matanbuchus | 4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3

Analysis

max time kernel
144s
max time network
112s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-06-2022 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3.msi
Size

224KB
MD5

d141ec71b5b9443bc23b64c43ce9c36f
SHA1

2fe64fa393c29dc4f865164ee32f34626e159a26
SHA256

4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3
SHA512

eb9e14af6c44b631f2c13dce7a56f4b9431443bef4195c57a50b15b963c0bdcc417521e8c9608dbc43fcdb1faeac9cea81a91c873280d13d509a9505e5f5c0f6

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	1416	msiexec.exe
4	1416	msiexec.exe
5	1416	msiexec.exe
8	2040	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
928	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\6cbe8f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cbe8f.msi	msiexec.exe
File created	C:\Windows\Installer\6cbe90.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\6cbe92.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cbe90.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIC427.tmp	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	msiexec.exe
2040	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeSecurityPrivilege	2040	msiexec.exe
Token: SeCreateTokenPrivilege	1416	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1416	msiexec.exe
Token: SeLockMemoryPrivilege	1416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1416	msiexec.exe
Token: SeMachineAccountPrivilege	1416	msiexec.exe
Token: SeTcbPrivilege	1416	msiexec.exe
Token: SeSecurityPrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeLoadDriverPrivilege	1416	msiexec.exe
Token: SeSystemProfilePrivilege	1416	msiexec.exe
Token: SeSystemtimePrivilege	1416	msiexec.exe
Token: SeProfSingleProcessPrivilege	1416	msiexec.exe
Token: SeIncBasePriorityPrivilege	1416	msiexec.exe
Token: SeCreatePagefilePrivilege	1416	msiexec.exe
Token: SeCreatePermanentPrivilege	1416	msiexec.exe
Token: SeBackupPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeShutdownPrivilege	1416	msiexec.exe
Token: SeDebugPrivilege	1416	msiexec.exe
Token: SeAuditPrivilege	1416	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1416	msiexec.exe
Token: SeChangeNotifyPrivilege	1416	msiexec.exe
Token: SeRemoteShutdownPrivilege	1416	msiexec.exe
Token: SeUndockPrivilege	1416	msiexec.exe
Token: SeSyncAgentPrivilege	1416	msiexec.exe
Token: SeEnableDelegationPrivilege	1416	msiexec.exe
Token: SeManageVolumePrivilege	1416	msiexec.exe
Token: SeImpersonatePrivilege	1416	msiexec.exe
Token: SeCreateGlobalPrivilege	1416	msiexec.exe
Token: SeBackupPrivilege	1508	vssvc.exe
Token: SeRestorePrivilege	1508	vssvc.exe
Token: SeAuditPrivilege	1508	vssvc.exe
Token: SeBackupPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	1744	DrvInst.exe
Token: SeRestorePrivilege	1744	DrvInst.exe
Token: SeRestorePrivilege	1744	DrvInst.exe
Token: SeRestorePrivilege	1744	DrvInst.exe
Token: SeRestorePrivilege	1744	DrvInst.exe
Token: SeRestorePrivilege	1744	DrvInst.exe
Token: SeRestorePrivilege	1744	DrvInst.exe
Token: SeLoadDriverPrivilege	1744	DrvInst.exe
Token: SeLoadDriverPrivilege	1744	DrvInst.exe
Token: SeLoadDriverPrivilege	1744	DrvInst.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1416	msiexec.exe
1416	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1336	2040	msiexec.exe	31
PID 2040 wrote to memory of 1336	2040	msiexec.exe	31
PID 2040 wrote to memory of 1336	2040	msiexec.exe	31
PID 2040 wrote to memory of 1336	2040	msiexec.exe	31
PID 2040 wrote to memory of 1336	2040	msiexec.exe	31
PID 2040 wrote to memory of 1260	2040	msiexec.exe	32
PID 2040 wrote to memory of 1260	2040	msiexec.exe	32
PID 2040 wrote to memory of 1260	2040	msiexec.exe	32
PID 1336 wrote to memory of 928	1336	regsvr32.exe	33
PID 1336 wrote to memory of 928	1336	regsvr32.exe	33
PID 1336 wrote to memory of 928	1336	regsvr32.exe	33
PID 1336 wrote to memory of 928	1336	regsvr32.exe	33
PID 1336 wrote to memory of 928	1336	regsvr32.exe	33
PID 1336 wrote to memory of 928	1336	regsvr32.exe	33
PID 1336 wrote to memory of 928	1336	regsvr32.exe	33

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\regsvr32.exe
    -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    3⤵
    - Loads dropped DLL
    PID:928
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  2⤵
  PID:1260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004B0" "00000000000004AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87088d3c81bed8fbac52c943cc857208

SHA1
4dadc509863aeb9b167a3f815b3f06e641983a37

SHA256
4dfbd45e251745fee4827a6021dde640d7cf963c3c84a23e5d8f996d72f13980

SHA512
6a5f48259d779a6e47e4535346896739b7a9b3a45e0a2c304bb891b11cac202f323c681119293c496753485fcde1fb861a9b461126d8d23d7e636f49369684a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
fb9148ebf38646760b9ca6c55f9e5ced

SHA1
ee492bb660b58823d4d0ee8b99faf7c2902b7048

SHA256
982e267dcaed99956f5bb4316b6852dd797744fc033fabadb5e64de59f2ec6c8

SHA512
9cadf9bb6116b4a0b5d5e01e693bd6bba4e03f45867810c90830e2c34a6334f72807ccedc2aa48700c8e65d610e8d486e8a35d37fc038f750fb9c11598c4be6c

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
1d6287d86b1a88672f9fde5112b9236c

SHA1
88831895db9718ba5a4ae9b9dea837e08066d9b9

SHA256
4159c5a50848585ed7cbabc18000602d271c859a5cbef5db5e5db2663000acec

SHA512
48b1a9c4da8b2af9116e3975567b5e66a0509c05f63d75a61d425d78c49d5a44ca7fafadd884146f21df8b039ea56ef8e07501ebf9ae78629a7d37b7727d5bf0

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

Filesize
68B

MD5
0308aa2c8dab8a69de41f5d16679bb9b

SHA1
c6827bf44a433ff086e787653361859d6f6e2fb3

SHA256
0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

SHA512
1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

Download Submit
\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
1d6287d86b1a88672f9fde5112b9236c

SHA1
88831895db9718ba5a4ae9b9dea837e08066d9b9

SHA256
4159c5a50848585ed7cbabc18000602d271c859a5cbef5db5e5db2663000acec

SHA512
48b1a9c4da8b2af9116e3975567b5e66a0509c05f63d75a61d425d78c49d5a44ca7fafadd884146f21df8b039ea56ef8e07501ebf9ae78629a7d37b7727d5bf0

Download Submit
memory/928-66-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1416-54-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download