Overview

overview

10

Static

static

5dcbffef86...da.msi

windows7_x64

10

5dcbffef86...da.msi

windows10-2004_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    89s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-06-2022 06:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da.msi

  • Size

    224KB

  • MD5

    4d5da2273e2d7cce6ac37027afd286af

  • SHA1

    85a659971ad5aea58ff20a078532e688f7e1659b

  • SHA256

    5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da

  • SHA512

    8bfea7fa9de79312239c1b4f042e3955d31a12483dd7770f71f145fc8abd3deba35257386f1d3048b3203945017494317e237ad887039cf4b5547103eb2e03c1

Score
10/10
matanbuchusloader

Malware Config

Signatures

  • Matanbuchus

    A loader sold as MaaS first seen in February 2021.

    loadermatanbuchus
  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1216
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\regsvr32.exe
        -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        3⤵
        • Loads dropped DLL
        PID:1596
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      2⤵
        PID:1072
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1048
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000554" "0000000000000068"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:812

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      308336e7f515478969b24c13ded11ede

      SHA1

      8fb0cf42b77dbbef224a1e5fc38abc2486320775

      SHA256

      889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

      SHA512

      61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
      Filesize

      1KB

      MD5

      78f2fcaa601f2fb4ebc937ba532e7549

      SHA1

      ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

      SHA256

      552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

      SHA512

      bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      087a47600d82cfd9881d5ac5eadeb1ba

      SHA1

      d763c1dc3bfa366ce505f9d4d8c62f6f81c4381f

      SHA256

      fced39cff3dcffe3dfd139260330637e0c4cb039c6d9c60011eb869389fc5dd1

      SHA512

      cd8cb063ec8d5def86cf3ed544c36adcad2e1209e4549fc41b1427caad6d8476352d9dd630a05b917d336fe5a8cb8824f4272bf1188e9a3a0b2950263a393450

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
      Filesize

      254B

      MD5

      9095fd7dcf536e2d4eeb6d53684f19d3

      SHA1

      2c6817aa5f84780fcfd902f0602502c7565e7534

      SHA256

      fe7f2fa20086ed5c889cfa23330730d379c7ca68fa7682a1c9135497b5ba9d84

      SHA512

      9518f6627741ebe69383ca295d777ba34b1aa8287d81901b5c59427fa2959ef6708103007961c8f3f1815bc4ec2f2674db0965732b4cdba2cfd26c7ece7070b9

      Download Submit
    • C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      401KB

      MD5

      1c5a0d343167085442299c29f3d88056

      SHA1

      3815625d50b7c9290c4bf424e356c332e6dd295b

      SHA256

      8833f28dc0cadd4b3c5676981b2a76e1c0683f2e2b8e3dac8270622c12e032ef

      SHA512

      1fccb5cdddc5e0ea6eaaa55e491264a92eb60ccc66f462398854a0e389b0a0896753e3505d17a78f86b476576b999f25835853633e6d94ca40b17e0899dbf3f9

      Download Submit
    • C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      Filesize

      68B

      MD5

      0308aa2c8dab8a69de41f5d16679bb9b

      SHA1

      c6827bf44a433ff086e787653361859d6f6e2fb3

      SHA256

      0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

      SHA512

      1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

      Download Submit
    • \Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      401KB

      MD5

      1c5a0d343167085442299c29f3d88056

      SHA1

      3815625d50b7c9290c4bf424e356c332e6dd295b

      SHA256

      8833f28dc0cadd4b3c5676981b2a76e1c0683f2e2b8e3dac8270622c12e032ef

      SHA512

      1fccb5cdddc5e0ea6eaaa55e491264a92eb60ccc66f462398854a0e389b0a0896753e3505d17a78f86b476576b999f25835853633e6d94ca40b17e0899dbf3f9

      Download Submit
    • memory/1072-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1216-54-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1596-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1596-66-0x0000000075951000-0x0000000075953000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1720-60-0x0000000000000000-mapping.dmp
      Download