Analysis
- max time kernel: 143s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 30-06-2022 22:59
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: db.msi, resource: win7-20220414-en)
- Behavioral task: behavioral2 (sample: db.msi, resource: win10v2004-20220414-en)
General
- Target: db.msi
- Size: 992KB
- MD5: 1b43d95fd338cf086f37372314aa6b62
- SHA1: b464fe581b4411eca737a3814ad867cd3271e394
- SHA256: 3afb8aec8a275aa2e3e5f1414a5a657a1721b12d1af4d3b44763b3a4d2481051
- SHA512: 6ca5aa81954f5097fcf1c092370dd7564f611ca0d5afa3121d7903ccec8e65f022085686472d1c63410e8d2f6bdeffa5e803f8867f3055f3e773237b3c458d9b
Malware Config
Signatures
- Matanbuchus
  A loader sold as MaaS, first seen in February 2021.
- Loads dropped DLL (1 IoC)
  Processes: regsvr32.exe (PID 1808)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe
- Drops file in Windows directory (10 IoCs)
  Processes: msiexec.exe, DrvInst.exe
  - File created: C:\Windows\Installer\6c4a4d.msi (msiexec.exe)
  - File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
  - File opened for modification: C:\Windows\Installer\6c4a4a.msi (msiexec.exe)
  - File created: C:\Windows\Installer\6c4a4b.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI4CAB.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
  - File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
  - File created: C:\Windows\Installer\6c4a4a.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\6c4a4b.ipi (msiexec.exe)
- Modifies data under HKEY_USERS (43 IoCs)
  Processes: DrvInst.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe (PID 992)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe (PIDs 528 and 992), vssvc.exe (PID 1104), DrvInst.exe (PID 1424)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe (PID 528)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: msiexec.exe, regsvr32.exe
  - PID 992 (msiexec.exe) wrote to memory of PID 1696 (regsvr32.exe): 5 events
  - PID 1696 (regsvr32.exe) wrote to memory of PID 1808 (regsvr32.exe): 7 events
Processes
- C:\Windows\system32\msiexec.exe (PID 528)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\db.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 992)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system32\regsvr32.exe (PID 1696, child of PID 992)
    Command line: c:\windows\system32\regsvr32.exe -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (PID 1808, child of PID 1696)
      Command line: -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
      - Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 1104)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 1424)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003F0" "00000000000002B0"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.5MB
  MD5: 64a2807bc1385ee99c892012ed0a62bf
  SHA1: 1d21c43b582ca6ad77714c05976fe5827f028bd0
  SHA256: e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567
  SHA512: 78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1