268357f26125e00fa13983
SHA1

230c64413c230a86db04197100daee8cd492e85c
SHA256

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad
SHA512

ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

Score

10^/10

matiex collection keylogger persistence stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.vizvec.com
Port:
26
Username:
[email protected]
Password:
Domain123@

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1300-73-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex
behavioral1/memory/1300-74-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex
behavioral1/memory/1300-75-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex
behavioral1/memory/1300-76-0x000000000046F04E-mapping.dmp	family_matiex

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\qip.exe,"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

qip.exe

pid process

1016 qip.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

540 cmd.exe

pid	process
1016	qip.exe

pid	process
540	cmd.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

qip.exe

description pid process target process

PID 1016 set thread context of 1300 1016 qip.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1636 1300 WerFault.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exeqip.exe

pid process

1676 74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
1016 qip.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 1016 set thread context of 1300	1016	qip.exe	AppLaunch.exe

pid	pid_target	process	target process
1636	1300	WerFault.exe	AppLaunch.exe

pid	process
1676	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
1016	qip.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exeqip.exe

description	pid	process
Token: SeDebugPrivilege	1676	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
Token: SeDebugPrivilege	1016	qip.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.execmd.exeqip.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 1516	1676	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 1676 wrote to memory of 1516	1676	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 1676 wrote to memory of 1516	1676	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 1676 wrote to memory of 1516	1676	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 1676 wrote to memory of 540	1676	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 1676 wrote to memory of 540	1676	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 1676 wrote to memory of 540	1676	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 1676 wrote to memory of 540	1676	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 540 wrote to memory of 1016	540	cmd.exe	qip.exe
PID 540 wrote to memory of 1016	540	cmd.exe	qip.exe
PID 540 wrote to memory of 1016	540	cmd.exe	qip.exe
PID 540 wrote to memory of 1016	540	cmd.exe	qip.exe
PID 1016 wrote to memory of 888	1016	qip.exe	cmd.exe
PID 1016 wrote to memory of 888	1016	qip.exe	cmd.exe
PID 1016 wrote to memory of 888	1016	qip.exe	cmd.exe
PID 1016 wrote to memory of 888	1016	qip.exe	cmd.exe
PID 888 wrote to memory of 992	888	cmd.exe	reg.exe
PID 888 wrote to memory of 992	888	cmd.exe	reg.exe
PID 888 wrote to memory of 992	888	cmd.exe	reg.exe
PID 888 wrote to memory of 992	888	cmd.exe	reg.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe
PID 1016 wrote to memory of 1300	1016	qip.exe	AppLaunch.exe

outlook_office_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
"C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe" "C:\Users\Admin\AppData\Roaming\qip.exe"
  2⤵
  PID:1516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\qip.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Roaming\qip.exe
    "C:\Users\Admin\AppData\Roaming\qip.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\qip.exe,"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\qip.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:1300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1324
        5⤵
        Program crash
        
        PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\qip.exe

Filesize
598KB

MD5
4f4f40bd30268357f26125e00fa13983

SHA1
230c64413c230a86db04197100daee8cd492e85c

SHA256
74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

SHA512
ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

Download Submit
C:\Users\Admin\AppData\Roaming\qip.exe

Filesize
598KB

MD5
4f4f40bd30268357f26125e00fa13983

SHA1
230c64413c230a86db04197100daee8cd492e85c

SHA256
74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

SHA512
ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

Download Submit
\Users\Admin\AppData\Roaming\qip.exe

Filesize
598KB

MD5
4f4f40bd30268357f26125e00fa13983

SHA1
230c64413c230a86db04197100daee8cd492e85c

SHA256
74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

SHA512
ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

Download Submit
memory/540-60-0x0000000000000000-mapping.dmp

Download
memory/888-67-0x0000000000000000-mapping.dmp

Download
memory/992-68-0x0000000000000000-mapping.dmp

Download
memory/1016-63-0x0000000000000000-mapping.dmp

Download
memory/1016-69-0x00000000021B0000-0x00000000021C2000-memory.dmp

Filesize
72KB

Download
memory/1016-65-0x0000000000130000-0x00000000001CC000-memory.dmp

Filesize
624KB

Download
memory/1300-70-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1300-71-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1300-73-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1300-74-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1300-75-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1300-76-0x000000000046F04E-mapping.dmp

Download
memory/1516-59-0x0000000000000000-mapping.dmp

Download
memory/1676-58-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/1676-57-0x0000000000630000-0x0000000000654000-memory.dmp

Filesize
144KB

Download
memory/1676-56-0x00000000002D0000-0x00000000002F0000-memory.dmp

Filesize
128KB

Download
memory/1676-55-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1676-54-0x0000000000B30000-0x0000000000BCC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads