Overview

overview

10

Static

static

3

54632e7d37...7d.exe

windows7-x64

3

54632e7d37...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    33s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2024 20:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54632e7d37d3142474baff846284247d.exe

  • Size

    812KB

  • MD5

    54632e7d37d3142474baff846284247d

  • SHA1

    dfd39606a2dce9ffe5887f494d2cba0ee3c8bd22

  • SHA256

    dbe6359af1e119c871d0811f321e2ee4044eaf6ec65c68623937d096c197fe8c

  • SHA512

    0679ef0eb7b973cef0ebb94bc4e8b0eaf2e5a9ef587b4c54fe81dc984d762bda60266ba83da24bbd5cf9f42110f78b7850e3e4a5cdec8c88037734bf5ccd95ee

  • SSDEEP

    12288:2Pp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvXMpJXfXUy/Wj:2Dpjtacljjy4OyJC+Ah+yFQzHm2G

Score
10/10
matiexkeyloggerstealer

Malware Config

Extracted

Family

matiex

Credentials

Signatures

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main payload 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\54632e7d37d3142474baff846284247d.exe
    "C:\Users\Admin\AppData\Local\Temp\54632e7d37d3142474baff846284247d.exe"
    1⤵
      PID:1984
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BOZtQE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:60
      • C:\Users\Admin\AppData\Local\Temp\54632e7d37d3142474baff846284247d.exe
        "{path}"
        2⤵
          PID:1004
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1956
            3⤵
            • Program crash
            PID:3988
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1004 -ip 1004
        1⤵
          PID:4012

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\54632e7d37d3142474baff846284247d.exe.log
          Filesize

          1KB

          MD5

          8ec831f3e3a3f77e4a7b9cd32b48384c

          SHA1

          d83f09fd87c5bd86e045873c231c14836e76a05c

          SHA256

          7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

          SHA512

          26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp
          Filesize

          1KB

          MD5

          4f33396edf0ec8c4d94598faccf8ba85

          SHA1

          94605aea1265f6ae024dd15c4ae9e0d642c85141

          SHA256

          88c36223505be94d4a2722b16a636c0fc98849b2960faf41daa425fff2590c23

          SHA512

          49bcdaa783bb008943e82a47f6286747cfc0033ba4aec5a3b9e82f7bc7312c11a5733cddb417a0e3a10a3bf546c760f719e77842bc184d6562696b7c25c31fc8

          Download Submit

        • memory/1004-22-0x00000000743C0000-0x0000000074B70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1004-15-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/1004-18-0x00000000743C0000-0x0000000074B70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1004-21-0x00000000052D0000-0x00000000052E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1004-20-0x0000000005420000-0x0000000005486000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1984-10-0x000000000A010000-0x000000000A0CC000-memory.dmp

          Filesize

          752KB

          Download

        • memory/1984-8-0x00000000743C0000-0x0000000074B70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1984-9-0x0000000004F50000-0x0000000004F60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1984-1-0x00000000743C0000-0x0000000074B70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1984-11-0x0000000009DB0000-0x0000000009E62000-memory.dmp

          Filesize

          712KB

          Download

        • memory/1984-6-0x0000000005430000-0x0000000005438000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1984-7-0x00000000061E0000-0x000000000627C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/1984-5-0x0000000005140000-0x000000000514A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1984-19-0x00000000743C0000-0x0000000074B70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1984-4-0x0000000004F50000-0x0000000004F60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1984-0-0x00000000004C0000-0x0000000000592000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1984-3-0x0000000004F80000-0x0000000005012000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1984-2-0x0000000005490000-0x0000000005A34000-memory.dmp

          Filesize

          5.6MB

          Download