Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-06-2022 06:07
Static task: static1
Behavioral task: behavioral1
- Sample: 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da.msi
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da.msi
- Resource: win10v2004-20220414-en
General
- Target: 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da.msi
- Size: 224KB
- MD5: 4d5da2273e2d7cce6ac37027afd286af
- SHA1: 85a659971ad5aea58ff20a078532e688f7e1659b
- SHA256: 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da
- SHA512: 8bfea7fa9de79312239c1b4f042e3955d31a12483dd7770f71f145fc8abd3deba35257386f1d3048b3203945017494317e237ad887039cf4b5547103eb2e03c1
Malware Config
Signatures
- Matanbuchus
  A loader sold as malware-as-a-service (MaaS), first seen in February 2021.
- Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  5 | 1752 | msiexec.exe
  8 | 1752 | msiexec.exe
  10 | 1752 | msiexec.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  1276 | regsvr32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) by msiexec.exe on each of \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:; each drive is recorded twice, giving the 48 entries)
- Drops file in Windows directory (8 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{30B85843-25BF-4416-945D-A24035915922} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI150E.tmp | msiexec.exe
  File created | C:\Windows\Installer\e57136b.msi | msiexec.exe
  File created | C:\Windows\Installer\e571369.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e571369.msi | msiexec.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value; hex dump omitted] | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = [binary value; hex dump omitted] | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3824 | msiexec.exe
  3824 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges adjusted, grouped by process:
  PID 1752 msiexec.exe (31 entries): SeShutdownPrivilege (2x), SeIncreaseQuotaPrivilege (2x), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 1724 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 3824 msiexec.exe (30 entries): SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege (15x) alternating with SeTakeOwnershipPrivilege (13x)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1752 | msiexec.exe
  1752 | msiexec.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3824 wrote to memory of 968 | 3824 | msiexec.exe | 92
  PID 3824 wrote to memory of 968 | 3824 | msiexec.exe | 92
  PID 3824 wrote to memory of 456 | 3824 | msiexec.exe | 94
  PID 3824 wrote to memory of 456 | 3824 | msiexec.exe | 94
  PID 3824 wrote to memory of 2636 | 3824 | msiexec.exe | 95
  PID 3824 wrote to memory of 2636 | 3824 | msiexec.exe | 95
  PID 2636 wrote to memory of 1276 | 2636 | regsvr32.exe | 96
  PID 2636 wrote to memory of 1276 | 2636 | regsvr32.exe | 96
  PID 2636 wrote to memory of 1276 | 2636 | regsvr32.exe | 96
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da.msi
  PID: 1752
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3824
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 968
  - C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
    PID: 456
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    PID: 2636
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      PID: 1276
      - Loads dropped DLL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1724
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535
  Filesize: 727B
  MD5: 7928c3688d855f9c7c83bb0533fdc463
  SHA1: d8bd219cd2b4b5d92b9f33ad8f5d4f7469f78755
  SHA256: 8b4f7f9bfba7694bba0f73951f1a50e64d3cea560b18c9bb63366abfc0d0cd0a
  SHA512: b6df399bdfa2a122dac8206b770faf9fc2af136bff614eaa43b7f134a4a0716165c87e984305471f56b07338faba078386a4efccd4df06375ada74c79303ec82
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: dbd0ea3109b08b1c543287c52f386fa2
  SHA1: f062abf3894c0a5dddb21b19782466db11ead513
  SHA256: d32d6c2ddd4165ff710d503cd874aa96a7c45a74d08b98eb6ba6e1f8ce86bc18
  SHA512: f2a56b17c9562fe6fa4e8f91a7aca9f1c29053ea0fe26be109b6e0ba99bac756dc4e2d27b2c7c98e60008c8e4ff4c87ff063f4f4272dfb59436f56de14fb3555
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535
  Filesize: 434B
  MD5: 219561d20ab64dfdeb93e5e6229e29b4
  SHA1: 6da7f8c670468ca4bcf46870e3aa0a076eebe894
  SHA256: de87aaa67e35660a59292f7a73a8fa5a1998ded1a311800546b949a5c48f3cd7
  SHA512: 635c7945783eb55d4cd3bb278edff77be80db43e943f397c75ab16e87a30765048fb5e89aa36cf90e1471168ca37f98917783e36baad9cd9a999d8e9a6f04d38
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: ed54c691db65802f4faa072478dfacc8
  SHA1: fecf972e4eb58463b89042b598fe56f7952de0c3
  SHA256: 2f667338dcf1902b44c005d9b88d9e07054ae5e421ee3041d9d1557e7ad00cbe
  SHA512: b9f4329d34f3c1398b0072e18fd5562955fcdb8031956e9d0524870510803323e08c1df040e29771067ca4a6d7ceb4f73ea5c328093855c8d9f2d1debacc3c92
- Filesize: 401KB
  MD5: 1c5a0d343167085442299c29f3d88056
  SHA1: 3815625d50b7c9290c4bf424e356c332e6dd295b
  SHA256: 8833f28dc0cadd4b3c5676981b2a76e1c0683f2e2b8e3dac8270622c12e032ef
  SHA512: 1fccb5cdddc5e0ea6eaaa55e491264a92eb60ccc66f462398854a0e389b0a0896753e3505d17a78f86b476576b999f25835853633e6d94ca40b17e0899dbf3f9
- Filesize: 68B
  MD5: 0308aa2c8dab8a69de41f5d16679bb9b
  SHA1: c6827bf44a433ff086e787653361859d6f6e2fb3
  SHA256: 0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489
  SHA512: 1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72
- Filesize: 23.0MB
  MD5: bd2e4d8c3cbe5265cbe440daf888f2c6
  SHA1: 4aaa0f7817aac2fedabe19bb94fe350d95ddfe66
  SHA256: 357b1266aee0cdd0b68bf08c25ecdf17b459bb4567aa209e65e9df82b41f622a
  SHA512: 1b6118893923280fdcbcddaed5e7f5d27e9f1e0731cdd0b2f8e206dd8e72bb5cb0504db845d4a0459ca75b47be08f5130b3706f7e6650653bf210ff6d60651cb
- \??\Volume{edc211e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{78e0f02b-2b10-408a-8c25-d9670998485d}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 5bdd7e4c00616ae617bc278e78709b45
  SHA1: cdb1a65400cc3c92582a3e03ea3b0a8cf8a28950
  SHA256: f8cb4bb4a04974f03f943572038b7c28304fc3f8efeb560f37f5b0cab1df6c41
  SHA512: e23949221d8f09b51fa05dade5f837a4efe6ee538082ae5f59306de7d5f4c9c53bd5d56fb6d2b51c799d804345ff1a335c12d675ca50347599ec90cad9f39e73