matanbuchus | 3afb8aec8a275aa2e3e5f1414a5a657a1721b12d1af4d3b44763b3a4d2481051

General

Target

db.msi
Size

992KB
MD5

1b43d95fd338cf086f37372314aa6b62
SHA1

b464fe581b4411eca737a3814ad867cd3271e394
SHA256

3afb8aec8a275aa2e3e5f1414a5a657a1721b12d1af4d3b44763b3a4d2481051
SHA512

6ca5aa81954f5097fcf1c092370dd7564f611ca0d5afa3121d7903ccec8e65f022085686472d1c63410e8d2f6bdeffa5e803f8867f3055f3e773237b3c458d9b

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1276 regsvr32.exe

pid	process
1276	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIEA65.tmp	msiexec.exe
File created	C:\Windows\Installer\e56e8f0.msi	msiexec.exe
File created	C:\Windows\Installer\e56e8ee.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56e8ee.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A4307286-F53F-4688-AE2C-4583461679F1}	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000066bbc37791d732ea0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000066bbc3770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090066bbc377000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000066bbc37700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000066bbc37700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exe

pid process

860 msiexec.exe
860 msiexec.exe
860 msiexec.exe

pid	process
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3500	msiexec.exe
Token: SeSecurityPrivilege	860	msiexec.exe
Token: SeCreateTokenPrivilege	3500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3500	msiexec.exe
Token: SeLockMemoryPrivilege	3500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3500	msiexec.exe
Token: SeMachineAccountPrivilege	3500	msiexec.exe
Token: SeTcbPrivilege	3500	msiexec.exe
Token: SeSecurityPrivilege	3500	msiexec.exe
Token: SeTakeOwnershipPrivilege	3500	msiexec.exe
Token: SeLoadDriverPrivilege	3500	msiexec.exe
Token: SeSystemProfilePrivilege	3500	msiexec.exe
Token: SeSystemtimePrivilege	3500	msiexec.exe
Token: SeProfSingleProcessPrivilege	3500	msiexec.exe
Token: SeIncBasePriorityPrivilege	3500	msiexec.exe
Token: SeCreatePagefilePrivilege	3500	msiexec.exe
Token: SeCreatePermanentPrivilege	3500	msiexec.exe
Token: SeBackupPrivilege	3500	msiexec.exe
Token: SeRestorePrivilege	3500	msiexec.exe
Token: SeShutdownPrivilege	3500	msiexec.exe
Token: SeDebugPrivilege	3500	msiexec.exe
Token: SeAuditPrivilege	3500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3500	msiexec.exe
Token: SeChangeNotifyPrivilege	3500	msiexec.exe
Token: SeRemoteShutdownPrivilege	3500	msiexec.exe
Token: SeUndockPrivilege	3500	msiexec.exe
Token: SeSyncAgentPrivilege	3500	msiexec.exe
Token: SeEnableDelegationPrivilege	3500	msiexec.exe
Token: SeManageVolumePrivilege	3500	msiexec.exe
Token: SeImpersonatePrivilege	3500	msiexec.exe
Token: SeCreateGlobalPrivilege	3500	msiexec.exe
Token: SeBackupPrivilege	816	vssvc.exe
Token: SeRestorePrivilege	816	vssvc.exe
Token: SeAuditPrivilege	816	vssvc.exe
Token: SeBackupPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3500 msiexec.exe
3500 msiexec.exe

pid	process
3500	msiexec.exe
3500	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exeregsvr32.exe

description	pid	process	target process
PID 860 wrote to memory of 3328	860	msiexec.exe	srtasks.exe
PID 860 wrote to memory of 3328	860	msiexec.exe	srtasks.exe
PID 860 wrote to memory of 5024	860	msiexec.exe	regsvr32.exe
PID 860 wrote to memory of 5024	860	msiexec.exe	regsvr32.exe
PID 5024 wrote to memory of 1276	5024	regsvr32.exe	regsvr32.exe
PID 5024 wrote to memory of 1276	5024	regsvr32.exe	regsvr32.exe
PID 5024 wrote to memory of 1276	5024	regsvr32.exe	regsvr32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\db.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3328
- \??\c:\windows\system32\regsvr32.exe
  c:\windows\system32\regsvr32.exe -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\regsvr32.exe
    -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
    3⤵
    - Loads dropped DLL
    PID:1276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic

Filesize
2.5MB

MD5
64a2807bc1385ee99c892012ed0a62bf

SHA1
1d21c43b582ca6ad77714c05976fe5827f028bd0

SHA256
e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567

SHA512
78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1

Download Submit
C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic

Filesize
2.5MB

MD5
64a2807bc1385ee99c892012ed0a62bf

SHA1
1d21c43b582ca6ad77714c05976fe5827f028bd0

SHA256
e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567

SHA512
78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
0b58c90bd3d3283a65da38f484ac7d36

SHA1
22fff542984bf4fef37e1b5334555ec2f2888faa

SHA256
e6860550dd60deed70cec07f557187f8a238458e7715e6715207e27a8153f7fa

SHA512
c005822082b8b44ec1d6f07b1eb973200743bf127eb678eb18cb7e5619e8a61033dbea54aeb0360b9baa47ac1506462559cadc6117629a52e1f09ab4cc687164

Download Submit
\??\Volume{77c3bb66-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ee4fa9c4-b6e3-4d2a-b313-5715f9a77494}_OnDiskSnapshotProp

Filesize
5KB

MD5
0d0cfc946aa33d51cd9a4683b525f0c4

SHA1
07dbf8f2eed94795904fd91dccb6bd2a8d53a952

SHA256
81698d1128f8264f635019631867b3474257bf0acbce71f6b8dc3019a2cc2089

SHA512
a27f4e0de2625159f3170a55f8e5478dd21ead51eef03dfb6f23ff99ccae623e9a3ce5d7e420e894a452630ee355995a3905c3812f81e3a6eaec6a006bb49eb5

Download Submit
memory/1276-133-0x0000000000000000-mapping.dmp

Download
memory/1276-135-0x0000000002900000-0x0000000002AC7000-memory.dmp

Filesize
1.8MB

Download
memory/1276-136-0x0000000002AD0000-0x0000000002B4B000-memory.dmp

Filesize
492KB

Download
memory/3328-130-0x0000000000000000-mapping.dmp

Download
memory/5024-131-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads