matiex | 36b528e4f6149823bcc3309fe9a95334ea98c14037dfe95dd1d68b506eb4962e

General

Target

Quotation #257&439.exe
Size

330KB
MD5

78ecb4ae45b1ac19a3f0295811eacea0
SHA1

3fae2cdcbfa40c6937be2b84e4f0044c9efcacc6
SHA256

f8113167cfaf623d5c08b33685577743fb96bd3daca2cd915d8b3efe81ad3a8b
SHA512

dea32cc4e7515b271a5ba8094a955577ab3f0f115654afa70e984da104a2061e3016c847952b3a8a57d363b919a61f1a39a2945dab5da9008283bcb1a2f18a8b

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
welcome@100

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-138-0x0000000000400000-0x0000000000474000-memory.dmp	family_matiex

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Quotation #257&439.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Quotation #257&439.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 checkip.dyndns.org
41 freegeoip.app
42 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation #257&439.exe

description pid process target process

PID 3128 set thread context of 1492 3128 Quotation #257&439.exe Quotation #257&439.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1848 1492 WerFault.exe Quotation #257&439.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5008 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Quotation #257&439.exe

pid process

3128 Quotation #257&439.exe
3128 Quotation #257&439.exe
3128 Quotation #257&439.exe
3128 Quotation #257&439.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Quotation #257&439.exe

pid process

1492 Quotation #257&439.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Quotation #257&439.exeQuotation #257&439.exe

description pid process

Token: SeDebugPrivilege 3128 Quotation #257&439.exe
Token: SeDebugPrivilege 1492 Quotation #257&439.exe

flow	ioc
39	checkip.dyndns.org
41	freegeoip.app
42	freegeoip.app

description	pid	process	target process
PID 3128 set thread context of 1492	3128	Quotation #257&439.exe	Quotation #257&439.exe

pid	pid_target	process	target process
1848	1492	WerFault.exe	Quotation #257&439.exe

pid	process
5008	schtasks.exe

pid	process
3128	Quotation #257&439.exe
3128	Quotation #257&439.exe
3128	Quotation #257&439.exe
3128	Quotation #257&439.exe

pid	process
1492	Quotation #257&439.exe

description	pid	process
Token: SeDebugPrivilege	3128	Quotation #257&439.exe
Token: SeDebugPrivilege	1492	Quotation #257&439.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Quotation #257&439.exe

description	pid	process	target process
PID 3128 wrote to memory of 5008	3128	Quotation #257&439.exe	schtasks.exe
PID 3128 wrote to memory of 5008	3128	Quotation #257&439.exe	schtasks.exe
PID 3128 wrote to memory of 5008	3128	Quotation #257&439.exe	schtasks.exe
PID 3128 wrote to memory of 1492	3128	Quotation #257&439.exe	Quotation #257&439.exe
PID 3128 wrote to memory of 1492	3128	Quotation #257&439.exe	Quotation #257&439.exe
PID 3128 wrote to memory of 1492	3128	Quotation #257&439.exe	Quotation #257&439.exe
PID 3128 wrote to memory of 1492	3128	Quotation #257&439.exe	Quotation #257&439.exe
PID 3128 wrote to memory of 1492	3128	Quotation #257&439.exe	Quotation #257&439.exe
PID 3128 wrote to memory of 1492	3128	Quotation #257&439.exe	Quotation #257&439.exe
PID 3128 wrote to memory of 1492	3128	Quotation #257&439.exe	Quotation #257&439.exe
PID 3128 wrote to memory of 1492	3128	Quotation #257&439.exe	Quotation #257&439.exe

C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HjFLPuWSHUVJV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:5008
- C:\Users\Admin\AppData\Local\Temp\Quotation #257&439.exe
  "{path}"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 2012
    3⤵
    - Program crash
    PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1492 -ip 1492
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation #257&439.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp

Filesize
1KB

MD5
a6a77d0f7a40844203987eee02084370

SHA1
38e6500ebf749723859ef07445d709da285cda95

SHA256
43d3e2049485648a87ef8f64447b7d5a6d8111f3204a75fea0652517c382afe2

SHA512
b6db6942f995c864b2c8c9824d67ec4ea1a7012013e6582821d09ea4bc63ceda936562dd068816a3cef99361c47f637634c63d0de00768c6d4b0f6e5b22fad7a

Download Submit
memory/1492-137-0x0000000000000000-mapping.dmp

Download
memory/1492-138-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1492-140-0x00000000050B0000-0x0000000005116000-memory.dmp

Filesize
408KB

Download
memory/3128-130-0x0000000000430000-0x0000000000488000-memory.dmp

Filesize
352KB

Download
memory/3128-131-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/3128-132-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/3128-133-0x0000000004E30000-0x0000000004E3A000-memory.dmp

Filesize
40KB

Download
memory/3128-134-0x0000000008750000-0x00000000087EC000-memory.dmp

Filesize
624KB

Download
memory/5008-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads