matanbuchus | 34839e85cb8ae781654f2f9f0529114dbf21399e02bea3c9de94f6c247807e7e

Resubmissions

30-06-2022 09:32

220630-lhz2fsbhd8 10

05-05-2022 13:14

220505-qgy5zsafhk 10

Analysis

max time kernel
146s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-06-2022 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5713de.msi
Size

1.0MB
MD5

b8520a4e0945ba689030685895d6bed8
SHA1

ea8b828430149f67f45f9a71ee486bc674e21da7
SHA256

34839e85cb8ae781654f2f9f0529114dbf21399e02bea3c9de94f6c247807e7e
SHA512

f35feec25d6aa629b050c0ec3f8ac2d94887cc05eba11e7bb816aec1c60a6a5ad0f3703bd4e28a8753717b14225ea46364a518d76531e3534d6a4c4fbca2b966

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	2644	msiexec.exe
7	2644	msiexec.exe
9	2644	msiexec.exe
11	2644	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
3552	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e56e4e6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56e4e6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1AAC3542-0FCE-D181-BA94-D6EA62B9ED71}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE68C.tmp	msiexec.exe
File created	C:\Windows\Installer\e56e4e8.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e111c2ed168134740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e111c2ed0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900e111c2ed000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e111c2ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e111c2ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3676	msiexec.exe
3676	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2644	msiexec.exe
Token: SeSecurityPrivilege	3676	msiexec.exe
Token: SeCreateTokenPrivilege	2644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2644	msiexec.exe
Token: SeLockMemoryPrivilege	2644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2644	msiexec.exe
Token: SeMachineAccountPrivilege	2644	msiexec.exe
Token: SeTcbPrivilege	2644	msiexec.exe
Token: SeSecurityPrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeLoadDriverPrivilege	2644	msiexec.exe
Token: SeSystemProfilePrivilege	2644	msiexec.exe
Token: SeSystemtimePrivilege	2644	msiexec.exe
Token: SeProfSingleProcessPrivilege	2644	msiexec.exe
Token: SeIncBasePriorityPrivilege	2644	msiexec.exe
Token: SeCreatePagefilePrivilege	2644	msiexec.exe
Token: SeCreatePermanentPrivilege	2644	msiexec.exe
Token: SeBackupPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeShutdownPrivilege	2644	msiexec.exe
Token: SeDebugPrivilege	2644	msiexec.exe
Token: SeAuditPrivilege	2644	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2644	msiexec.exe
Token: SeChangeNotifyPrivilege	2644	msiexec.exe
Token: SeRemoteShutdownPrivilege	2644	msiexec.exe
Token: SeUndockPrivilege	2644	msiexec.exe
Token: SeSyncAgentPrivilege	2644	msiexec.exe
Token: SeEnableDelegationPrivilege	2644	msiexec.exe
Token: SeManageVolumePrivilege	2644	msiexec.exe
Token: SeImpersonatePrivilege	2644	msiexec.exe
Token: SeCreateGlobalPrivilege	2644	msiexec.exe
Token: SeBackupPrivilege	452	vssvc.exe
Token: SeRestorePrivilege	452	vssvc.exe
Token: SeAuditPrivilege	452	vssvc.exe
Token: SeBackupPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2644	msiexec.exe
2644	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 4512	3676	msiexec.exe	89
PID 3676 wrote to memory of 4512	3676	msiexec.exe	89
PID 3676 wrote to memory of 3552	3676	msiexec.exe	92
PID 3676 wrote to memory of 3552	3676	msiexec.exe	92
PID 3676 wrote to memory of 3552	3676	msiexec.exe	92

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5713de.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2644

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4512
- \??\c:\windows\SysWoW64\regsvr32.exe
  c:\windows\SysWoW64\regsvr32.exe -e -n -i:"TrustedPublisher" "C:\Users\Admin\AppData\Local\VisualStudioIDE\locale.nls" Office
  2⤵
  - Loads dropped DLL
  PID:3552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
727B

MD5
9c82c2178d20b3f7a9d6b4f84679f2df

SHA1
0990191b7c08c9f02fbfc06165baabfb5b52569b

SHA256
7c634c3784a1a66abc59cac26dd0fe8c36632bbf5d75fbad6be7743c1d110a54

SHA512
1b54d95212ad87ed847b8754c082ffc510046d30e72040794aeecad44ecda879a97aa8fd4fe182dfc0cfefb5e4173277d3d6ce46d7f4e761c6d66bd930555da9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_AA53F781F7F4C895625B394C44214055

