Analysis
- max time kernel: 138s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 18:20

Static task: static1
Behavioral task: behavioral1
- Sample: SCAN-068589.pdf.msi
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: SCAN-068589.pdf.msi
- Resource: win10v2004-20220414-en
General
- Target: SCAN-068589.pdf.msi (a Windows Installer package given a double extension so that the name reads as a PDF; it is run with msiexec /I, not opened as a document)
- Size: 224KB
- MD5: c0ee31bc6536ae8cb7e5d8809676920a
- SHA1: b21482d1072e5cb65488f2c181f38c75d8c80dcd
- SHA256: 2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4
- SHA512: 66ed8f4762f3cb7b4026c9d7eeaec2ee4e8275495d527f99fd163d0a72f436ef2e2fdad88f7dcad87e3dd10c7afffe7b2f0f6c3412de68c16e96f9377cb4fe1d
Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.

Blocklisted process makes network request (3 IoCs)
Processes: msiexec.exe
  flow 5  pid 4588  msiexec.exe
  flow 6  pid 4588  msiexec.exe
  flow 8  pid 4588  msiexec.exe

Loads dropped DLL (1 IoC)
Processes: regsvr32.exe
  pid 3532  regsvr32.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. Drive enumeration by msiexec.exe is normal Windows Installer behaviour while it costs an installation, so this signature is not specific to the loader.
Processes: msiexec.exe, msiexec.exe
  File opened (read-only) by msiexec.exe, each root twice (24 roots x 2 = 48 IoCs; every letter except C: and D:):
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:

Drops file in Windows directory (8 IoCs)
These are the Windows Installer service's own cache and progress files; the GUID in the SourceHash file name is the package's product code.
Processes: msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File opened for modification  C:\Windows\Installer\
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi
  File created                  C:\Windows\Installer\SourceHash{CC038BA5-7236-4713-8948-DFF082243638}
  File opened for modification  C:\Windows\Installer\MSI29B0.tmp
  File created                  C:\Windows\Installer\e5727ed.msi
  File created                  C:\Windows\Installer\e5727eb.msi
  File opened for modification  C:\Windows\Installer\e5727eb.msi

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run every access comes from vssvc.exe (the Volume Shadow Copy service), which is started when the installer's srtasks.exe creates a restore point; treat these reads as an installer side effect rather than as the loader's own anti-sandbox check.
Processes: vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000036afcf5ac1e326070000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000036afcf5a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090036afcf5a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000036afcf5a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

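How a check of this kind is actually carried out, as an added example that is not part of this report: the script below parses Enum\SCSI device-ID key names of the form the report shows (Disk&Ven_DADY&Prod_HARDDISK) and flags vendor/product strings that betray a hypervisor. The marker list and the three constructed VirtualBox/VMware/QEMU keys are assumptions; enumerate_scsi_devices reads the live key only on Windows, so a sandbox operator can run it inside the guest to see exactly what a loader would see.

```python
r"""Parse Enum\SCSI device-instance key names and flag hypervisor vendor strings.

Added example, not part of the sandbox report.  The key-name grammar
<type>&Ven_<vendor>&Prod_<product>[&Rev_<rev>] is the one Windows uses for
SCSI device IDs; the marker list is an assumption about the substrings a
loader's anti-sandbox check would typically search for.
"""
import re
import sys

SCSI_ID = re.compile(
    r"(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"(?:&Rev_(?P<rev>[^&\\]*))?",
    re.IGNORECASE,
)
# Assumed list of substrings that give away a virtual disk.
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

# The key the report shows vssvc.exe reading.
REPORT_KEY = (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
              r"\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters")
# Constructed keys of the kind a stock VirtualBox / VMware / QEMU guest exposes.
CONSTRUCTED_KEYS = (
    r"HKLM\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk&Rev_2.0\5&12345678&0&000000",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&deadbeef&0&010000",
)


def parse_scsi_device_id(key_path):
    """Return {'type','vendor','product','rev'} for the device-ID segment of a
    registry path, or None when the path carries no such segment."""
    for segment in key_path.split("\\"):
        m = SCSI_ID.fullmatch(segment)
        if m:
            fields = m.groupdict()
            fields["rev"] = fields["rev"] or ""
            return fields
    return None


def vm_indicators(device):
    """Markers found in the vendor/product strings (empty list = nothing suspicious)."""
    if device is None:
        return []
    haystack = f"{device['vendor']} {device['product']}".upper().replace("_", " ")
    return [marker for marker in HYPERVISOR_MARKERS if marker in haystack]


def enumerate_scsi_devices():
    """Windows only: the device-ID subkeys under HKLM\\SYSTEM\\CurrentControlSet\\Enum\\SCSI,
    i.e. what a loader running in the guest would see.  Returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Enum\SCSI") as key:
        index = 0
        while True:
            try:
                ids.append(winreg.EnumKey(key, index))
            except OSError:          # no more subkeys
                return ids
            index += 1


def audit(keys):
    """Map each key path to the hypervisor markers its device ID exposes."""
    return {key: vm_indicators(parse_scsi_device_id(key)) for key in keys}


def audit_sample():
    return audit((REPORT_KEY,) + CONSTRUCTED_KEYS)


if __name__ == "__main__":
    for key, hits in audit_sample().items():
        print(("VM  " if hits else "ok  ") + key, hits)
```

Run inside a sandbox image, `audit(enumerate_scsi_devices())` lists the device IDs a sample can read; the DADY/HARDDISK pair in this report trips none of the markers, which is the point of giving the virtual disk a neutral vendor string.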
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: msiexec.exe
  pid 3728  msiexec.exe
  pid 3728  msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Privilege enabling of this shape is seen on every MSI installation (the client enables whatever privileges its token holds, the service toggles SeRestore/SeTakeOwnership while writing files), so by itself it is not an indicator for this loader.
Processes: msiexec.exe, msiexec.exe, vssvc.exe
  pid 4588 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 3728 msiexec.exe: SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege enabled alternately, repeated for the rest of the install
  pid 996 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid 4588  msiexec.exe
  pid 4588  msiexec.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Each write is a parent setting up a child it has just created, which is why the pairs line up exactly with the process tree; this is process creation, not injection into an unrelated process.
Processes: msiexec.exe, regsvr32.exe
  PID 3728 msiexec.exe wrote to memory of 5076 srtasks.exe   (x2)
  PID 3728 msiexec.exe wrote to memory of 2256 regsvr32.exe  (x2)
  PID 3728 msiexec.exe wrote to memory of 1308 wscript.exe   (x2)
  PID 2256 regsvr32.exe wrote to memory of 3532 regsvr32.exe (x3)

Processes

Execution chain: the user-launched client (pid 4588, msiexec /I) hands the package to the Windows Installer service process (pid 3728, msiexec /V), which runs the package's actions. It has srtasks.exe create a restore point (which in turn starts vssvc.exe), places notify.vbs and main.dll under %LOCALAPPDATA%\AdobeFontPack, runs the script with wscript.exe, and registers the DLL with regsvr32 -n -i:"Install", i.e. it calls the DLL's DllInstall export with the string "Install" and skips DllRegisterServer. The 64-bit regsvr32 then re-launches the SysWOW64 copy, which is what it does when handed a 32-bit DLL; that second instance (pid 3532) is the one that loads the dropped main.dll. Pids are taken from the signature tables above.

- C:\Windows\system32\msiexec.exe (pid 4588)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SCAN-068589.pdf.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (pid 3728, Windows Installer service)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\system32\srtasks.exe (pid 5076)
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - child: C:\Windows\system32\wscript.exe (pid 1308)
    wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  - child: C:\Windows\system32\regsvr32.exe (pid 2256)
    regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\SysWOW64\regsvr32.exe (pid 3532)
      -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      - Loads dropped DLL

- C:\Windows\system32\vssvc.exe (pid 996)
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
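Detection logic for this chain, as an added example (rules written here, not the sandbox's own signatures): the events are constructed from the process tree above in a Sysmon event 1 / EDR-style shape. The parent pids of the three top-level processes (set to 0), the full image path on the SysWOW64 regsvr32 command line, and the benign control event are assumptions.

```python
"""Detection rules for the msiexec -> wscript / regsvr32 chain in this report.

Added example, not the sandbox's own signature logic.  SAMPLE_EVENTS is
constructed from the report's process tree (pids, images and command lines as
listed there); the parent pids of the top-level processes and the benign
control event are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


# Locations a standard user can write to: where dropped payloads end up.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\", re.IGNORECASE)
# An installer hiding behind a document extension (e.g. SCAN-068589.pdf.msi).
DISGUISED_PKG = re.compile(r"\.(?:pdf|doc|docx|xls|xlsx|txt)\.msi\b", re.IGNORECASE)
# regsvr32 "-i:" / "/i:" routes to DllInstall; "-n" skips DllRegisterServer.
DLLINSTALL_FLAG = re.compile(r"(?:^|\s)[-/]i(?::|\s|$)", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS_FROM_MSI = SCRIPT_HOSTS | {"regsvr32.exe", "rundll32.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_id) findings in event order; one pid can trip several rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name == "msiexec.exe" and DISGUISED_PKG.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            findings.append((e.pid, "msi-disguised-package"))
        if name == "regsvr32.exe" and DLLINSTALL_FLAG.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            findings.append((e.pid, "regsvr32-dllinstall-user-dir"))
        if name in SCRIPT_HOSTS and USER_WRITABLE.search(e.cmdline):
            findings.append((e.pid, "script-host-user-dir"))
        if pname == "msiexec.exe" and name in LOLBINS_FROM_MSI:
            findings.append((e.pid, "msiexec-spawns-lolbin"))
    return findings


# Constructed from the report's process tree (ppid 0 = parent not shown there).
SAMPLE_EVENTS = [
    ProcEvent(4588, 0, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SCAN-068589.pdf.msi"),
    ProcEvent(3728, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(5076, 3728, r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    ProcEvent(1308, 3728, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs"),
    ProcEvent(2256, 3728, r"C:\Windows\system32\regsvr32.exe",
              r'regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll'),
    ProcEvent(3532, 2256, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'C:\Windows\SysWOW64\regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll'),
    ProcEvent(996, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    # Benign control (constructed): silent registration of a DLL from Program Files.
    ProcEvent(4100, 4000, r"C:\Windows\system32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\app.dll"'),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rule in run_sample():
        print(f"pid {pid}: {rule}")
```

The rules deliberately do not fire on srtasks.exe, vssvc.exe or the service process itself, since those appear on every MSI install; what is specific here is the document-looking package name, a script host and regsvr32 DllInstall both pointed at a freshly written user directory, and the installer service as their parent.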
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The CryptnetUrlCache entries are the OS certificate-chain retrieval cache (written by Windows crypto during signature or revocation checks), and the System Volume Information entries belong to the restore point the installer created; the loader's own dropped files are the two under AdobeFontPack.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535
  Filesize: 727B
  MD5: 7928c3688d855f9c7c83bb0533fdc463
  SHA1: d8bd219cd2b4b5d92b9f33ad8f5d4f7469f78755
  SHA256: 8b4f7f9bfba7694bba0f73951f1a50e64d3cea560b18c9bb63366abfc0d0cd0a
  SHA512: b6df399bdfa2a122dac8206b770faf9fc2af136bff614eaa43b7f134a4a0716165c87e984305471f56b07338faba078386a4efccd4df06375ada74c79303ec82

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: 4b1008f214a88512bef2e60b7734eb95
  SHA1: 3c1b32bb284853001397e03365c5e4c12ccd9a2a
  SHA256: 98e95fc1fefc3866b84dee298754a92ba82eea6c78d22f8039e09a5d9fcccb6a
  SHA512: 8b9e3ae05b7b8e1a442ec26fa2fd24f8b6e497d697064546295928e3e30b62fc120136f37df4896decda1d51f0b09be630882b70787c00722244599de67da9fe

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535
  Filesize: 434B
  MD5: 603e8214be921f05c586f02893f1dfc3
  SHA1: 3b1429356fdb4da0eca009709706337555343c7d
  SHA256: e636cc0a83336ffe8e830e00757cfe6e6018c9d8de1fc16aa20cac4ab2a0aa37
  SHA512: b93bbadec6184208fe00df6f4c54298c2406e1ef44ac1b78d4bf51a69ab60aed7a1f7a321e59678ca17e9dffb266f81f3d296d610bca8bff4612a324d2e039ea

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: dd197f2d52b6af147f77bcb670a7af10
  SHA1: c0267e83c3967b83b665d8a8de7870e16d7d2c6f
  SHA256: 11da8c8be089ed6a474dd7148a4e2fd742db1d419be4ee2f949e6620c15b693d
  SHA512: b19ffc5b51df92de61e543405d4ac37666d75277878c7812ff01926687f5d07fe8bf86840738c2c073e73a1b66b204ac5f4479c6b98055dbf3350f4454501ac9

- C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  Filesize: 401KB
  MD5: 93f85342ebefa3b658ee04dc42c0df3a
  SHA1: 844736386b67d21566b7a23bedd42c4bb0223c3d
  SHA256: 60f030597c75f9df0f7a494cb5432b600d41775cfe5cf13006c1448fa3a68d8d
  SHA512: 3cf20695b83e9b45804214a6b96337cff29da6993db8ba368380ba1e5455b679bba3646f6b27d2bac239caf4f6697fb9087d5679674065eba9d7fd514c85edb2
- C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  Filesize: 68B
  MD5: 0308aa2c8dab8a69de41f5d16679bb9b
  SHA1: c6827bf44a433ff086e787653361859d6f6e2fb3
  SHA256: 0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489
  SHA512: 1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: a5f36530475b88cd35f6cda6fb390135
  SHA1: d82c74e222071c04e9cef4b83478080ae8b00d02
  SHA256: 3e6d31f9d81ce041eea2d5de2439a2d6a2f20c585fbc0543e54b93ede913e8f5
  SHA512: 29438ff56f82a0ff7d7f1c375c7dbf3dacaad3ab5084a6013652d7eb7004c5d0bfff16f86f2f80a6f601da41615ef1b10ee061abcef021c076c5b95ad445d810

- \??\Volume{5acfaf36-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a6ece696-8c53-44c1-bd20-4d7e622b64e4}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 9fb5f9e471be2c540ef4ae28cb53f6d1
  SHA1: c4ec6078b07a78747405466da64457cd7aca904e
  SHA256: 0a16b242475e713c7f56521ae260c04c212af1b5c49da8b14645ce7f071c4c06
  SHA512: 48b12744ca08cbd3adfed4ede1cd533a25b1832e0a33fd7ab09d4520a8d3c7dfc696aa1ee449ac8a6812f5344dec98869b104d836dabc94a868f59cd2015dc4a
- memory/1308-136-0x0000000000000000-mapping.dmp
- memory/2256-135-0x0000000000000000-mapping.dmp
- memory/3532-138-0x0000000000000000-mapping.dmp
- memory/5076-130-0x0000000000000000-mapping.dmp