matanbuchus | 34839e85cb8ae781654f2f9f0529114dbf21399e02bea3c9de94f6c247807e7e

Resubmissions

30-06-2022 09:32

220630-lhz2fsbhd8 10

05-05-2022 13:14

220505-qgy5zsafhk 10

Analysis

max time kernel
136s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
05-05-2022 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5713de.msi
Size

1.0MB
MD5

b8520a4e0945ba689030685895d6bed8
SHA1

ea8b828430149f67f45f9a71ee486bc674e21da7
SHA256

34839e85cb8ae781654f2f9f0529114dbf21399e02bea3c9de94f6c247807e7e
SHA512

f35feec25d6aa629b050c0ec3f8ac2d94887cc05eba11e7bb816aec1c60a6a5ad0f3703bd4e28a8753717b14225ea46364a518d76531e3534d6a4c4fbca2b966

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus

Blocklisted process makes network request 4 IoCs

flow	pid	Process
21	4972	msiexec.exe
23	4972	msiexec.exe
25	4972	msiexec.exe
28	4972	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
3164	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1AAC3542-0FCE-D181-BA94-D6EA62B9ED71}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEBA.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cae3.msi	msiexec.exe
File created	C:\Windows\Installer\e57cae1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cae1.msi	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5052	2908	WerFault.exe	43

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4576	msiexec.exe
4576	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4972	msiexec.exe
Token: SeSecurityPrivilege	4576	msiexec.exe
Token: SeCreateTokenPrivilege	4972	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4972	msiexec.exe
Token: SeLockMemoryPrivilege	4972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4972	msiexec.exe
Token: SeMachineAccountPrivilege	4972	msiexec.exe
Token: SeTcbPrivilege	4972	msiexec.exe
Token: SeSecurityPrivilege	4972	msiexec.exe
Token: SeTakeOwnershipPrivilege	4972	msiexec.exe
Token: SeLoadDriverPrivilege	4972	msiexec.exe
Token: SeSystemProfilePrivilege	4972	msiexec.exe
Token: SeSystemtimePrivilege	4972	msiexec.exe
Token: SeProfSingleProcessPrivilege	4972	msiexec.exe
Token: SeIncBasePriorityPrivilege	4972	msiexec.exe
Token: SeCreatePagefilePrivilege	4972	msiexec.exe
Token: SeCreatePermanentPrivilege	4972	msiexec.exe
Token: SeBackupPrivilege	4972	msiexec.exe
Token: SeRestorePrivilege	4972	msiexec.exe
Token: SeShutdownPrivilege	4972	msiexec.exe
Token: SeDebugPrivilege	4972	msiexec.exe
Token: SeAuditPrivilege	4972	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4972	msiexec.exe
Token: SeChangeNotifyPrivilege	4972	msiexec.exe
Token: SeRemoteShutdownPrivilege	4972	msiexec.exe
Token: SeUndockPrivilege	4972	msiexec.exe
Token: SeSyncAgentPrivilege	4972	msiexec.exe
Token: SeEnableDelegationPrivilege	4972	msiexec.exe
Token: SeManageVolumePrivilege	4972	msiexec.exe
Token: SeImpersonatePrivilege	4972	msiexec.exe
Token: SeCreateGlobalPrivilege	4972	msiexec.exe
Token: SeBackupPrivilege	2400	vssvc.exe
Token: SeRestorePrivilege	2400	vssvc.exe
Token: SeAuditPrivilege	2400	vssvc.exe
Token: SeBackupPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4972	msiexec.exe
4972	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4256	4576	msiexec.exe	106
PID 4576 wrote to memory of 4256	4576	msiexec.exe	106
PID 4576 wrote to memory of 3164	4576	msiexec.exe	108
PID 4576 wrote to memory of 3164	4576	msiexec.exe	108
PID 4576 wrote to memory of 3164	4576	msiexec.exe	108

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5713de.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4972

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4256
- \??\c:\windows\SysWoW64\regsvr32.exe
  c:\windows\SysWoW64\regsvr32.exe -e -n -i:"TrustedPublisher" "C:\Users\Admin\AppData\Local\VisualStudioIDE\locale.nls" Office
  2⤵
  - Loads dropped DLL
  PID:3164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2908 -ip 2908
1⤵
PID:4572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2908 -s 2020
1⤵
- Program crash
PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
727B

MD5
d05edf0029b13b4c2a3831575be90fbc

SHA1
e14098d994080d3f7bbfb7f3a33954f4a4145d17

SHA256
4dc8cd12b288da059a75fbfaa5be7f3180a0d145a0068b7e646019c2ed24fd39

SHA512
6d27c15885709f4ceb6c53edf3d9075e817d02d3740f750ed7f016675b30f48c785734a34edd22c51b10bcf8112f6ae6049f9d8294d63f8522d5c55a7510743d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_AA53F781F7F4C895625B394C44214055

Filesize
638B

MD5
21f0dc7fa1698d70999693fb903d9b89

SHA1
313f1926878cd38edd11c2d036455e9cc1e2b008

SHA256
a84c0466e0963c7d4c6901dd90500d9b7cbc520c36bf684a06c16ceb7605a97c

SHA512
d5fb6c4f778b09b305d6d98721dd869d2515c8f0f97f95f00ddbeba3b51e2bb004b25427997d268e598b4581a6edf3d0be437dbc16324b32931b05ea29b14a11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
471B

MD5
42a07d52d74158b87b68620f3e7414c3

SHA1
36f32e77191c91eeb6f21361b09f7d7b7a3fbd12

SHA256
6d4c08cced085eccf1c442bd3f0dbf1108f492331096aae2482c316fc6eed554

SHA512
086020ae8c03459d5f59876086ff1197d6fedaed8aea43ad5a08bed665cb691f6d87263bbae5c7b5fcc584d27ea7e46c46f1c7ce5bf55dfa1edaa625dfc7119f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
398B

MD5
24725305641ac1e106e03389086e09ce

SHA1
9059a13ccb65f8c2bb5f710adc6e8a90cc2d7715

SHA256
23b9f513bb22021ed64f7f0321d108266e8c18adc028e1b581719b0d4767ffbf

SHA512
5f95c12277a57ee91838176a6660d13a4579ab68f240434cc2f24590c6df6e071c7d0ca4bf6bfe0246b82e30ba7c6c87a78a62106255d750c839b73e2e38dbb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_AA53F781F7F4C895625B394C44214055

Filesize
398B

MD5
59580eafd731fd5fd9cb4368ec7845b5

SHA1
aaa15eaff2216912f344170f60eb6a8120cc307a

SHA256
1bc6aeb53a52967e9b7ef3a6d011f98e7ab4a81f0ccaa0fb1143ba920ada7cda

SHA512
b3386c79eb672e33738b429ad2eb3bac434014c752d84ed67c7d1525ca48d6d4c910669b35a0f2c4df6b5f43ec7607aff4c27c932be066473c086f40d4144ce1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
396B

MD5
577546eaebcdfc3f029d2805ba1935f9

SHA1
fb1526a895187dd43b11bcb6e8598ec25368db36

SHA256
acdc4af75c76ec68e59f42f50c0be08caae92c76b82212c5abc858d785db010a

SHA512
319bd6ee490620623baf83f3a4e7139bdf927df9ad22cc3f4c3563285e7811929cc34b2987a5824d3c3e4f139daeee56211e0258a39b90a7cec5738f879dba01

Download Submit
C:\Users\Admin\AppData\Local\VisualStudioIDE\locale.nls

Filesize
1.5MB

MD5
d902d9b6580de0f0264e23b4000b5070

SHA1
9ca85ea9142c2135fc912bbbcb6d1db85c40f3a4

SHA256
67a9e8599ab71865a97e75dae9be438c24d015a93e6a12fb5b450ec558528290

SHA512
c971dacbfd9b9bb9e6a6f6d666576c2ff5f8854941b5b9c5057d907032cdba902fab7723bcb2b81108b2657edc964ef90d78f2a43252714350129e72b3c4416b

Download Submit
C:\Users\Admin\AppData\Local\VisualStudioIDE\locale.nls

Filesize
1.5MB

MD5
d902d9b6580de0f0264e23b4000b5070

SHA1
9ca85ea9142c2135fc912bbbcb6d1db85c40f3a4

SHA256
67a9e8599ab71865a97e75dae9be438c24d015a93e6a12fb5b450ec558528290

SHA512
c971dacbfd9b9bb9e6a6f6d666576c2ff5f8854941b5b9c5057d907032cdba902fab7723bcb2b81108b2657edc964ef90d78f2a43252714350129e72b3c4416b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
481821b756c12054bf92d5997159283b

SHA1
0fef45e3c09b11ba79ea2661b7f314a7b1772b83

SHA256
9b97c6ca514326aae774c1616d008a23ea0935032d1708d642858c117d85d081

SHA512
5913fb1d4a035c8a5beb5bb9476cd931393682591feb66084ab5a24293e8a51981ac32fd60e7ed4f71f6de091c5f933fdc8d1600d06795155ce6965ee12bcf39

Download Submit
\??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fcd3167c-6059-42b5-ab98-fcb6807b7b31}_OnDiskSnapshotProp

Filesize
5KB

MD5
cadfadacad1eea5176998acc4128804b

SHA1
23849461d5c7f62c70f1215d2b744e3828f93663

SHA256
ee0a1b44e027bd987f08c2897ed07eec4bd39236552e8d424273e4d4140ea518

SHA512
9cb9ffc45d1f2e63ea3af51bd58d52428a630ec99f96dd0f111014b62b171b5b300ea7e0621ed01965a7c1da1dfece1abe782c1ea4996e0242388e896ae76368

Download Submit