Analysis
-
max time kernel
91s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
25-01-2023 20:31
General
-
Target
b368b4f8ba0c292896547adf2a35f967.exe
-
Size
704KB
-
MD5
b368b4f8ba0c292896547adf2a35f967
-
SHA1
02db58020730eb1fb7169c3d4ccc6f17aa3b6037
-
SHA256
2e11a21dab7ad117856ecb9f80cdb22241bf6b4a0f231e05483bdddf997fbae5
-
SHA512
0412f02ee3feb86daca01131d7f7fd52037ed6484edd8188c62eeb9c43db7fa6443d5ce9ed3b9c2daba70cadba8d71badecb6dc2670c85b64a6829e80e194d11
-
SSDEEP
12288:aCe8LxGQ7MRSRAsDYeQBWlWc4b70eU06zTwjZ++R5Mi6/ZVgCp0TLAXZoCzZWpfb:aN88Q7aQjDYLWlhW7JUyZ++R5PyZ5pcN
Malware Config
Signatures
-
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
-
Matiex Main payload 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b368b4f8ba0c292896547adf2a35f967.exe"C:\Users\Admin\AppData\Local\Temp\b368b4f8ba0c292896547adf2a35f967.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\1cf577b9dd994dc5b1fb65c6529fbb44.xml"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\1cf577b9dd994dc5b1fb65c6529fbb44.xml"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\b368b4f8ba0c292896547adf2a35f967.exe"C:\Users\Admin\AppData\Local\Temp\b368b4f8ba0c292896547adf2a35f967.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 18923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4328 -ip 43281⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1cf577b9dd994dc5b1fb65c6529fbb44.xmlFilesize
1KB
MD5e93833a5dc811722d20e043ecd456098
SHA10b3219317882da8cd167b9129384d11d9f08e482
SHA2564e6246a2b91980f9c86b85ec9941875fe41bdb8c13ef7f189ee4560fa8a8e189
SHA512c69144a3aa4a52cf888c206d85d41db7aeca5348b186d45cf027b7a364145e870bced07595f84002f7f36dceed3bfc2a85848113be1c5b1e72240979b019c1b5
-
memory/376-136-0x0000000000000000-mapping.dmp
-
memory/2540-134-0x0000000000AFA000-0x0000000000B00000-memory.dmpFilesize
24KB
-
memory/2540-135-0x0000000000AFA000-0x0000000000B00000-memory.dmpFilesize
24KB
-
memory/4328-133-0x0000000000000000-mapping.dmp
-
memory/4328-138-0x00000000057F0000-0x000000000588C000-memory.dmpFilesize
624KB
-
memory/4328-139-0x0000000005E40000-0x00000000063E4000-memory.dmpFilesize
5.6MB
-
memory/4328-140-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/4328-141-0x0000000005900000-0x0000000005966000-memory.dmpFilesize
408KB
-
memory/4884-132-0x0000000000000000-mapping.dmp