Resubmissions

14-07-2022 12:37

220714-ptre8sbbb2 10

30-06-2022 22:59

220630-2ydfdsbhdj 10

Analysis

  • max time kernel
    138s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    30-06-2022 22:59

General

  • Target

    db.msi

  • Size

    992KB

  • MD5

    1b43d95fd338cf086f37372314aa6b62

  • SHA1

    b464fe581b4411eca737a3814ad867cd3271e394

  • SHA256

    3afb8aec8a275aa2e3e5f1414a5a657a1721b12d1af4d3b44763b3a4d2481051

  • SHA512

    6ca5aa81954f5097fcf1c092370dd7564f611ca0d5afa3121d7903ccec8e65f022085686472d1c63410e8d2f6bdeffa5e803f8867f3055f3e773237b3c458d9b

Score
10/10

Malware Config

Signatures

  • Matanbuchus

    A loader sold as MaaS first seen in February 2021.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\db.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3500
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3328
      • \??\c:\windows\system32\regsvr32.exe
        c:\windows\system32\regsvr32.exe -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5024
        • C:\Windows\SysWOW64\regsvr32.exe
          -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
          3⤵
          • Loads dropped DLL
          PID:1276
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:816

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic

      Filesize

      2.5MB

      MD5

      64a2807bc1385ee99c892012ed0a62bf

      SHA1

      1d21c43b582ca6ad77714c05976fe5827f028bd0

      SHA256

      e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567

      SHA512

      78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1

    • C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic

      Filesize

      2.5MB

      MD5

      64a2807bc1385ee99c892012ed0a62bf

      SHA1

      1d21c43b582ca6ad77714c05976fe5827f028bd0

      SHA256

      e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567

      SHA512

      78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.0MB

      MD5

      0b58c90bd3d3283a65da38f484ac7d36

      SHA1

      22fff542984bf4fef37e1b5334555ec2f2888faa

      SHA256

      e6860550dd60deed70cec07f557187f8a238458e7715e6715207e27a8153f7fa

      SHA512

      c005822082b8b44ec1d6f07b1eb973200743bf127eb678eb18cb7e5619e8a61033dbea54aeb0360b9baa47ac1506462559cadc6117629a52e1f09ab4cc687164

    • \??\Volume{77c3bb66-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ee4fa9c4-b6e3-4d2a-b313-5715f9a77494}_OnDiskSnapshotProp

      Filesize

      5KB

      MD5

      0d0cfc946aa33d51cd9a4683b525f0c4

      SHA1

      07dbf8f2eed94795904fd91dccb6bd2a8d53a952

      SHA256

      81698d1128f8264f635019631867b3474257bf0acbce71f6b8dc3019a2cc2089

      SHA512

      a27f4e0de2625159f3170a55f8e5478dd21ead51eef03dfb6f23ff99ccae623e9a3ce5d7e420e894a452630ee355995a3905c3812f81e3a6eaec6a006bb49eb5

    • memory/1276-135-0x0000000002900000-0x0000000002AC7000-memory.dmp

      Filesize

      1.8MB

    • memory/1276-136-0x0000000002AD0000-0x0000000002B4B000-memory.dmp

      Filesize

      492KB