matiex | 2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334

General

Target

2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe
Size

1.1MB
MD5

ef749ac5b73c61943d9447890bcb1ca6
SHA1

cf2336e5a6d51ee51c443c758c4dc1ce833dee85
SHA256

2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334
SHA512

ecaccbc11f257e81c4261b1397162b9ab6374eba2f1503183a554c6b71b1aa0cc56d948850fba234d9eafa981a2b27ac75e0eb157be720e9b0ec1cdab44f130e

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
mail.gschofield.com
Port:
587
Username:
gschofield@gschofield.com
Password:
gaston1955
Email To:
managerjames001@outlook.com

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2044-139-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 checkip.dyndns.org

flow	ioc
34	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe

description	pid	process	target process
PID 968 set thread context of 2044	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4116 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe

description pid process

Token: SeDebugPrivilege 2044 2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe

pid	process
4116	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2044	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe

description	pid	process	target process
PID 968 wrote to memory of 4116	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	schtasks.exe
PID 968 wrote to memory of 4116	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	schtasks.exe
PID 968 wrote to memory of 4116	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	schtasks.exe
PID 968 wrote to memory of 2044	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe
PID 968 wrote to memory of 2044	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe
PID 968 wrote to memory of 2044	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe
PID 968 wrote to memory of 2044	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe
PID 968 wrote to memory of 2044	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe
PID 968 wrote to memory of 2044	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe
PID 968 wrote to memory of 2044	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe
PID 968 wrote to memory of 2044	968	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe	2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe

C:\Users\Admin\AppData\Local\Temp\2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe
"C:\Users\Admin\AppData\Local\Temp\2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvIsqP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9EE.tmp"
2⤵
- Creates scheduled task(s)
PID:4116

C:\Users\Admin\AppData\Local\Temp\2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe
"C:\Users\Admin\AppData\Local\Temp\2d6bdc4526934ff8ba05addc48061c18b6b4153f0d164f3a9fc88bcb63957334.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9EE.tmp
Filesize
1KB

MD5
8e58de273b5bc03e2236bd7ca519f396

SHA1
86c3df481b2565a011dd6cee79f377dfff4fa199

SHA256
0181513a460d178c4d89bd8cb5a8f45e274f5b1ba6575ddc92492a3da54ef40e

SHA512
9ecca7732a76a3fb910143afde19c4c9e578c31b74b67614c90eebd105bbf4060825603a3f5b8f089fc5156cdd90570d4d85373ffd5abd755576fdedf23dda22

Download Submit
memory/968-130-0x00000000001E0000-0x0000000000306000-memory.dmp

Filesize
1.1MB

Download
memory/968-131-0x0000000004C70000-0x0000000004D0C000-memory.dmp

Filesize
624KB

Download
memory/968-132-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/968-133-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/968-134-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/968-135-0x0000000004FE0000-0x0000000005036000-memory.dmp

Filesize
344KB

Download
memory/2044-138-0x0000000000000000-mapping.dmp

Download
memory/2044-139-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2044-140-0x0000000005110000-0x0000000005176000-memory.dmp

Filesize
408KB

Download
memory/4116-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads