Analysis
- max time kernel: 146s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-06-2022 06:07

Static task: static1

Behavioral task: behavioral1
- Sample: 4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3.msi
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3.msi
- Resource: win10v2004-20220414-en

General
- Target: 4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3.msi
- Size: 224KB
- MD5: d141ec71b5b9443bc23b64c43ce9c36f
- SHA1: 2fe64fa393c29dc4f865164ee32f34626e159a26
- SHA256: 4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3
- SHA512: eb9e14af6c44b631f2c13dce7a56f4b9431443bef4195c57a50b15b963c0bdcc417521e8c9608dbc43fcdb1faeac9cea81a91c873280d13d509a9505e5f5c0f6
Malware Config
Signatures
- Matanbuchus
  A loader sold as MaaS first seen in February 2021.

- Blocklisted process makes network request (3 IoCs)
  flow | pid  | Process
  3    | 4772 | msiexec.exe
  5    | 4772 | msiexec.exe
  7    | 4772 | msiexec.exe

- Loads dropped DLL (1 IoC)
  pid  | Process
  3188 | regsvr32.exe

- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe
  Each of the following 24 root paths was opened twice (48 events in total), i.e. every drive letter except C: and D::
  \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:

- Drops file in Windows directory (8 IoCs)
  description                  | ioc                                                                   | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log              | msiexec.exe
  File opened for modification | C:\Windows\Installer\                                                 | msiexec.exe
  File created                 | C:\Windows\Installer\inprogressinstallinfo.ipi                        | msiexec.exe
  File created                 | C:\Windows\Installer\SourceHash{DE48BEB9-96B7-4A1A-BF93-6330D5ED70B9} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI1DF8.tmp                                      | msiexec.exe
  File created                 | C:\Windows\Installer\e571c15.msi                                      | msiexec.exe
  File created                 | C:\Windows\Installer\e571c13.msi                                      | msiexec.exe
  File opened for modification | C:\Windows\Installer\e571c13.msi                                      | msiexec.exe

- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description      | ioc                                                                                                                                        | Process
  Key created      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr                     | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided) | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened       | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                             | vssvc.exe
  Key queried      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                             | vssvc.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  4256 | msiexec.exe
  4256 | msiexec.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  The 64 token adjustments, in the order recorded, grouped by process:
  pid  | Process     | Token(s)
  4772 | msiexec.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  4256 | msiexec.exe | SeSecurityPrivilege
  4772 | msiexec.exe | SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  1544 | vssvc.exe   | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  4256 | msiexec.exe | SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating for 27 further entries (14 x SeRestorePrivilege, 13 x SeTakeOwnershipPrivilege), starting and ending with SeRestorePrivilege

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid  | Process
  4772 | msiexec.exe
  4772 | msiexec.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process      | procid_target
  PID 4256 wrote to memory of 2560 | 4256 | msiexec.exe  | 92
  PID 4256 wrote to memory of 2560 | 4256 | msiexec.exe  | 92
  PID 4256 wrote to memory of 8    | 4256 | msiexec.exe  | 94
  PID 4256 wrote to memory of 8    | 4256 | msiexec.exe  | 94
  PID 4256 wrote to memory of 2436 | 4256 | msiexec.exe  | 95
  PID 4256 wrote to memory of 2436 | 4256 | msiexec.exe  | 95
  PID 2436 wrote to memory of 3188 | 2436 | regsvr32.exe | 96
  PID 2436 wrote to memory of 3188 | 2436 | regsvr32.exe | 96
  PID 2436 wrote to memory of 3188 | 2436 | regsvr32.exe | 96
Processes
Process tree (child processes are indented under their parent):

- C:\Windows\system32\msiexec.exe (PID 4772)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3.msi
  signatures:
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 4256)
  command line: C:\Windows\system32\msiexec.exe /V
  signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\srtasks.exe (PID 2560)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  - C:\Windows\system32\wscript.exe (PID 8)
    command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

  - C:\Windows\system32\regsvr32.exe (PID 2436)
    command line: regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    signatures:
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\regsvr32.exe (PID 3188)
      command line: -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      signatures:
      - Loads dropped DLL

