Overview

overview

10

Static

static

74e84e3c4b...ad.exe

windows7_x64

10

74e84e3c4b...ad.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    111s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-05-2022 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe

  • Size

    598KB

  • MD5

    4f4f40bd30268357f26125e00fa13983

  • SHA1

    230c64413c230a86db04197100daee8cd492e85c

  • SHA256

    74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

  • SHA512

    ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

Score
10/10
matiexcollectionkeyloggerpersistencestealer

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    mail.vizvec.com
  • Port:
    26
  • Username:
    [email protected]
  • Password:
    Domain123@

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe
    "C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad.exe" "C:\Users\Admin\AppData\Roaming\qip.exe"
      2⤵
        PID:3184
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\qip.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Users\Admin\AppData\Roaming\qip.exe
          "C:\Users\Admin\AppData\Roaming\qip.exe"
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:924
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\qip.exe,"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3208
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\qip.exe,"
              5⤵
              • Modifies WinLogon for persistence
              PID:4544
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:804
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1988
              5⤵
              • Program crash
              PID:1096
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 804 -ip 804
      1⤵
        PID:3912

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\qip.exe
        Filesize

        598KB

        MD5

        4f4f40bd30268357f26125e00fa13983

        SHA1

        230c64413c230a86db04197100daee8cd492e85c

        SHA256

        74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

        SHA512

        ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\qip.exe
        Filesize

        598KB

        MD5

        4f4f40bd30268357f26125e00fa13983

        SHA1

        230c64413c230a86db04197100daee8cd492e85c

        SHA256

        74e84e3c4b722fc24d404ff538e64b7d3f686fd162080f2bddd7af51d71b5bad

        SHA512

        ecd1105038b353b3a47de0e5c856939ea2284825aa9c0179c666b850addfc09c4297d3d130b7d618b2d2506558b617f0f4f7a02c6768491819dbe68cee0a641f

        Download Submit
      • memory/804-147-0x0000000000400000-0x0000000000474000-memory.dmp
        Filesize

        464KB

        Download
      • memory/804-146-0x0000000000000000-mapping.dmp
        Download
      • memory/924-145-0x0000000009DD0000-0x0000000009DF2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/924-140-0x0000000000000000-mapping.dmp
        Download
      • memory/2124-139-0x0000000000000000-mapping.dmp
        Download
      • memory/3184-138-0x0000000000000000-mapping.dmp
        Download
      • memory/3208-143-0x0000000000000000-mapping.dmp
        Download
      • memory/4544-144-0x0000000000000000-mapping.dmp
        Download
      • memory/4588-130-0x0000000000510000-0x00000000005AC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4588-137-0x0000000008E50000-0x0000000008E72000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4588-136-0x00000000095C0000-0x0000000009AEC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/4588-135-0x0000000008EC0000-0x0000000009082000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4588-134-0x00000000083A0000-0x0000000008406000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4588-133-0x0000000007F30000-0x0000000007FC2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4588-132-0x0000000008440000-0x00000000089E4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4588-131-0x0000000004F20000-0x0000000004FBC000-memory.dmp
        Filesize

        624KB

        Download