Overview

overview

10

Static

static

PO.exe

windows7_x64

10

PO.exe

windows10-2004_x64

10

new PO.exe

windows7_x64

3

new PO.exe

windows10-2004_x64

3

req.exe

windows7_x64

3

req.exe

windows10-2004_x64

3

Analysis

  • max time kernel
    145s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO.exe

  • Size

    1.6MB

  • MD5

    e34037661a1608c722e5264797b2eecf

  • SHA1

    2c02034a6d91d9e2b21504a4bec82ec36d7bdd5d

  • SHA256

    fc1ca8b0fe8eab2d98c0f0e7ad37108f836fff77b50e393cf5dee61b7e4e6eb0

  • SHA512

    4fec9aa1afe6a414a18998dd2bb867599330baef5fce02f553823f372b7d81a4006287daefc96a8fa197fe579989ec49d1c73c5034d1c48317e3f4d70e5d44df

Score
10/10
matiexcollectionkeyloggerpersistencespywarestealer

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    mail.indiaflanges.com
  • Port:
    587
  • Username:
    mum@indiaflanges.com
  • Password:
    indflng&#%321

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Drops startup file 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3892
    • C:\Users\Admin\AppData\Local\Temp\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\PO.exe"
      2⤵
        PID:1172
      • C:\Users\Admin\AppData\Local\Temp\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\PO.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:5080
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1712
          3⤵
          • Program crash
          PID:648
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 5080 -ip 5080
      1⤵
        PID:3392

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log
        Filesize

        1KB

        MD5

        5e0481f7489586ad6ae78d35e8458859

        SHA1

        626e76ef7c85ea8ac9a73cfb13fbf450a4dfd26d

        SHA256

        d2ebbffea1f8401bcbe56591b9e566fd40a55463464ebf30f24c4be8fd2716ec

        SHA512

        b15301044d3862c07cbe72114c7b9792a2d345312236bac51831a6a6bf4a77acbc047b3dff030cff706d5de194679ee33e283b9c9c38c4e7785a653cc4674b36

        Download Submit
      • memory/1172-150-0x0000000000000000-mapping.dmp
        Download
      • memory/2164-130-0x0000000000590000-0x000000000072E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2164-131-0x0000000005090000-0x000000000512C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2164-132-0x00000000057A0000-0x0000000005D44000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3892-142-0x00000000063A0000-0x00000000063BE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3892-144-0x00000000070E0000-0x00000000070FA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3892-137-0x0000000005660000-0x00000000056C6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3892-138-0x0000000005740000-0x00000000057A6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3892-139-0x0000000005DE0000-0x0000000005DFE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3892-140-0x0000000006D90000-0x0000000006DC2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/3892-141-0x00000000704F0000-0x000000007053C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3892-135-0x0000000004EC0000-0x00000000054E8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3892-143-0x0000000007720000-0x0000000007D9A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3892-136-0x0000000004DC0000-0x0000000004DE2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3892-145-0x0000000007150000-0x000000000715A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3892-146-0x0000000007360000-0x00000000073F6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/3892-147-0x0000000007310000-0x000000000731E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/3892-148-0x0000000007420000-0x000000000743A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3892-149-0x0000000007400000-0x0000000007408000-memory.dmp
        Filesize

        32KB

        Download
      • memory/3892-134-0x00000000024A0000-0x00000000024D6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/3892-133-0x0000000000000000-mapping.dmp
        Download
      • memory/5080-152-0x0000000000400000-0x0000000000470000-memory.dmp
        Filesize

        448KB

        Download
      • memory/5080-151-0x0000000000000000-mapping.dmp
        Download
      • memory/5080-154-0x0000000006890000-0x0000000006A52000-memory.dmp
        Filesize

        1.8MB

        Download