matanbuchus | 2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4

Analysis

max time kernel
138s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-06-2022 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCAN-068589.pdf.msi
Size

224KB
MD5

c0ee31bc6536ae8cb7e5d8809676920a
SHA1

b21482d1072e5cb65488f2c181f38c75d8c80dcd
SHA256

2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4
SHA512

66ed8f4762f3cb7b4026c9d7eeaec2ee4e8275495d527f99fd163d0a72f436ef2e2fdad88f7dcad87e3dd10c7afffe7b2f0f6c3412de68c16e96f9377cb4fe1d

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

5 4588 msiexec.exe
6 4588 msiexec.exe
8 4588 msiexec.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3532 regsvr32.exe

flow	pid	process
5	4588	msiexec.exe
6	4588	msiexec.exe
8	4588	msiexec.exe

pid	process
3532	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CC038BA5-7236-4713-8948-DFF082243638}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI29B0.tmp	msiexec.exe
File created	C:\Windows\Installer\e5727ed.msi	msiexec.exe
File created	C:\Windows\Installer\e5727eb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5727eb.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000036afcf5ac1e326070000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000036afcf5a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090036afcf5a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3728 msiexec.exe
3728 msiexec.exe

pid	process
3728	msiexec.exe
3728	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4588	msiexec.exe
Token: SeSecurityPrivilege	3728	msiexec.exe
Token: SeCreateTokenPrivilege	4588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4588	msiexec.exe
Token: SeLockMemoryPrivilege	4588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4588	msiexec.exe
Token: SeMachineAccountPrivilege	4588	msiexec.exe
Token: SeTcbPrivilege	4588	msiexec.exe
Token: SeSecurityPrivilege	4588	msiexec.exe
Token: SeTakeOwnershipPrivilege	4588	msiexec.exe
Token: SeLoadDriverPrivilege	4588	msiexec.exe
Token: SeSystemProfilePrivilege	4588	msiexec.exe
Token: SeSystemtimePrivilege	4588	msiexec.exe
Token: SeProfSingleProcessPrivilege	4588	msiexec.exe
Token: SeIncBasePriorityPrivilege	4588	msiexec.exe
Token: SeCreatePagefilePrivilege	4588	msiexec.exe
Token: SeCreatePermanentPrivilege	4588	msiexec.exe
Token: SeBackupPrivilege	4588	msiexec.exe
Token: SeRestorePrivilege	4588	msiexec.exe
Token: SeShutdownPrivilege	4588	msiexec.exe
Token: SeDebugPrivilege	4588	msiexec.exe
Token: SeAuditPrivilege	4588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4588	msiexec.exe
Token: SeChangeNotifyPrivilege	4588	msiexec.exe
Token: SeRemoteShutdownPrivilege	4588	msiexec.exe
Token: SeUndockPrivilege	4588	msiexec.exe
Token: SeSyncAgentPrivilege	4588	msiexec.exe
Token: SeEnableDelegationPrivilege	4588	msiexec.exe
Token: SeManageVolumePrivilege	4588	msiexec.exe
Token: SeImpersonatePrivilege	4588	msiexec.exe
Token: SeCreateGlobalPrivilege	4588	msiexec.exe
Token: SeBackupPrivilege	996	vssvc.exe
Token: SeRestorePrivilege	996	vssvc.exe
Token: SeAuditPrivilege	996	vssvc.exe
Token: SeBackupPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4588 msiexec.exe
4588 msiexec.exe

pid	process
4588	msiexec.exe
4588	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

msiexec.exeregsvr32.exe

description	pid	process	target process
PID 3728 wrote to memory of 5076	3728	msiexec.exe	srtasks.exe
PID 3728 wrote to memory of 5076	3728	msiexec.exe	srtasks.exe
PID 3728 wrote to memory of 2256	3728	msiexec.exe	regsvr32.exe
PID 3728 wrote to memory of 2256	3728	msiexec.exe	regsvr32.exe
PID 3728 wrote to memory of 1308	3728	msiexec.exe	wscript.exe
PID 3728 wrote to memory of 1308	3728	msiexec.exe	wscript.exe
PID 2256 wrote to memory of 3532	2256	regsvr32.exe	regsvr32.exe
PID 2256 wrote to memory of 3532	2256	regsvr32.exe	regsvr32.exe
PID 2256 wrote to memory of 3532	2256	regsvr32.exe	regsvr32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SCAN-068589.pdf.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:5076

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
2⤵
PID:1308

C:\Windows\system32\regsvr32.exe
regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\regsvr32.exe
-n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
3⤵
- Loads dropped DLL
PID:3532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535
Filesize
727B