Filesize
655B

MD5
4366536c40e2de1150e6f9d9ff0b76a2

SHA1
98e41e895fe41e903740977e4da3dcc6924ce755

SHA256
960d7b140f8ac1ad74632ff67bb0a3fd486035121a1aa2d30fe87f06ab6d7a2b

SHA512
e97b2cf5a9e9e4fc1d2cf58503dddea5fd4a641af8358b437e418dfc00d608f92e4bf0115b3c4a73cdbf6370041ddcead4cfdefe26f14213b348ede6d9bdb4ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
471B

MD5
5a6a354c3cf43bd3f88091127b2cab6d

SHA1
0e8896597db07f9848926a2a1feef0b805e76c59

SHA256
5ea41876cfd6228b2d5aaad60ae1059359eb15412d1bae897cfb4e55d9993909

SHA512
a9023e6e6f0ca6e6bdaac334d33333223b5a8f963b62d2c4c3ae6bbe40e2f34855e9a6e7ef18d38485c89e4cc976eca94f712439599d3650b1f60f3e729d7957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
398B

MD5
c49d438be7bf30ecc5b956de116e52c1

SHA1
59857fd2404b9220b78be4af5c833b9cc1f6fe60

SHA256
655571207fd4fea1ce4eb7998143e2d90b87bbe18516a3665063577e2d3f9fa7

SHA512
35fa16774212465f9c243283b3d77b5582ad00b49671b127a49aa8c61e263aa54f29a973ac85f30e929b442d17c0ff90c36997fc00abce5243dfd6ccd6192844

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_AA53F781F7F4C895625B394C44214055

Filesize
398B

MD5
1094766828b4167503cf66d49f47e299

SHA1
492d44f5b22cf86048d2a50c89091162d98d72f7

SHA256
531220fdbaf2a70dbf122d34984772538b15256d988e8ac6ae69fcfe047a3495

SHA512
de9cca3bdad9c1763429fc7c19d073bc56df42a66285e76292a6acd3b8f3cd5d38ee86d73d87299634ee1cf6ef119648a3a42f630973e00e6ef8e31f9770c48b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
396B

MD5
31fe032bb0d89f079b6a62dc1f2c94c3

SHA1
7a8de3745438298e8b4afa58534cb3d7fb81fdbd

SHA256
d08dd685d33b25ca7a55f8d16eecc34ff7a0e96beb0d22d0c0476d0fed20d041

SHA512
310de97b265503c4be71dd9fbadbb2e81f6072595a3737a6becc8779a98c7e5f4071afcc946d50971e589a4e4898f68b8c10a9c67f0cb69179235bc2dbba3ef7

Download Submit
C:\Users\Admin\AppData\Local\VisualStudioIDE\locale.nls

Filesize
1.5MB

MD5
d902d9b6580de0f0264e23b4000b5070

SHA1
9ca85ea9142c2135fc912bbbcb6d1db85c40f3a4

SHA256
67a9e8599ab71865a97e75dae9be438c24d015a93e6a12fb5b450ec558528290

SHA512
c971dacbfd9b9bb9e6a6f6d666576c2ff5f8854941b5b9c5057d907032cdba902fab7723bcb2b81108b2657edc964ef90d78f2a43252714350129e72b3c4416b

Download Submit
C:\Users\Admin\AppData\Local\VisualStudioIDE\locale.nls

Filesize
1.5MB

MD5
d902d9b6580de0f0264e23b4000b5070

SHA1
9ca85ea9142c2135fc912bbbcb6d1db85c40f3a4

SHA256
67a9e8599ab71865a97e75dae9be438c24d015a93e6a12fb5b450ec558528290

SHA512
c971dacbfd9b9bb9e6a6f6d666576c2ff5f8854941b5b9c5057d907032cdba902fab7723bcb2b81108b2657edc964ef90d78f2a43252714350129e72b3c4416b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
f3c55e1be2971da331fbfb52a97bcbe2

SHA1
8337365748edfb4052c95463b062d131d48839a0

SHA256
55ce3efd229ce86d38cfd1dc14983a086b51ab57ed160232c4bc58fa9fe92ca5

SHA512
54e905a2aeeb640dd11a5860bbc2cdc2d4aa148a5b50babbf22e99896756a6b67d760d8ee0c6dbfbe9012892184b520657e4a91e72a26300be5e2059c8b62e9a

Download Submit
\??\Volume{edc211e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{00a5bfdb-455f-4c7f-a1df-11a35a6a80d6}_OnDiskSnapshotProp

Filesize
5KB

MD5
395d1d9c67caa34cdb399afcd3fb5ad0

SHA1
5117808a95cc320ff42d4546d0fcaa9070726168

SHA256
73c04f4d026b62bfdfa94145a3936c6dd1c69d68a3677c9d180534e6ef16afa7

SHA512
dd271611f4d6abfcac533a2eb5b7c915ac5fd9ec8f0648776725bbc2f81ec3c67717731dc2ce6f4207bcd7649e8f824a93c3d7daeec5f79fee7332b0767a047a

Download Submit