matiex | c1f48df6bc08fbcc1d87a604d3b71d8db009e1d86d845a86363942b48f51880a

General

Target

be5b21387901bb069615fd1b4ed206c5.exe
Size

640KB
MD5

be5b21387901bb069615fd1b4ed206c5
SHA1

1b165159320a2383b3660897f8d22f69d38ff445
SHA256

c1f48df6bc08fbcc1d87a604d3b71d8db009e1d86d845a86363942b48f51880a
SHA512

eb1084ddd5d6b7edc3e9fbd78585122ed998de3e4aa0ea9127896e352a543d6fd81182f50aec79e1a750615512e8b2709811684f6ade950113dd39eb6d8fd8f1
SSDEEP

12288:aCe8LxGQ7MRSRAsDYeQBWlWc4b70eU06zTwjZ++R5Mi6/ZVgCp0TLAXZoCzZW:aN88Q7aQjDYLWlhW7JUyZ++R5PyZ5pcQ

Score

10^/10

matiex collection keylogger spyware stealer

Malware Config

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/368-143-0x0000000000400000-0x0000000000482000-memory.dmp	family_matiex

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

be5b21387901bb069615fd1b4ed206c5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	be5b21387901bb069615fd1b4ed206c5.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	be5b21387901bb069615fd1b4ed206c5.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	be5b21387901bb069615fd1b4ed206c5.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 checkip.dyndns.org
15 freegeoip.app
16 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

be5b21387901bb069615fd1b4ed206c5.exe

description pid process target process

PID 1756 set thread context of 368 1756 be5b21387901bb069615fd1b4ed206c5.exe be5b21387901bb069615fd1b4ed206c5.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4236 368 WerFault.exe be5b21387901bb069615fd1b4ed206c5.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2752 schtasks.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

be5b21387901bb069615fd1b4ed206c5.exebe5b21387901bb069615fd1b4ed206c5.exebe5b21387901bb069615fd1b4ed206c5.exe

pid process

4984 be5b21387901bb069615fd1b4ed206c5.exe
2616 be5b21387901bb069615fd1b4ed206c5.exe
1756 be5b21387901bb069615fd1b4ed206c5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

be5b21387901bb069615fd1b4ed206c5.exe

description pid process

Token: SeDebugPrivilege 368 be5b21387901bb069615fd1b4ed206c5.exe

flow	ioc
6	checkip.dyndns.org
15	freegeoip.app
16	freegeoip.app

description	pid	process	target process
PID 1756 set thread context of 368	1756	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe

pid	pid_target	process	target process
4236	368	WerFault.exe	be5b21387901bb069615fd1b4ed206c5.exe

pid	process
2752	schtasks.exe

pid	process
4984	be5b21387901bb069615fd1b4ed206c5.exe
2616	be5b21387901bb069615fd1b4ed206c5.exe
1756	be5b21387901bb069615fd1b4ed206c5.exe

description	pid	process
Token: SeDebugPrivilege	368	be5b21387901bb069615fd1b4ed206c5.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

be5b21387901bb069615fd1b4ed206c5.execmd.exebe5b21387901bb069615fd1b4ed206c5.exebe5b21387901bb069615fd1b4ed206c5.exe

outlook_office_path 1 IoCs

Processes:

be5b21387901bb069615fd1b4ed206c5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	be5b21387901bb069615fd1b4ed206c5.exe

outlook_win_path 1 IoCs

Processes:

be5b21387901bb069615fd1b4ed206c5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	be5b21387901bb069615fd1b4ed206c5.exe

C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe
"C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\1cf577b9dd994dc5b1fb65c6529fbb44.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\1cf577b9dd994dc5b1fb65c6529fbb44.xml"
3⤵
- Creates scheduled task(s)
PID:2752

C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe
"C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe"
2⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe
"C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe
"C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe"
3⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe
"C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe
"C:\Users\Admin\AppData\Local\Temp\be5b21387901bb069615fd1b4ed206c5.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1896
5⤵
- Program crash
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 368 -ip 368
1⤵
PID:4484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1cf577b9dd994dc5b1fb65c6529fbb44.xml
Filesize
1KB

MD5
2feaac3555165aa7b76fabc3984fe19b

SHA1
76710b1b204309f4d057eba17bba71b7444f52af

SHA256
68052979b38f028b24e466114471d2d49568b83a9a7f051a82a72c5ca4e8c01c

SHA512
81cf57a2ad53f9eaf9a21799dc87e7846a1669a370e05597f58ffb87a91f8f38814375e675880a6d9cdb5bb667d47cb875e6fb471d9a9b143f81a83e6f5b6739

Download Submit
memory/368-146-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/368-145-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/368-144-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/368-143-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/368-140-0x0000000000000000-mapping.dmp

Download
memory/1756-141-0x0000000000D6A000-0x0000000000D70000-memory.dmp

Filesize
24KB

Download
memory/1756-139-0x0000000000000000-mapping.dmp

Download
memory/2232-132-0x0000000000000000-mapping.dmp

Download
memory/2616-135-0x0000000000000000-mapping.dmp

Download
memory/2616-138-0x00000000009FB000-0x0000000000A00000-memory.dmp

Filesize
20KB

Download
memory/2752-134-0x0000000000000000-mapping.dmp

Download
memory/3304-137-0x0000000000000000-mapping.dmp

Download
memory/4208-133-0x0000000000000000-mapping.dmp

Download
memory/4984-136-0x00000000008FB000-0x0000000000900000-memory.dmp

Filesize
20KB

Download

description	pid	process	target process
PID 4984 wrote to memory of 2232	4984	be5b21387901bb069615fd1b4ed206c5.exe	cmd.exe
PID 4984 wrote to memory of 2232	4984	be5b21387901bb069615fd1b4ed206c5.exe	cmd.exe
PID 4984 wrote to memory of 2232	4984	be5b21387901bb069615fd1b4ed206c5.exe	cmd.exe
PID 4984 wrote to memory of 4208	4984	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 4984 wrote to memory of 4208	4984	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 4984 wrote to memory of 4208	4984	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 2232 wrote to memory of 2752	2232	cmd.exe	schtasks.exe
PID 2232 wrote to memory of 2752	2232	cmd.exe	schtasks.exe
PID 2232 wrote to memory of 2752	2232	cmd.exe	schtasks.exe
PID 4984 wrote to memory of 2616	4984	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 4984 wrote to memory of 2616	4984	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 4984 wrote to memory of 2616	4984	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 2616 wrote to memory of 3304	2616	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 2616 wrote to memory of 3304	2616	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 2616 wrote to memory of 3304	2616	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 2616 wrote to memory of 1756	2616	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 2616 wrote to memory of 1756	2616	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 2616 wrote to memory of 1756	2616	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 1756 wrote to memory of 368	1756	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 1756 wrote to memory of 368	1756	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 1756 wrote to memory of 368	1756	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe
PID 1756 wrote to memory of 368	1756	be5b21387901bb069615fd1b4ed206c5.exe	be5b21387901bb069615fd1b4ed206c5.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads