Analysis
- max time kernel: 137s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-06-2022 06:07

Static task: static1

Behavioral task: behavioral1
- Sample: 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
- Resource: win10v2004-20220414-en
General
- Target: 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
- Size: 224KB
- MD5: 6892679f8a4b438c582c9954e15acd19
- SHA1: 546bae92165363acd3e0aaef964cc02ec2a2e67d
- SHA256: 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9
- SHA512: 064ece5fe73a356d9078e13134288e144288bd9e9d8d06cdd72f3aaf4cc9d397b5443be67e2d07f78a282d875187a9679e19506ae580d84c9a44142da366f108
Malware Config
Signatures
- Matanbuchus
  A loader sold as MaaS, first seen in February 2021.
- Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  6     4740  msiexec.exe
  7     4740  msiexec.exe
  8     4740  msiexec.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  4916  regsvr32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
- Drops file in Windows directory (8 IoCs)
  description                   ioc                                                                    Process
  File opened for modification  C:\Windows\Installer\e570b79.msi                                       msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                  msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{DE752295-3E8B-4F28-BC4B-D4ABF43F1329}  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIDAC.tmp                                        msiexec.exe
  File created                  C:\Windows\Installer\e570b7b.msi                                       msiexec.exe
  File created                  C:\Windows\Installer\e570b79.msi                                       msiexec.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description       ioc                                                                                                                                          Process
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr                   vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                           vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                           vssvc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4200  msiexec.exe
  4200  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            4740  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4740  msiexec.exe
  Token: SeSecurityPrivilege            4200  msiexec.exe
  Token: SeCreateTokenPrivilege         4740  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  4740  msiexec.exe
  Token: SeLockMemoryPrivilege          4740  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4740  msiexec.exe
  Token: SeMachineAccountPrivilege      4740  msiexec.exe
  Token: SeTcbPrivilege                 4740  msiexec.exe
  Token: SeSecurityPrivilege            4740  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4740  msiexec.exe
  Token: SeLoadDriverPrivilege          4740  msiexec.exe
  Token: SeSystemProfilePrivilege       4740  msiexec.exe
  Token: SeSystemtimePrivilege          4740  msiexec.exe
  Token: SeProfSingleProcessPrivilege   4740  msiexec.exe
  Token: SeIncBasePriorityPrivilege     4740  msiexec.exe
  Token: SeCreatePagefilePrivilege      4740  msiexec.exe
  Token: SeCreatePermanentPrivilege     4740  msiexec.exe
  Token: SeBackupPrivilege              4740  msiexec.exe
  Token: SeRestorePrivilege             4740  msiexec.exe
  Token: SeShutdownPrivilege            4740  msiexec.exe
  Token: SeDebugPrivilege               4740  msiexec.exe
  Token: SeAuditPrivilege               4740  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   4740  msiexec.exe
  Token: SeChangeNotifyPrivilege        4740  msiexec.exe
  Token: SeRemoteShutdownPrivilege      4740  msiexec.exe
  Token: SeUndockPrivilege              4740  msiexec.exe
  Token: SeSyncAgentPrivilege           4740  msiexec.exe
  Token: SeEnableDelegationPrivilege    4740  msiexec.exe
  Token: SeManageVolumePrivilege        4740  msiexec.exe
  Token: SeImpersonatePrivilege         4740  msiexec.exe
  Token: SeCreateGlobalPrivilege        4740  msiexec.exe
  Token: SeBackupPrivilege              1540  vssvc.exe
  Token: SeRestorePrivilege             1540  vssvc.exe
  Token: SeAuditPrivilege               1540  vssvc.exe
  Token: SeBackupPrivilege              4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4200  msiexec.exe
  Token: SeRestorePrivilege             4200  msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4740  msiexec.exe
  4740  msiexec.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process       procid_target
  PID 4200 wrote to memory of 648    4200  msiexec.exe   94
  PID 4200 wrote to memory of 648    4200  msiexec.exe   94
  PID 4200 wrote to memory of 3680   4200  msiexec.exe   96
  PID 4200 wrote to memory of 3680   4200  msiexec.exe   96
  PID 4200 wrote to memory of 4780   4200  msiexec.exe   97
  PID 4200 wrote to memory of 4780   4200  msiexec.exe   97
  PID 4780 wrote to memory of 4916   4780  regsvr32.exe  98
  PID 4780 wrote to memory of 4916   4780  regsvr32.exe  98
  PID 4780 wrote to memory of 4916   4780  regsvr32.exe  98
Processes (indentation shows the parent/child tree)

- C:\Windows\system32\msiexec.exe (PID 4740)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 4200)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\srtasks.exe (PID 648)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    - C:\Windows\system32\wscript.exe (PID 3680)
      Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

    - C:\Windows\system32\regsvr32.exe (PID 4780)
      Command line: regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\regsvr32.exe (PID 4916)
          Command line: -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
          - Loads dropped DLL

- C:\Windows\system32\vssvc.exe (PID 1540)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads