Overview

overview

10

Static

static

SCAN-026764.pdf.msi

windows7_x64

10

SCAN-026764.pdf.msi

windows10-2004_x64

10

Analysis

  • max time kernel
    295s
  • max time network
    303s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-06-2022 03:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SCAN-026764.pdf.msi

  • Size

    224KB

  • MD5

    d6a0e1a37a73098a9a7839b137521fe0

  • SHA1

    8f0c2d9bdbd1fca8b84cd2cc625607547036d8e6

  • SHA256

    e22ec74cd833a85882d5a8e76fa3b35daff0b7390bfbcd6b1ab270fd3741ceea

  • SHA512

    0ca3e6839950b0094d1c95647308ceab713ad23e69c73b10156ad4fef4c3f718c76ad5558260f89da84d2a2cd4b53e63a3cb9bc87d2fb47d580a36c9170b9653

Score
10/10
matanbuchusloadersuricata

Malware Config

Signatures

  • Matanbuchus

    A loader sold as MaaS first seen in February 2021.

    loadermatanbuchus
  • suricata: ET MALWARE Matanbuchus Loader CnC M1

    suricata: ET MALWARE Matanbuchus Loader CnC M1

    suricata
  • suricata: ET MALWARE Matanbuchus Loader CnC M3

    suricata: ET MALWARE Matanbuchus Loader CnC M3

    suricata
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SCAN-026764.pdf.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1048
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      2⤵
        PID:1444
      • C:\Windows\system32\regsvr32.exe
        regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1372
        • C:\Windows\SysWOW64\regsvr32.exe
          -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
          3⤵
          • Loads dropped DLL
          PID:1244
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1976
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E0" "00000000000004A0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {BDD76BE8-B564-4B21-91F9-0DFE8B095CD5} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe -n -i:"UpdateСheck" "C:\Users\Admin\AppData\Local\x86\3d02.nls"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\SysWOW64\regsvr32.exe
          -n -i:"UpdateСheck" "C:\Users\Admin\AppData\Local\x86\3d02.nls"
          3⤵
          • Loads dropped DLL
          PID:976

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      308336e7f515478969b24c13ded11ede

      SHA1

      8fb0cf42b77dbbef224a1e5fc38abc2486320775

      SHA256

      889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

      SHA512

      61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
      Filesize

      1KB

      MD5

      78f2fcaa601f2fb4ebc937ba532e7549

      SHA1

      ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

      SHA256

      552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

      SHA512

      bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7df84293d5426123e15fc11f9b2e82ec

      SHA1

      6a4a77f5652f2d8c7c6c50c6d435a0e394e3d98b

      SHA256

      c208c08fc03d9ac80f67a4fa4c2c188b023e6dd3e43fb503b6cf89c9174ba71a

      SHA512

      6924066d41c1785ea3de8cfd72d4407c914440e0cb2e1701356e994ff7dcc044e2a32c52c862a3cf649a0a0bf65ea8e43765b440f5535bb10a6aa05bba4c066f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6118d1e12d8415aa494a6136c8398697

      SHA1

      c0d9664b512727b4de0f3b30b1b99613f3a0bb98

      SHA256

      b70c5d2a085d5466fe3c4c1454db4ddc2430ffd2a9ae9152c92f0fb7b990007c

      SHA512

      accab0a34697c0c202bc39c643fd84977a536a3cee60d4dd53763aab0542ca7fbc04203877bc2c30bae3f6f38a2c402dbf77493462ac89432650f05ca21ffabf

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
      Filesize

      254B

      MD5

      db3307b8c0bc4938312eac0d2a67b3ed

      SHA1

      433289a23ef6f44e9d18a22a64d99df242781474

      SHA256

      405dc3e50e310ca70aee4c3968075f5b971bdee2f83b87ff688e6de7b5353655

      SHA512

      d9de47d8a0a3531761aeae496c509ee22f4396b0aa3ec6a45ccd8ce9ae72865fc76ef0666a12c0f7e3c93ecfa947065fdcd8a108d5ff701bf3482356abe0b99b

      Download Submit

    • C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      401KB

      MD5

      75ec49f612ed27b454a02f86f4f21c3d

      SHA1

      506d9139c7536541bb4cf59c4ad89626ef921e49

      SHA256

      4cb6877f25072af644fcf0a4d22893b5b00be691b5e21238a16073db9f1fb008

      SHA512

      743949ad1825ddeb2342d0425dfcaf748ac2cdf23b23910c372a679d1983c30a39080a67533794f716beb5aa5971b3c3dc4076375cab541abe534a567dc32141

      Download Submit

    • C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      Filesize

      68B

      MD5

      0308aa2c8dab8a69de41f5d16679bb9b

      SHA1

      c6827bf44a433ff086e787653361859d6f6e2fb3

      SHA256

      0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

      SHA512

      1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

      Download Submit

    • C:\Users\Admin\AppData\Local\x86\3d02.nls
      Filesize

      401KB

      MD5

      95159f5427c976d28c86aa716799e6de

      SHA1

      4bfbf8c48f17a7c7269dfc314e5e5bd166db857f

      SHA256

      f8cc2cf36e193774f13c9c5f23ab777496dcd7ca588f4f73b45a7a5ffa96145e

      SHA512

      04af830cecd7ec8bf5d2f637a0e52036800d171f8d74f837648bd2129f8d19385fa46ae39c4cb0fc47c03aaa32d17f8739661d8b57b0d3d74532de29fc20f629

      Download Submit

    • \Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      401KB

      MD5

      75ec49f612ed27b454a02f86f4f21c3d

      SHA1

      506d9139c7536541bb4cf59c4ad89626ef921e49

      SHA256

      4cb6877f25072af644fcf0a4d22893b5b00be691b5e21238a16073db9f1fb008

      SHA512

      743949ad1825ddeb2342d0425dfcaf748ac2cdf23b23910c372a679d1983c30a39080a67533794f716beb5aa5971b3c3dc4076375cab541abe534a567dc32141

      Download Submit

    • \Users\Admin\AppData\Local\x86\3d02.nls
      Filesize

      401KB

      MD5

      95159f5427c976d28c86aa716799e6de

      SHA1

      4bfbf8c48f17a7c7269dfc314e5e5bd166db857f

      SHA256

      f8cc2cf36e193774f13c9c5f23ab777496dcd7ca588f4f73b45a7a5ffa96145e

      SHA512

      04af830cecd7ec8bf5d2f637a0e52036800d171f8d74f837648bd2129f8d19385fa46ae39c4cb0fc47c03aaa32d17f8739661d8b57b0d3d74532de29fc20f629

      Download Submit

    • memory/1048-54-0x000007FEFC3E1000-0x000007FEFC3E3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1244-69-0x000000007EEF0000-0x000000007EF87000-memory.dmp

      Filesize

      604KB

      Download

    • memory/1244-66-0x0000000075C51000-0x0000000075C53000-memory.dmp

      Filesize

      8KB

      Download