Analysis

  • max time kernel: 143s
  • max time network: 96s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 16-06-2022 18:20

General

  • Target: SCAN-068589.pdf.msi
  • Size: 224KB
  • MD5: c0ee31bc6536ae8cb7e5d8809676920a
  • SHA1: b21482d1072e5cb65488f2c181f38c75d8c80dcd
  • SHA256: 2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4
  • SHA512: 66ed8f4762f3cb7b4026c9d7eeaec2ee4e8275495d527f99fd163d0a72f436ef2e2fdad88f7dcad87e3dd10c7afffe7b2f0f6c3412de68c16e96f9377cb4fe1d

Score
10/10

Malware Config

Signatures

  • Matanbuchus

    A loader sold as MaaS first seen in February 2021.

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SCAN-068589.pdf.msi
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:884
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\regsvr32.exe
        -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        • Loads dropped DLL
        PID:1076
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      PID:1448
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:944
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C4" "00000000000003C0"
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1816

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 60KB
    MD5: 308336e7f515478969b24c13ded11ede
    SHA1: 8fb0cf42b77dbbef224a1e5fc38abc2486320775
    SHA256: 889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9
    SHA512: 61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
    Filesize: 1KB
    MD5: 78f2fcaa601f2fb4ebc937ba532e7549
    SHA1: ddfb16cd4931c973a2037d3fc83a4d7d775d05e4
    SHA256: 552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988
    SHA512: bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: f9a5e0a13c6703bb4260cee82f20a2d5
    SHA1: 639e6af9cd9aac1a2f99b413f4b0447b7f9cb32a
    SHA256: d4dc696f2177b86a83f8521663c2501525be3a6ae4e17e0eb25c6bafdf30fd66
    SHA512: 1e0863578f573caad974ab82d6add8607c0e812a47fcab7b58c27a342a6baae1793ad504e50a4366a90769172c69c35175b5dec4fa9540e06c7cff4fe4911cd5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
    Filesize: 254B
    MD5: 80e8ab93f703cd63356d7a83314e80d5
    SHA1: abd414aaa0bb571f02b8e8e2cfdd56e1a2f6e9fa
    SHA256: a14e9481a8704dcade5eb7d7a48d8510d7bd6b200947ba1bebdac3e673c871e4
    SHA512: 1ce4a8ea8683ebd12c7ca423ecc127c13b7684a70243e9784af32c9b2dace5e556834c39f3b1247184a2ef18d4d3df1f35d9ade8cd22ee81ff960ede20f055f2

  • C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    Filesize: 401KB
    MD5: 93f85342ebefa3b658ee04dc42c0df3a
    SHA1: 844736386b67d21566b7a23bedd42c4bb0223c3d
    SHA256: 60f030597c75f9df0f7a494cb5432b600d41775cfe5cf13006c1448fa3a68d8d
    SHA512: 3cf20695b83e9b45804214a6b96337cff29da6993db8ba368380ba1e5455b679bba3646f6b27d2bac239caf4f6697fb9087d5679674065eba9d7fd514c85edb2

  • C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
    Filesize: 68B
    MD5: 0308aa2c8dab8a69de41f5d16679bb9b
    SHA1: c6827bf44a433ff086e787653361859d6f6e2fb3
    SHA256: 0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489
    SHA512: 1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

  • \Users\Admin\AppData\Local\AdobeFontPack\main.dll
    Filesize: 401KB
    MD5: 93f85342ebefa3b658ee04dc42c0df3a
    SHA1: 844736386b67d21566b7a23bedd42c4bb0223c3d
    SHA256: 60f030597c75f9df0f7a494cb5432b600d41775cfe5cf13006c1448fa3a68d8d
    SHA512: 3cf20695b83e9b45804214a6b96337cff29da6993db8ba368380ba1e5455b679bba3646f6b27d2bac239caf4f6697fb9087d5679674065eba9d7fd514c85edb2

  • memory/884-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp
    Filesize: 8KB
  • memory/1076-64-0x0000000000000000-mapping.dmp
  • memory/1076-66-0x0000000075741000-0x0000000075743000-memory.dmp
    Filesize: 8KB
  • memory/1448-61-0x0000000000000000-mapping.dmp
  • memory/1992-60-0x0000000000000000-mapping.dmp