matanbuchus | 0892bb5240b7208884c2ae06c38e79150e52ff6df2659c8239762451685174ad

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-06-2022 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666.msi
Size

224KB
MD5

ff82937564ff59eb6207f079cdc8e43d
SHA1

7cfe0a71c4a2508a1af80e640ec8b1b034edb604
SHA256

face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666
SHA512

4c4c2f59ef157de6570bf16daff958d9ccdafd8ba6cf3f946cabaa413c085c05242b2499552e789f0f0bc9e1cbf0b74ec6327340d29c80a694aeddf444788ee1

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus
Blocklisted process makes network request 6 IoCs

Processes:

msiexec.exe

flow pid process

3 2076 msiexec.exe
21 2076 msiexec.exe
22 2076 msiexec.exe
24 2076 msiexec.exe
26 2076 msiexec.exe
27 2076 msiexec.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1280 regsvr32.exe

flow	pid	process
3	2076	msiexec.exe
21	2076	msiexec.exe
22	2076	msiexec.exe
24	2076	msiexec.exe
26	2076	msiexec.exe
27	2076	msiexec.exe

pid	process
1280	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D20C245F-321F-453F-8139-C938C6F031A3}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5091.tmp	msiexec.exe
File created	C:\Windows\Installer\e574f2b.msi	msiexec.exe
File created	C:\Windows\Installer\e574f29.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e574f29.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e111c2ed168134740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e111c2ed0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900e111c2ed000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e111c2ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e111c2ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2136 msiexec.exe
2136 msiexec.exe

pid	process
2136	msiexec.exe
2136	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2076	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2076	msiexec.exe
Token: SeSecurityPrivilege	2136	msiexec.exe
Token: SeCreateTokenPrivilege	2076	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2076	msiexec.exe
Token: SeLockMemoryPrivilege	2076	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2076	msiexec.exe
Token: SeMachineAccountPrivilege	2076	msiexec.exe
Token: SeTcbPrivilege	2076	msiexec.exe
Token: SeSecurityPrivilege	2076	msiexec.exe
Token: SeTakeOwnershipPrivilege	2076	msiexec.exe
Token: SeLoadDriverPrivilege	2076	msiexec.exe
Token: SeSystemProfilePrivilege	2076	msiexec.exe
Token: SeSystemtimePrivilege	2076	msiexec.exe
Token: SeProfSingleProcessPrivilege	2076	msiexec.exe
Token: SeIncBasePriorityPrivilege	2076	msiexec.exe
Token: SeCreatePagefilePrivilege	2076	msiexec.exe
Token: SeCreatePermanentPrivilege	2076	msiexec.exe
Token: SeBackupPrivilege	2076	msiexec.exe
Token: SeRestorePrivilege	2076	msiexec.exe
Token: SeShutdownPrivilege	2076	msiexec.exe
Token: SeDebugPrivilege	2076	msiexec.exe
Token: SeAuditPrivilege	2076	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2076	msiexec.exe
Token: SeChangeNotifyPrivilege	2076	msiexec.exe
Token: SeRemoteShutdownPrivilege	2076	msiexec.exe
Token: SeUndockPrivilege	2076	msiexec.exe
Token: SeSyncAgentPrivilege	2076	msiexec.exe
Token: SeEnableDelegationPrivilege	2076	msiexec.exe
Token: SeManageVolumePrivilege	2076	msiexec.exe
Token: SeImpersonatePrivilege	2076	msiexec.exe
Token: SeCreateGlobalPrivilege	2076	msiexec.exe
Token: SeBackupPrivilege	4428	vssvc.exe
Token: SeRestorePrivilege	4428	vssvc.exe
Token: SeAuditPrivilege	4428	vssvc.exe
Token: SeBackupPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2076 msiexec.exe
2076 msiexec.exe

pid	process
2076	msiexec.exe
2076	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

msiexec.exeregsvr32.exe

description	pid	process	target process
PID 2136 wrote to memory of 3360	2136	msiexec.exe	srtasks.exe
PID 2136 wrote to memory of 3360	2136	msiexec.exe	srtasks.exe
PID 2136 wrote to memory of 4408	2136	msiexec.exe	wscript.exe
PID 2136 wrote to memory of 4408	2136	msiexec.exe	wscript.exe
PID 2136 wrote to memory of 4656	2136	msiexec.exe	regsvr32.exe
PID 2136 wrote to memory of 4656	2136	msiexec.exe	regsvr32.exe
PID 4656 wrote to memory of 1280	4656	regsvr32.exe	regsvr32.exe
PID 4656 wrote to memory of 1280	4656	regsvr32.exe	regsvr32.exe
PID 4656 wrote to memory of 1280	4656	regsvr32.exe	regsvr32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2076

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3360
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  2⤵
  PID:4408
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\regsvr32.exe
    -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    3⤵
    - Loads dropped DLL
    PID:1280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535

Filesize
746B

MD5
e30c69dbc37e0c93a657ff2bc27d7871

SHA1
af366ce48de699b15af619dfa24c3e04574ce990

SHA256
142a21441244e396d2fbad220f666f8e354164e0c9d1c1ec2fe7aab4bc6a1ab5

SHA512
1d49c00078dabd6b9d75cdbe502797e5298dd2ea2514ef9db1b1a9b7ad69733583876803b7aeabb7cccce70f006e7977bce541e2ebe9fd2b46e725346453b517

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95

Filesize
737B

MD5
a1a1a3c0e1e0afd2e8c5d056f6cd06de

SHA1
7499e4b3832b57b5ee66c60249d8597892b01114

SHA256
8dddb78109ecb0a84335e709ddf53bb060bd4719a903a4651b77cc2f2dff00ca

SHA512
74e4ec5c8e05654931429e5feccc822702ef20531f0d6204059780f15a9fef359bce0d2c3acf9734766efe5fb048ad7d3bdf9908fce99d4c6dab4cee8f18889a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535

Filesize
434B

MD5
31d3ffb09db8afbe70fca02378f255cc

SHA1
55127cba86b01596e83db50befdb08503f6016e6

SHA256
7d2e439aa7350776903ac2078a312aa50e34529cd148c678a2f9fabc4ff2ce77

SHA512
b3b33c8c4d4f532bdcda5045ab10c9a4b2c8a7ba92b384d9e37fcb420a14866ef815638f9985c7bb5995d0d0217eb673db6996a2cbca9e6e99b7682f2290964b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95

Filesize
244B

MD5
55821ac0b7e6249dcbeb6738b515bfd6

SHA1
f7c1f075c3c1c29c30f2f55fe926355535c383ac

SHA256
a71cc569929019bf0be0ad68188e44a13802a2da797cf3ceb8d30987b764d40f

SHA512
ed87c373201203dc9b00f22e3e560c3effefa2953503fda2f6ada7d42631f01676beeb0633985b94f1df8c18bae868025fa3743d612bdd8e59edb59b690ba4d7

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
8cb8cf84ab20159702e6803cd6ce364a

SHA1
05103f90540f3e8a9599e9f1ab6a11c791aec393

SHA256
14debc481aa0a26d3a0bdeed0e56b3ae9e301220f2606aae624d57a9d0617d6f

SHA512
9d9cb037b9c79f88fb89a9757f6c27848d7cc7c448594faf58cedb12925756206106235a2dd44142157e19e2c17535fa942156322768e62579aab55e6a6f64da

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
8cb8cf84ab20159702e6803cd6ce364a

SHA1
05103f90540f3e8a9599e9f1ab6a11c791aec393

SHA256
14debc481aa0a26d3a0bdeed0e56b3ae9e301220f2606aae624d57a9d0617d6f

SHA512
9d9cb037b9c79f88fb89a9757f6c27848d7cc7c448594faf58cedb12925756206106235a2dd44142157e19e2c17535fa942156322768e62579aab55e6a6f64da

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

Filesize
68B

MD5
0308aa2c8dab8a69de41f5d16679bb9b

SHA1
c6827bf44a433ff086e787653361859d6f6e2fb3

SHA256
0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

SHA512
1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
c051eca6feda10d201aec7b79014a5b4

SHA1
6621e7f579f4530ba7a1f285590bce7e59566fe8

SHA256
5426ed9e7de96ebca9ec610d3864a95c3b50efb8ddebccdc767fd1a8c7f8e855

SHA512
b6534f666330512653d6b1e21f4f2b122ba58e40142f97c5f9c8d29f393b5f27faacdda457f818afb3ccabf1e31186aa814b0aefb6d1f2c08fd92ebc794053f7

Download Submit
\??\Volume{edc211e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{afc40199-7675-4fbd-82d3-c17212cc0790}_OnDiskSnapshotProp

Filesize
5KB

MD5
13ed2610d4ec4b6ad100a0933442fa39

SHA1
dab5af7f37396de5f27344dd57c3c32fdfccdf35

SHA256
eb6c81f9d58b4857805efaed69f42215a341cb6ce51b4d1e96f2b2caefa081ee

SHA512
365c6bed99560f91ac5ed2b0e737f9c7a926d3599ac31d5049b62ace4cbf953eb9c62596efcce758f1a10a550bf68bdbdc5cae2e665054d0a8459812b30eae70

Download Submit
memory/1280-139-0x0000000000000000-mapping.dmp

Download
memory/3360-130-0x0000000000000000-mapping.dmp

Download
memory/4408-135-0x0000000000000000-mapping.dmp

Download
memory/4656-136-0x0000000000000000-mapping.dmp

Download