matiex | 9704d0420f573639eed3b1765ea5f212ba4c3129333f2efc167a1c0724935419

General

Target

Itemslists.scr
Size

488KB
MD5

b95e010955432d3e5a2e63d54c01e1b2
SHA1

9a9e7575f960483591ac327e092e1a3fb041208a
SHA256

1b68f5ab26d4fd7c7ca1933dd8dcc6f6f879104a072dc92f9d5917ad42a3cfd7
SHA512

f2fca4e5ac2469f8a4466520b154bfa3567a8e060dd14e11692ddf904cea86b7b8eee859e2b125e7234dde956d2e89b000fb7ebcb0648720b822ea4624b0a024
SSDEEP

12288:+g2Sh8cpTmGuh+6soYYhBHDejsgJEaTOL1p6O5n+vToVe:+gRh8xAkFBHDe7bTIW0Ve

Score

10^/10

matiex keylogger stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
coronavirus2020
Email To:
[email protected]

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 5 IoCs

resource	yara_rule
behavioral3/memory/2244-16-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral3/memory/2244-20-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral3/memory/2244-18-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral3/memory/2244-14-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral3/memory/2244-13-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app
2	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1036 set thread context of 2244	1036	Itemslists.scr	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1620	2244	WerFault.exe	30

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2244	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2624	1036	Itemslists.scr	28
PID 1036 wrote to memory of 2624	1036	Itemslists.scr	28
PID 1036 wrote to memory of 2624	1036	Itemslists.scr	28
PID 1036 wrote to memory of 2624	1036	Itemslists.scr	28
PID 1036 wrote to memory of 2244	1036	Itemslists.scr	30
PID 1036 wrote to memory of 2244	1036	Itemslists.scr	30
PID 1036 wrote to memory of 2244	1036	Itemslists.scr	30
PID 1036 wrote to memory of 2244	1036	Itemslists.scr	30
PID 1036 wrote to memory of 2244	1036	Itemslists.scr	30
PID 1036 wrote to memory of 2244	1036	Itemslists.scr	30
PID 1036 wrote to memory of 2244	1036	Itemslists.scr	30
PID 1036 wrote to memory of 2244	1036	Itemslists.scr	30
PID 1036 wrote to memory of 2244	1036	Itemslists.scr	30
PID 2244 wrote to memory of 1620	2244	MSBuild.exe	32
PID 2244 wrote to memory of 1620	2244	MSBuild.exe	32
PID 2244 wrote to memory of 1620	2244	MSBuild.exe	32
PID 2244 wrote to memory of 1620	2244	MSBuild.exe	32

C:\Users\Admin\AppData\Local\Temp\Itemslists.scr
"C:\Users\Admin\AppData\Local\Temp\Itemslists.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AxOLPSrlQrex" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA90B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1636
    3⤵
    - Program crash
    PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA90B.tmp

Filesize
1KB

MD5
345c5fc680185061cfb1034161643a87

SHA1
cbfcd4d6aa31d40b6dadcaab67b8bbf0ec6c2f32

SHA256
93e2744d35376de2cbc0fa91c9fd397cb3c2ccc684ba2b85cd8fc5ddc935aa79

SHA512
ea789c077d37e39690896c1459ae499bcd521cf6e3eca9a989030973f6d68455abfb099749ad79c88338c3b3fa5c9f21c019062628af2005251ac71769bd8254

Download Submit
memory/1036-0-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/1036-1-0x0000000000360000-0x00000000003E0000-memory.dmp

Filesize
512KB

Download
memory/1036-2-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1036-3-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/1036-4-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1036-5-0x0000000004EF0000-0x0000000004F6C000-memory.dmp

Filesize
496KB

Download
memory/1036-21-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2244-16-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2244-20-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2244-18-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2244-15-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2244-14-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2244-13-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2244-11-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2244-12-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads