matiex | 74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

General

Target

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
Size

598KB
MD5

4f4f40bd30268357f26125e00fa13983
SHA1

230c64413c230a86db04197100daee8cd492e85c
SHA256

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad
SHA512

ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

Score

10^/10

matiex collection keylogger persistence stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.vizvec.com
Port:
26
Username:
[email protected]
Password:
Domain123@

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/804-147-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\qip.exe,"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

qip.exe

pid process

924 qip.exe

pid	process
924	qip.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exeqip.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	qip.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

69 checkip.dyndns.org
71 freegeoip.app
72 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

qip.exe

description pid process target process

PID 924 set thread context of 804 924 qip.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1096 804 WerFault.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exeqip.exe

pid process

4588 74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
924 qip.exe

flow	ioc
69	checkip.dyndns.org
71	freegeoip.app
72	freegeoip.app

description	pid	process	target process
PID 924 set thread context of 804	924	qip.exe	AppLaunch.exe

pid	pid_target	process	target process
1096	804	WerFault.exe	AppLaunch.exe

pid	process
4588	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
924	qip.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exeqip.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4588	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
Token: SeDebugPrivilege	924	qip.exe
Token: SeDebugPrivilege	804	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.execmd.exeqip.execmd.exe

description	pid	process	target process
PID 4588 wrote to memory of 3184	4588	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 4588 wrote to memory of 3184	4588	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 4588 wrote to memory of 3184	4588	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 4588 wrote to memory of 2124	4588	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 4588 wrote to memory of 2124	4588	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 4588 wrote to memory of 2124	4588	74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe	cmd.exe
PID 2124 wrote to memory of 924	2124	cmd.exe	qip.exe
PID 2124 wrote to memory of 924	2124	cmd.exe	qip.exe
PID 2124 wrote to memory of 924	2124	cmd.exe	qip.exe
PID 924 wrote to memory of 3208	924	qip.exe	cmd.exe
PID 924 wrote to memory of 3208	924	qip.exe	cmd.exe
PID 924 wrote to memory of 3208	924	qip.exe	cmd.exe
PID 3208 wrote to memory of 4544	3208	cmd.exe	reg.exe
PID 3208 wrote to memory of 4544	3208	cmd.exe	reg.exe
PID 3208 wrote to memory of 4544	3208	cmd.exe	reg.exe
PID 924 wrote to memory of 804	924	qip.exe	AppLaunch.exe
PID 924 wrote to memory of 804	924	qip.exe	AppLaunch.exe
PID 924 wrote to memory of 804	924	qip.exe	AppLaunch.exe
PID 924 wrote to memory of 804	924	qip.exe	AppLaunch.exe
PID 924 wrote to memory of 804	924	qip.exe	AppLaunch.exe
PID 924 wrote to memory of 804	924	qip.exe	AppLaunch.exe
PID 924 wrote to memory of 804	924	qip.exe	AppLaunch.exe
PID 924 wrote to memory of 804	924	qip.exe	AppLaunch.exe

outlook_office_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
"C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe" "C:\Users\Admin\AppData\Roaming\qip.exe"
  2⤵
  PID:3184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\qip.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Roaming\qip.exe
    "C:\Users\Admin\AppData\Roaming\qip.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\qip.exe,"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\qip.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:4544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1988
        5⤵
        Program crash
        
        PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 804 -ip 804
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\qip.exe

Filesize
598KB

MD5
4f4f40bd30268357f26125e00fa13983

SHA1
230c64413c230a86db04197100daee8cd492e85c

SHA256
74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

SHA512
ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

Download Submit
C:\Users\Admin\AppData\Roaming\qip.exe

Filesize
598KB

MD5
4f4f40bd30268357f26125e00fa13983

SHA1
230c64413c230a86db04197100daee8cd492e85c

SHA256
74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

SHA512
ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

Download Submit
memory/804-147-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/804-146-0x0000000000000000-mapping.dmp

Download
memory/924-145-0x0000000009DD0000-0x0000000009DF2000-memory.dmp

Filesize
136KB

Download
memory/924-140-0x0000000000000000-mapping.dmp

Download
memory/2124-139-0x0000000000000000-mapping.dmp

Download
memory/3184-138-0x0000000000000000-mapping.dmp

Download
memory/3208-143-0x0000000000000000-mapping.dmp

Download
memory/4544-144-0x0000000000000000-mapping.dmp

Download
memory/4588-130-0x0000000000510000-0x00000000005AC000-memory.dmp

Filesize
624KB

Download
memory/4588-137-0x0000000008E50000-0x0000000008E72000-memory.dmp

Filesize
136KB

Download
memory/4588-136-0x00000000095C0000-0x0000000009AEC000-memory.dmp

Filesize
5.2MB

Download
memory/4588-135-0x0000000008EC0000-0x0000000009082000-memory.dmp

Filesize
1.8MB

Download
memory/4588-134-0x00000000083A0000-0x0000000008406000-memory.dmp

Filesize
408KB

Download
memory/4588-133-0x0000000007F30000-0x0000000007FC2000-memory.dmp

Filesize
584KB

Download
memory/4588-132-0x0000000008440000-0x00000000089E4000-memory.dmp

Filesize
5.6MB

Download
memory/4588-131-0x0000000004F20000-0x0000000004FBC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads