Analysis
max time kernel: 138s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 30-06-2022 22:59
Static task: static1
Behavioral task: behavioral1
Sample: db.msi
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: db.msi
Resource: win10v2004-20220414-en
General
Target: db.msi
Size: 992KB
MD5: 1b43d95fd338cf086f37372314aa6b62
SHA1: b464fe581b4411eca737a3814ad867cd3271e394
SHA256: 3afb8aec8a275aa2e3e5f1414a5a657a1721b12d1af4d3b44763b3a4d2481051
SHA512: 6ca5aa81954f5097fcf1c092370dd7564f611ca0d5afa3121d7903ccec8e65f022085686472d1c63410e8d2f6bdeffa5e803f8867f3055f3e773237b3c458d9b
Malware Config
Signatures
-
Matanbuchus
A loader sold as MaaS first seen in February 2021.
Loads dropped DLL 1 IoCs
pid Process
1276 regsvr32.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
Drops file in Windows directory 8 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\MSIEA65.tmp msiexec.exe
File created C:\Windows\Installer\e56e8f0.msi msiexec.exe
File created C:\Windows\Installer\e56e8ee.msi msiexec.exe
File opened for modification C:\Windows\Installer\e56e8ee.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File created C:\Windows\Installer\SourceHash{A4307286-F53F-4688-AE2C-4583461679F1} msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache vssvc.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process
860 msiexec.exe
860 msiexec.exe
860 msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 3500 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3500 msiexec.exe
Token: SeSecurityPrivilege 860 msiexec.exe
Token: SeCreateTokenPrivilege 3500 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3500 msiexec.exe
Token: SeLockMemoryPrivilege 3500 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3500 msiexec.exe
Token: SeMachineAccountPrivilege 3500 msiexec.exe
Token: SeTcbPrivilege 3500 msiexec.exe
Token: SeSecurityPrivilege 3500 msiexec.exe
Token: SeTakeOwnershipPrivilege 3500 msiexec.exe
Token: SeLoadDriverPrivilege 3500 msiexec.exe
Token: SeSystemProfilePrivilege 3500 msiexec.exe
Token: SeSystemtimePrivilege 3500 msiexec.exe
Token: SeProfSingleProcessPrivilege 3500 msiexec.exe
Token: SeIncBasePriorityPrivilege 3500 msiexec.exe
Token: SeCreatePagefilePrivilege 3500 msiexec.exe
Token: SeCreatePermanentPrivilege 3500 msiexec.exe
Token: SeBackupPrivilege 3500 msiexec.exe
Token: SeRestorePrivilege 3500 msiexec.exe
Token: SeShutdownPrivilege 3500 msiexec.exe
Token: SeDebugPrivilege 3500 msiexec.exe
Token: SeAuditPrivilege 3500 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3500 msiexec.exe
Token: SeChangeNotifyPrivilege 3500 msiexec.exe
Token: SeRemoteShutdownPrivilege 3500 msiexec.exe
Token: SeUndockPrivilege 3500 msiexec.exe
Token: SeSyncAgentPrivilege 3500 msiexec.exe
Token: SeEnableDelegationPrivilege 3500 msiexec.exe
Token: SeManageVolumePrivilege 3500 msiexec.exe
Token: SeImpersonatePrivilege 3500 msiexec.exe
Token: SeCreateGlobalPrivilege 3500 msiexec.exe
Token: SeBackupPrivilege 816 vssvc.exe
Token: SeRestorePrivilege 816 vssvc.exe
Token: SeAuditPrivilege 816 vssvc.exe
Token: SeBackupPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Token: SeTakeOwnershipPrivilege 860 msiexec.exe
Token: SeRestorePrivilege 860 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
3500 msiexec.exe
3500 msiexec.exe
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target
PID 860 wrote to memory of 3328 860 msiexec.exe 93
PID 860 wrote to memory of 3328 860 msiexec.exe 93
PID 860 wrote to memory of 5024 860 msiexec.exe 95
PID 860 wrote to memory of 5024 860 msiexec.exe 95
PID 5024 wrote to memory of 1276 5024 regsvr32.exe 96
PID 5024 wrote to memory of 1276 5024 regsvr32.exe 96
PID 5024 wrote to memory of 1276 5024 regsvr32.exe 96
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\db.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3500
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 860
  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 3328
  \??\c:\windows\system32\regsvr32.exe
    Command line: c:\windows\system32\regsvr32.exe -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
    - Suspicious use of WriteProcessMemory
    PID: 5024
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
      - Loads dropped DLL
      PID: 1276
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 816
Network
MITRE ATT&CK Enterprise v6
Downloads