Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 14:15
General
-
Target
Payment receipt.exe
-
Size
671KB
-
MD5
0343e00e87bd5dd10cbef80152e17f2d
-
SHA1
8729e1834549808a2aeff2282389d6824848214e
-
SHA256
301994867e5c9fc93d3245e9736f95e9939af96d0a60d7b01ab22d50f6bf40d0
-
SHA512
7ff6bf2e3e1a0ae831470852e3bf2ed1fe05eabb0c33441b80cec957574eec2085a18f133199b730ae04fc636b322556e8f352199b5c615108df5e28d6e9df2a
Score
10/10
Malware Config
Extracted
Family
matiex
Credentials
Protocol: smtp- Host:
SMTP.privateemail.com - Port:
587 - Username:
mentorloz@returntolz.com - Password:
Aboki@1234
Signatures
-
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
-
Matiex Main Payload 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 17243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2708 -ip 27081⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2484-131-0x0000000000400000-0x00000000004AE000-memory.dmpFilesize
696KB
-
memory/2708-130-0x0000000000000000-mapping.dmp
-
memory/2708-132-0x0000000000A80000-0x0000000000AF0000-memory.dmpFilesize
448KB
-
memory/2708-133-0x0000000000A80000-0x0000000000AF0000-memory.dmpFilesize
448KB
-
memory/2708-134-0x0000000004AE0000-0x0000000004B7C000-memory.dmpFilesize
624KB
-
memory/2708-135-0x0000000004B80000-0x0000000005124000-memory.dmpFilesize
5.6MB
-
memory/2708-136-0x0000000005130000-0x0000000005196000-memory.dmpFilesize
408KB
-
memory/2708-137-0x0000000005F70000-0x0000000006132000-memory.dmpFilesize
1.8MB