MD5
7928c3688d855f9c7c83bb0533fdc463

SHA1
d8bd219cd2b4b5d92b9f33ad8f5d4f7469f78755

SHA256
8b4f7f9bfba7694bba0f73951f1a50e64d3cea560b18c9bb63366abfc0d0cd0a

SHA512
b6df399bdfa2a122dac8206b770faf9fc2af136bff614eaa43b7f134a4a0716165c87e984305471f56b07338faba078386a4efccd4df06375ada74c79303ec82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
727B

MD5
4b1008f214a88512bef2e60b7734eb95

SHA1
3c1b32bb284853001397e03365c5e4c12ccd9a2a

SHA256
98e95fc1fefc3866b84dee298754a92ba82eea6c78d22f8039e09a5d9fcccb6a

SHA512
8b9e3ae05b7b8e1a442ec26fa2fd24f8b6e497d697064546295928e3e30b62fc120136f37df4896decda1d51f0b09be630882b70787c00722244599de67da9fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535
Filesize
434B

MD5
603e8214be921f05c586f02893f1dfc3

SHA1
3b1429356fdb4da0eca009709706337555343c7d

SHA256
e636cc0a83336ffe8e830e00757cfe6e6018c9d8de1fc16aa20cac4ab2a0aa37

SHA512
b93bbadec6184208fe00df6f4c54298c2406e1ef44ac1b78d4bf51a69ab60aed7a1f7a321e59678ca17e9dffb266f81f3d296d610bca8bff4612a324d2e039ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
412B

MD5
dd197f2d52b6af147f77bcb670a7af10

SHA1
c0267e83c3967b83b665d8a8de7870e16d7d2c6f

SHA256
11da8c8be089ed6a474dd7148a4e2fd742db1d419be4ee2f949e6620c15b693d

SHA512
b19ffc5b51df92de61e543405d4ac37666d75277878c7812ff01926687f5d07fe8bf86840738c2c073e73a1b66b204ac5f4479c6b98055dbf3350f4454501ac9

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
Filesize
401KB

MD5
93f85342ebefa3b658ee04dc42c0df3a

SHA1
844736386b67d21566b7a23bedd42c4bb0223c3d

SHA256
60f030597c75f9df0f7a494cb5432b600d41775cfe5cf13006c1448fa3a68d8d

SHA512
3cf20695b83e9b45804214a6b96337cff29da6993db8ba368380ba1e5455b679bba3646f6b27d2bac239caf4f6697fb9087d5679674065eba9d7fd514c85edb2

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
Filesize
401KB

MD5
93f85342ebefa3b658ee04dc42c0df3a

SHA1
844736386b67d21566b7a23bedd42c4bb0223c3d

SHA256
60f030597c75f9df0f7a494cb5432b600d41775cfe5cf13006c1448fa3a68d8d

SHA512
3cf20695b83e9b45804214a6b96337cff29da6993db8ba368380ba1e5455b679bba3646f6b27d2bac239caf4f6697fb9087d5679674065eba9d7fd514c85edb2

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
Filesize
68B

MD5
0308aa2c8dab8a69de41f5d16679bb9b

SHA1
c6827bf44a433ff086e787653361859d6f6e2fb3

SHA256
0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

SHA512
1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
a5f36530475b88cd35f6cda6fb390135

SHA1
d82c74e222071c04e9cef4b83478080ae8b00d02

SHA256
3e6d31f9d81ce041eea2d5de2439a2d6a2f20c585fbc0543e54b93ede913e8f5

SHA512
29438ff56f82a0ff7d7f1c375c7dbf3dacaad3ab5084a6013652d7eb7004c5d0bfff16f86f2f80a6f601da41615ef1b10ee061abcef021c076c5b95ad445d810

Download Submit
\??\Volume{5acfaf36-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a6ece696-8c53-44c1-bd20-4d7e622b64e4}_OnDiskSnapshotProp
Filesize
5KB

MD5
9fb5f9e471be2c540ef4ae28cb53f6d1

SHA1
c4ec6078b07a78747405466da64457cd7aca904e

SHA256
0a16b242475e713c7f56521ae260c04c212af1b5c49da8b14645ce7f071c4c06

SHA512
48b12744ca08cbd3adfed4ede1cd533a25b1832e0a33fd7ab09d4520a8d3c7dfc696aa1ee449ac8a6812f5344dec98869b104d836dabc94a868f59cd2015dc4a

Download Submit
memory/1308-136-0x0000000000000000-mapping.dmp

Download
memory/2256-135-0x0000000000000000-mapping.dmp

Download
memory/3532-138-0x0000000000000000-mapping.dmp

Download
memory/5076-130-0x0000000000000000-mapping.dmp

Download