Overview

overview

10

Static

static

Payment receipt.exe

windows7_x64

10

Payment receipt.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment receipt.exe

  • Size

    4.9MB

  • MD5

    21ce722319d2e436a23302c488c8e474

  • SHA1

    8926922f8a66a95200513918c5370b3bef143be9

  • SHA256

    c9e3b73cd0bfb2a80b1ac9b3e45272975bdac5ed76ac3f9a5a2e963d82370cca

  • SHA512

    2fe3408605227f45b4cd11e2eb502aa9806665433c3144c93c0c2ef4580de9d755602f232d83c111b9d7e5399c8f080743abda332a77ae107842bac1910df0d7

Score
10/10
matiexcollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:     smtp
  • Host:
    SMTP.privateemail.com
  • Port:
    587
  • Username:
    mentorloz@returntolz.com
  • Password:
    Aboki@1234

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5108
    • C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment receipt.exe.log
    Filesize

    617B

    MD5

    99e770c0d4043aa84ef3d3cbc7723c25

    SHA1

    19829c5c413fccba750a3357f938dfa94486acad

    SHA256

    33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

    SHA512

    ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

    Download Submit
  • memory/452-155-0x0000000006FC0000-0x0000000006FCA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/452-154-0x0000000006FE0000-0x0000000007072000-memory.dmp
    Filesize

    584KB

    Download
  • memory/452-153-0x0000000007110000-0x00000000072D2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/452-151-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/452-150-0x0000000000000000-mapping.dmp
    Download
  • memory/2240-130-0x0000000000900000-0x0000000000DF8000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2240-131-0x00000000057C0000-0x000000000585C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2240-132-0x0000000005F40000-0x00000000064E4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/5108-141-0x00000000703D0000-0x000000007041C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/5108-148-0x00000000079B0000-0x00000000079CA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/5108-142-0x0000000006920000-0x000000000693E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/5108-139-0x0000000006370000-0x000000000638E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/5108-144-0x0000000007660000-0x000000000767A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/5108-143-0x0000000007D10000-0x000000000838A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/5108-145-0x00000000076E0000-0x00000000076EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/5108-146-0x00000000078F0000-0x0000000007986000-memory.dmp
    Filesize

    600KB

    Download
  • memory/5108-147-0x00000000078A0000-0x00000000078AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/5108-140-0x0000000006940000-0x0000000006972000-memory.dmp
    Filesize

    200KB

    Download
  • memory/5108-149-0x0000000007990000-0x0000000007998000-memory.dmp
    Filesize

    32KB

    Download
  • memory/5108-138-0x0000000005D70000-0x0000000005DD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/5108-137-0x0000000005C90000-0x0000000005CF6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/5108-136-0x0000000005AF0000-0x0000000005B12000-memory.dmp
    Filesize

    136KB

    Download
  • memory/5108-135-0x00000000054C0000-0x0000000005AE8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/5108-134-0x0000000004D90000-0x0000000004DC6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/5108-133-0x0000000000000000-mapping.dmp
    Download