Overview

overview

10

Static

static

db.msi

windows7_x64

10

db.msi

windows10-2004_x64

10

Resubmissions

14-07-2022 12:37

220714-ptre8sbbb2 10

30-06-2022 22:59

220630-2ydfdsbhdj 10

Analysis

  • max time kernel
    143s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    30-06-2022 22:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db.msi

  • Size

    992KB

  • MD5

    1b43d95fd338cf086f37372314aa6b62

  • SHA1

    b464fe581b4411eca737a3814ad867cd3271e394

  • SHA256

    3afb8aec8a275aa2e3e5f1414a5a657a1721b12d1af4d3b44763b3a4d2481051

  • SHA512

    6ca5aa81954f5097fcf1c092370dd7564f611ca0d5afa3121d7903ccec8e65f022085686472d1c63410e8d2f6bdeffa5e803f8867f3055f3e773237b3c458d9b

Score
10/10
matanbuchusloader

Malware Config

Signatures

  • Matanbuchus

    A loader sold as MaaS first seen in February 2021.

    loadermatanbuchus
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\db.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:528
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:992
    • \??\c:\windows\system32\regsvr32.exe
      c:\windows\system32\regsvr32.exe -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\regsvr32.exe
        -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
        3⤵
        • Loads dropped DLL
        PID:1808
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1104
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003F0" "00000000000002B0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1424

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic
    Filesize

    2.5MB

    MD5

    64a2807bc1385ee99c892012ed0a62bf

    SHA1

    1d21c43b582ca6ad77714c05976fe5827f028bd0

    SHA256

    e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567

    SHA512

    78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1

    Download Submit

  • \Users\Admin\AppData\Local\AdobeStockClient\ado.lic
    Filesize

    2.5MB

    MD5

    64a2807bc1385ee99c892012ed0a62bf

    SHA1

    1d21c43b582ca6ad77714c05976fe5827f028bd0

    SHA256

    e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567

    SHA512

    78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1

    Download Submit

  • memory/528-54-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1696-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1808-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1808-60-0x00000000755C1000-0x00000000755C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1808-63-0x00000000022E0000-0x000000000235B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1808-62-0x00000000022E0000-0x000000000235B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1808-64-0x0000000002110000-0x00000000022D7000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1808-65-0x00000000022E0000-0x000000000235B000-memory.dmp

    Filesize

    492KB

    Download