Overview

overview

10

Static

static

10

b368b4f8ba...67.exe

windows7-x64

10

b368b4f8ba...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2023 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b368b4f8ba0c292896547adf2a35f967.exe

  • Size

    704KB

  • MD5

    b368b4f8ba0c292896547adf2a35f967

  • SHA1

    02db58020730eb1fb7169c3d4ccc6f17aa3b6037

  • SHA256

    2e11a21dab7ad117856ecb9f80cdb22241bf6b4a0f231e05483bdddf997fbae5

  • SHA512

    0412f02ee3feb86daca01131d7f7fd52037ed6484edd8188c62eeb9c43db7fa6443d5ce9ed3b9c2daba70cadba8d71badecb6dc2670c85b64a6829e80e194d11

  • SSDEEP

    12288:aCe8LxGQ7MRSRAsDYeQBWlWc4b70eU06zTwjZ++R5Mi6/ZVgCp0TLAXZoCzZWpfb:aN88Q7aQjDYLWlhW7JUyZ++R5PyZ5pcN

Score
10/10
matiexcollectionkeyloggerspywarestealer

Malware Config

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main payload 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b368b4f8ba0c292896547adf2a35f967.exe
    "C:\Users\Admin\AppData\Local\Temp\b368b4f8ba0c292896547adf2a35f967.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\1cf577b9dd994dc5b1fb65c6529fbb44.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\1cf577b9dd994dc5b1fb65c6529fbb44.xml"
        3⤵
        • Creates scheduled task(s)
        PID:376
    • C:\Users\Admin\AppData\Local\Temp\b368b4f8ba0c292896547adf2a35f967.exe
      "C:\Users\Admin\AppData\Local\Temp\b368b4f8ba0c292896547adf2a35f967.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4328
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1892
        3⤵
        • Program crash
        PID:680
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4328 -ip 4328
    1⤵
      PID:2128

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1cf577b9dd994dc5b1fb65c6529fbb44.xml
      Filesize

      1KB

      MD5

      e93833a5dc811722d20e043ecd456098

      SHA1

      0b3219317882da8cd167b9129384d11d9f08e482

      SHA256

      4e6246a2b91980f9c86b85ec9941875fe41bdb8c13ef7f189ee4560fa8a8e189

      SHA512

      c69144a3aa4a52cf888c206d85d41db7aeca5348b186d45cf027b7a364145e870bced07595f84002f7f36dceed3bfc2a85848113be1c5b1e72240979b019c1b5

      Download Submit

    • memory/2540-134-0x0000000000AFA000-0x0000000000B00000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2540-135-0x0000000000AFA000-0x0000000000B00000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4328-138-0x00000000057F0000-0x000000000588C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4328-139-0x0000000005E40000-0x00000000063E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4328-140-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4328-141-0x0000000005900000-0x0000000005966000-memory.dmp

      Filesize

      408KB

      Download