- C:\Windows\system32\vssvc.exe (PID 1544)
  command line: C:\Windows\system32\vssvc.exe
  signatures:
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535
  Filesize: 727B
  MD5: 7928c3688d855f9c7c83bb0533fdc463
  SHA1: d8bd219cd2b4b5d92b9f33ad8f5d4f7469f78755
  SHA256: 8b4f7f9bfba7694bba0f73951f1a50e64d3cea560b18c9bb63366abfc0d0cd0a
  SHA512: b6df399bdfa2a122dac8206b770faf9fc2af136bff614eaa43b7f134a4a0716165c87e984305471f56b07338faba078386a4efccd4df06375ada74c79303ec82

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: dbd0ea3109b08b1c543287c52f386fa2
  SHA1: f062abf3894c0a5dddb21b19782466db11ead513
  SHA256: d32d6c2ddd4165ff710d503cd874aa96a7c45a74d08b98eb6ba6e1f8ce86bc18
  SHA512: f2a56b17c9562fe6fa4e8f91a7aca9f1c29053ea0fe26be109b6e0ba99bac756dc4e2d27b2c7c98e60008c8e4ff4c87ff063f4f4272dfb59436f56de14fb3555

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535
  Filesize: 434B
  MD5: f474c3d8f429cd5ff4d2329bd9d6f5d1
  SHA1: 6bbcd791efb8aa87bc3890bc39ae2d45f5b09681
  SHA256: b4f375e126a9290507ca3073a10be2a2e02cc435e4e2e45333e8ecededa38781
  SHA512: f38f525927a1303180f8775ff27dd5c8d525f5eb8ef4498d88f1cabc99bd8ccf9604b47d5168145f4665c22df04ca3965811db6e92a48c40714132ed457ed3f8

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: e8acc7df93c7c2bc9c1b992a0c4ce4e7
  SHA1: 163b2b08e07e8e6ad83a06cc1646a21932c830ca
  SHA256: c464d235bd6ed2a119e8f84a7be74b7e026967d8bbce17da7668982a677194d3
  SHA512: 8c0ba888b48d6cff178728d940b9a829ec97b22ca1930e6a6e877e4857b77f6bb26d355c434279aae856b980a5df8c0fe53b32a335eec0ac2ee6c42e46c19043

- (path not recorded on the page)
  Filesize: 401KB
  MD5: 1d6287d86b1a88672f9fde5112b9236c
  SHA1: 88831895db9718ba5a4ae9b9dea837e08066d9b9
  SHA256: 4159c5a50848585ed7cbabc18000602d271c859a5cbef5db5e5db2663000acec
  SHA512: 48b1a9c4da8b2af9116e3975567b5e66a0509c05f63d75a61d425d78c49d5a44ca7fafadd884146f21df8b039ea56ef8e07501ebf9ae78629a7d37b7727d5bf0

- (path not recorded on the page)
  Filesize: 401KB
  MD5: 1d6287d86b1a88672f9fde5112b9236c
  SHA1: 88831895db9718ba5a4ae9b9dea837e08066d9b9
  SHA256: 4159c5a50848585ed7cbabc18000602d271c859a5cbef5db5e5db2663000acec
  SHA512: 48b1a9c4da8b2af9116e3975567b5e66a0509c05f63d75a61d425d78c49d5a44ca7fafadd884146f21df8b039ea56ef8e07501ebf9ae78629a7d37b7727d5bf0

- (path not recorded on the page)
  Filesize: 68B
  MD5: 0308aa2c8dab8a69de41f5d16679bb9b
  SHA1: c6827bf44a433ff086e787653361859d6f6e2fb3
  SHA256: 0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489
  SHA512: 1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

- (path not recorded on the page)
  Filesize: 23.0MB
  MD5: 217c2430ddf2ec083b9d92f95a4eba3c
  SHA1: 30032e3d602196fc3d6f68ce7672634ffa072b33
  SHA256: d21b05eb9194fb93cf670ac84648b3092541278aee958845216aaaedc90d6232
  SHA512: c7deef569591233cd5917d9df1a77316e5d17726929d80625d650d42c9c9d47a71728b2f63df766d9d69a4443930937be34d3901f99161949cbf049d808abeca

- \??\Volume{edc211e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{78fc61f5-850b-43b8-9314-a9ffff59c15c}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 8a7ab8ef8282795b84d8665348f59bd7
  SHA1: 0ed8cb163c53f51cef9ec51dba15a432b14b9a0f
  SHA256: 5632443d8b9b2895891ba8fed6a86e595aefe519f09e014579501ae102644c64
  SHA512: 7fa58b423b9447134d3df2c27518f3b3d0f18d956a50f4d0fdb508bdb0e8217af2dab7105ea68ab7f02302f0420262c19d90a664fa4f3c9b3dbedecb8974c6c7