matiex | 9964f9212756726e0d408494d9f8535d2e8c38698415bc6d51fa65ac6b2e7b15

General

Target

9964f9212756726e0d408494d9f8535d2e8c38698415bc6d51fa65ac6b2e7b15.exe
Size

600KB
MD5

5799475fff1d04852a9554602b8f77d0
SHA1

031174b3ab416f24e7cae3b1f7f9e0ec6b93e750
SHA256

9964f9212756726e0d408494d9f8535d2e8c38698415bc6d51fa65ac6b2e7b15
SHA512

4d82c1cd5eceaddadbc3a7d5ca68d467de1b06a970842864fab94c965f8cb9ec8d1c70719bbd08f005edc628e20d8b8fbcce8de7afb67bb49907be0fb3d38fbd
SSDEEP

12288:ln/B3hN4SuIZYO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHL:lnB47IZYZlT+lQTD/O3BArRCHL

Score

10^/10

matiex collection keylogger persistence spyware stealer upx

Malware Config

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5028-142-0x0000000000400000-0x000000000048A000-memory.dmp	family_matiex

Executes dropped EXE 2 IoCs

Processes:

uhywaxbj.exeuhywaxbj.exe

pid process

816 uhywaxbj.exe
5028 uhywaxbj.exe

pid	process
816	uhywaxbj.exe
5028	uhywaxbj.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5028-142-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

uhywaxbj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	uhywaxbj.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	uhywaxbj.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	uhywaxbj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uhywaxbj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhbbq = "C:\\Users\\Admin\\AppData\\Roaming\\eayaxcqkdieui\\agvsyjciptyuwl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\uhywaxbj.exe\" \"C:\\Users\\Admin\\A"	uhywaxbj.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 checkip.dyndns.org
13 freegeoip.app
14 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

uhywaxbj.exe

description pid process target process

PID 816 set thread context of 5028 816 uhywaxbj.exe uhywaxbj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1672 5028 WerFault.exe uhywaxbj.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

uhywaxbj.exe

pid process

816 uhywaxbj.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uhywaxbj.exe

description pid process

Token: SeDebugPrivilege 5028 uhywaxbj.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

uhywaxbj.exe

pid process

816 uhywaxbj.exe
816 uhywaxbj.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

uhywaxbj.exe

pid process

816 uhywaxbj.exe
816 uhywaxbj.exe

flow	ioc
11	checkip.dyndns.org
13	freegeoip.app
14	freegeoip.app

description	pid	process	target process
PID 816 set thread context of 5028	816	uhywaxbj.exe	uhywaxbj.exe

pid	pid_target	process	target process
1672	5028	WerFault.exe	uhywaxbj.exe

pid	process
816	uhywaxbj.exe

description	pid	process
Token: SeDebugPrivilege	5028	uhywaxbj.exe

pid	process
816	uhywaxbj.exe
816	uhywaxbj.exe

pid	process
816	uhywaxbj.exe
816	uhywaxbj.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

9964f9212756726e0d408494d9f8535d2e8c38698415bc6d51fa65ac6b2e7b15.exeuhywaxbj.exe

description	pid	process	target process
PID 2496 wrote to memory of 816	2496	9964f9212756726e0d408494d9f8535d2e8c38698415bc6d51fa65ac6b2e7b15.exe	uhywaxbj.exe
PID 2496 wrote to memory of 816	2496	9964f9212756726e0d408494d9f8535d2e8c38698415bc6d51fa65ac6b2e7b15.exe	uhywaxbj.exe
PID 2496 wrote to memory of 816	2496	9964f9212756726e0d408494d9f8535d2e8c38698415bc6d51fa65ac6b2e7b15.exe	uhywaxbj.exe
PID 816 wrote to memory of 5028	816	uhywaxbj.exe	uhywaxbj.exe
PID 816 wrote to memory of 5028	816	uhywaxbj.exe	uhywaxbj.exe
PID 816 wrote to memory of 5028	816	uhywaxbj.exe	uhywaxbj.exe
PID 816 wrote to memory of 5028	816	uhywaxbj.exe	uhywaxbj.exe

outlook_office_path 1 IoCs

Processes:

uhywaxbj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	uhywaxbj.exe

outlook_win_path 1 IoCs

Processes:

uhywaxbj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	uhywaxbj.exe

C:\Users\Admin\AppData\Local\Temp\9964f9212756726e0d408494d9f8535d2e8c38698415bc6d51fa65ac6b2e7b15.exe
"C:\Users\Admin\AppData\Local\Temp\9964f9212756726e0d408494d9f8535d2e8c38698415bc6d51fa65ac6b2e7b15.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\uhywaxbj.exe
  "C:\Users\Admin\AppData\Local\Temp\uhywaxbj.exe" "C:\Users\Admin\AppData\Local\Temp\rdfefswl.au3"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\uhywaxbj.exe
    "C:\Users\Admin\AppData\Local\Temp\uhywaxbj.exe" "C:\Users\Admin\AppData\Local\Temp\rdfefswl.au3"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:5028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1868
      4⤵
      Program crash
      PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5028 -ip 5028
1⤵
PID:2476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rdfefswl.au3

Filesize
10KB

MD5
0a660ce608c97bddf8be78d8abb4c6c6

SHA1
57074e70a55c2dd1a482cad2df57f6ba124c3747

SHA256
35d685e4b892d001f56cda0e38c42e2d53832cdea610528fc124b06fd0064000

SHA512
a2cdea1eb39fbd8330f59f2880bb3a51b958262eae6014c1ac57535db317a892a219ed99cfb1b28a2a913951b4818775dc2806a6219681df54f85632f6256c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhywaxbj.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhywaxbj.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhywaxbj.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrhhl.sx

Filesize
124KB

MD5
155e49a6914becbbc3499923a8e9ee53

SHA1
057f9d0a70b237c84f08f07eb5d409408abcb97d

SHA256
bc93935ae0e55f0625f4dce91b68dade3dc1d5a8e2bce3b3a93663aa0b34f965

SHA512
b8179f66f01618d8e90f5fc01d6dc3e78a72234d0564ef19f25a26b4418ce5a1480a2be160bafb7aebbf3dd89f40be9ef1ab284780ff9cf18b201514c799f9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zppzceuup.nlf

Filesize
52KB

MD5
c515c0f8767d458b8da660ed91339d95

SHA1
bcbc4cd3eb796c94c0d4a818d2c3861ead1f2042

SHA256
174bb38d499b11cecf9efbc4a200545e7de7f968a438d660ff540c5c3636921c

SHA512
03d4ee8f56c2add73588a0d9468732ebdec2a94215b3f3b58cba731b433c6bf509e6a5512840fa6eb3eeb61b4882a86a9621e99bbe134810427708951141a7cc

Download Submit
memory/816-132-0x0000000000000000-mapping.dmp

Download
memory/5028-138-0x0000000000000000-mapping.dmp

Download
memory/5028-140-0x0000000005D50000-0x0000000005DEC000-memory.dmp

Filesize
624KB

Download
memory/5028-141-0x00000000063A0000-0x0000000006944000-memory.dmp

Filesize
5.6MB

Download
memory/5028-142-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5028-143-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads