matanbuchus | 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da

Analysis

max time kernel
137s
max time network
89s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-06-2022 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da.msi
Size

224KB
MD5

4d5da2273e2d7cce6ac37027afd286af
SHA1

85a659971ad5aea58ff20a078532e688f7e1659b
SHA256

5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da
SHA512

8bfea7fa9de79312239c1b4f042e3955d31a12483dd7770f71f145fc8abd3deba35257386f1d3048b3203945017494317e237ad887039cf4b5547103eb2e03c1

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1216	msiexec.exe
4	1216	msiexec.exe
5	944	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
1596	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6c64ad.msi	msiexec.exe
File created	C:\Windows\Installer\6c64ae.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6989.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\6c64ad.msi	msiexec.exe
File created	C:\Windows\Installer\6c64b0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c64ae.ipi	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
944	msiexec.exe
944	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1216	msiexec.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeSecurityPrivilege	944	msiexec.exe
Token: SeCreateTokenPrivilege	1216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1216	msiexec.exe
Token: SeLockMemoryPrivilege	1216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1216	msiexec.exe
Token: SeMachineAccountPrivilege	1216	msiexec.exe
Token: SeTcbPrivilege	1216	msiexec.exe
Token: SeSecurityPrivilege	1216	msiexec.exe
Token: SeTakeOwnershipPrivilege	1216	msiexec.exe
Token: SeLoadDriverPrivilege	1216	msiexec.exe
Token: SeSystemProfilePrivilege	1216	msiexec.exe
Token: SeSystemtimePrivilege	1216	msiexec.exe
Token: SeProfSingleProcessPrivilege	1216	msiexec.exe
Token: SeIncBasePriorityPrivilege	1216	msiexec.exe
Token: SeCreatePagefilePrivilege	1216	msiexec.exe
Token: SeCreatePermanentPrivilege	1216	msiexec.exe
Token: SeBackupPrivilege	1216	msiexec.exe
Token: SeRestorePrivilege	1216	msiexec.exe
Token: SeShutdownPrivilege	1216	msiexec.exe
Token: SeDebugPrivilege	1216	msiexec.exe
Token: SeAuditPrivilege	1216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1216	msiexec.exe
Token: SeChangeNotifyPrivilege	1216	msiexec.exe
Token: SeRemoteShutdownPrivilege	1216	msiexec.exe
Token: SeUndockPrivilege	1216	msiexec.exe
Token: SeSyncAgentPrivilege	1216	msiexec.exe
Token: SeEnableDelegationPrivilege	1216	msiexec.exe
Token: SeManageVolumePrivilege	1216	msiexec.exe
Token: SeImpersonatePrivilege	1216	msiexec.exe
Token: SeCreateGlobalPrivilege	1216	msiexec.exe
Token: SeBackupPrivilege	1048	vssvc.exe
Token: SeRestorePrivilege	1048	vssvc.exe
Token: SeAuditPrivilege	1048	vssvc.exe
Token: SeBackupPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeLoadDriverPrivilege	812	DrvInst.exe
Token: SeLoadDriverPrivilege	812	DrvInst.exe
Token: SeLoadDriverPrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	944	msiexec.exe
Token: SeTakeOwnershipPrivilege	944	msiexec.exe
Token: SeRestorePrivilege	944	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1216	msiexec.exe
1216	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1720	944	msiexec.exe	32
PID 944 wrote to memory of 1720	944	msiexec.exe	32
PID 944 wrote to memory of 1720	944	msiexec.exe	32
PID 944 wrote to memory of 1720	944	msiexec.exe	32
PID 944 wrote to memory of 1720	944	msiexec.exe	32
PID 944 wrote to memory of 1072	944	msiexec.exe	33
PID 944 wrote to memory of 1072	944	msiexec.exe	33
PID 944 wrote to memory of 1072	944	msiexec.exe	33
PID 1720 wrote to memory of 1596	1720	regsvr32.exe	34
PID 1720 wrote to memory of 1596	1720	regsvr32.exe	34
PID 1720 wrote to memory of 1596	1720	regsvr32.exe	34
PID 1720 wrote to memory of 1596	1720	regsvr32.exe	34
PID 1720 wrote to memory of 1596	1720	regsvr32.exe	34
PID 1720 wrote to memory of 1596	1720	regsvr32.exe	34
PID 1720 wrote to memory of 1596	1720	regsvr32.exe	34

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1216

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\regsvr32.exe
    -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    3⤵
    - Loads dropped DLL
    PID:1596
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  2⤵
  PID:1072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000554" "0000000000000068"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
087a47600d82cfd9881d5ac5eadeb1ba

SHA1
d763c1dc3bfa366ce505f9d4d8c62f6f81c4381f

SHA256
fced39cff3dcffe3dfd139260330637e0c4cb039c6d9c60011eb869389fc5dd1

SHA512
cd8cb063ec8d5def86cf3ed544c36adcad2e1209e4549fc41b1427caad6d8476352d9dd630a05b917d336fe5a8cb8824f4272bf1188e9a3a0b2950263a393450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
9095fd7dcf536e2d4eeb6d53684f19d3

SHA1
2c6817aa5f84780fcfd902f0602502c7565e7534

SHA256
fe7f2fa20086ed5c889cfa23330730d379c7ca68fa7682a1c9135497b5ba9d84

SHA512
9518f6627741ebe69383ca295d777ba34b1aa8287d81901b5c59427fa2959ef6708103007961c8f3f1815bc4ec2f2674db0965732b4cdba2cfd26c7ece7070b9

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
1c5a0d343167085442299c29f3d88056

SHA1
3815625d50b7c9290c4bf424e356c332e6dd295b

SHA256
8833f28dc0cadd4b3c5676981b2a76e1c0683f2e2b8e3dac8270622c12e032ef

SHA512
1fccb5cdddc5e0ea6eaaa55e491264a92eb60ccc66f462398854a0e389b0a0896753e3505d17a78f86b476576b999f25835853633e6d94ca40b17e0899dbf3f9

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

Filesize
68B

MD5
0308aa2c8dab8a69de41f5d16679bb9b

SHA1
c6827bf44a433ff086e787653361859d6f6e2fb3

SHA256
0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

SHA512
1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

Download Submit
\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
1c5a0d343167085442299c29f3d88056

SHA1
3815625d50b7c9290c4bf424e356c332e6dd295b

SHA256
8833f28dc0cadd4b3c5676981b2a76e1c0683f2e2b8e3dac8270622c12e032ef

SHA512
1fccb5cdddc5e0ea6eaaa55e491264a92eb60ccc66f462398854a0e389b0a0896753e3505d17a78f86b476576b999f25835853633e6d94ca40b17e0899dbf3f9

Download Submit
memory/1216-54-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

Filesize
8KB

Download
memory/1596-66-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download