Analysis

  • max time kernel
    135s
  • max time network
    86s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-06-2022 11:36

General

  • Target

    face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666.msi

  • Size

    224KB

  • MD5

    ff82937564ff59eb6207f079cdc8e43d

  • SHA1

    7cfe0a71c4a2508a1af80e640ec8b1b034edb604

  • SHA256

    face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666

  • SHA512

    4c4c2f59ef157de6570bf16daff958d9ccdafd8ba6cf3f946cabaa413c085c05242b2499552e789f0f0bc9e1cbf0b74ec6327340d29c80a694aeddf444788ee1

Score
10/10

Malware Config

Signatures

  • Matanbuchus

    A loader sold as MaaS first seen in February 2021.

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1684
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      2⤵
        PID:1968
      • C:\Windows\system32\regsvr32.exe
        regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Windows\SysWOW64\regsvr32.exe
          -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
          3⤵
          • Loads dropped DLL
          PID:1724
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1844
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000490" "0000000000000394"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1892

Network

MITRE ATT&CK Enterprise v6


Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      60KB

      MD5

      308336e7f515478969b24c13ded11ede

      SHA1

      8fb0cf42b77dbbef224a1e5fc38abc2486320775

      SHA256

      889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

      SHA512

      61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

      Filesize

      1KB

      MD5

      78f2fcaa601f2fb4ebc937ba532e7549

      SHA1

      ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

      SHA256

      552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

      SHA512

      bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      304B

      MD5

      fc059883703b9182ca41ea313cad2fda

      SHA1

      9e0a956d4e9f5544c1e5f6f5156dfe01546467ed

      SHA256

      9aefba37b067a89fbc5d66aef731d26fbb56e75a80f9be62d44cf79361c4ea26

      SHA512

      8ab8e6ef5d3c7e015b062c45c13d8ad1254d9a105a9786881881ea163c906a8a65c0dfc40bee4eceef87dfb42320bbe4c8cc14460c73aaa2de374af0169ddad1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

      Filesize

      254B

      MD5

      087b762a89db5950ddf5efe229eb42cf

      SHA1

      3b13e66c1453378bd389108c14713fb74824fa21

      SHA256

      b059509172760bd7d94a4e9867ae6acbc012b30734ff109d7088dcb540410d8f

      SHA512

      42cc59334b90e1bc6e7828f50bfa95d4a36cdd7aecfce0f100f39dad9bb5c120caf8e807a5ba0742a5f800eae4202702e91dfcd608852e741ea92d9bf0d1b772

    • C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll

      Filesize

      401KB

      MD5

      8cb8cf84ab20159702e6803cd6ce364a

      SHA1

      05103f90540f3e8a9599e9f1ab6a11c791aec393

      SHA256

      14debc481aa0a26d3a0bdeed0e56b3ae9e301220f2606aae624d57a9d0617d6f

      SHA512

      9d9cb037b9c79f88fb89a9757f6c27848d7cc7c448594faf58cedb12925756206106235a2dd44142157e19e2c17535fa942156322768e62579aab55e6a6f64da

    • C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

      Filesize

      68B

      MD5

      0308aa2c8dab8a69de41f5d16679bb9b

      SHA1

      c6827bf44a433ff086e787653361859d6f6e2fb3

      SHA256

      0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

      SHA512

      1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

    • \Users\Admin\AppData\Local\AdobeFontPack\main.dll

      Filesize

      401KB

      MD5

      8cb8cf84ab20159702e6803cd6ce364a

      SHA1

      05103f90540f3e8a9599e9f1ab6a11c791aec393

      SHA256

      14debc481aa0a26d3a0bdeed0e56b3ae9e301220f2606aae624d57a9d0617d6f

      SHA512

      9d9cb037b9c79f88fb89a9757f6c27848d7cc7c448594faf58cedb12925756206106235a2dd44142157e19e2c17535fa942156322768e62579aab55e6a6f64da

    • memory/1684-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

      Filesize

      8KB

    • memory/1724-66-0x0000000074F91000-0x0000000074F93000-memory.dmp

      Filesize

      8KB