matanbuchus | face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666

Analysis

max time kernel
58s
max time network
51s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-06-2022 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCAN-016063.pdf.msi
Size

224KB
MD5

ff82937564ff59eb6207f079cdc8e43d
SHA1

7cfe0a71c4a2508a1af80e640ec8b1b034edb604
SHA256

face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666
SHA512

4c4c2f59ef157de6570bf16daff958d9ccdafd8ba6cf3f946cabaa413c085c05242b2499552e789f0f0bc9e1cbf0b74ec6327340d29c80a694aeddf444788ee1

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1936	msiexec.exe
4	1936	msiexec.exe
6	1964	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
564	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6c936a.msi	msiexec.exe
File created	C:\Windows\Installer\6c936d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c936b.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6c936a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9847.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\6c936b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1964	msiexec.exe
1964	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeSecurityPrivilege	1964	msiexec.exe
Token: SeCreateTokenPrivilege	1936	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1936	msiexec.exe
Token: SeLockMemoryPrivilege	1936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1936	msiexec.exe
Token: SeMachineAccountPrivilege	1936	msiexec.exe
Token: SeTcbPrivilege	1936	msiexec.exe
Token: SeSecurityPrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeLoadDriverPrivilege	1936	msiexec.exe
Token: SeSystemProfilePrivilege	1936	msiexec.exe
Token: SeSystemtimePrivilege	1936	msiexec.exe
Token: SeProfSingleProcessPrivilege	1936	msiexec.exe
Token: SeIncBasePriorityPrivilege	1936	msiexec.exe
Token: SeCreatePagefilePrivilege	1936	msiexec.exe
Token: SeCreatePermanentPrivilege	1936	msiexec.exe
Token: SeBackupPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeShutdownPrivilege	1936	msiexec.exe
Token: SeDebugPrivilege	1936	msiexec.exe
Token: SeAuditPrivilege	1936	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1936	msiexec.exe
Token: SeChangeNotifyPrivilege	1936	msiexec.exe
Token: SeRemoteShutdownPrivilege	1936	msiexec.exe
Token: SeUndockPrivilege	1936	msiexec.exe
Token: SeSyncAgentPrivilege	1936	msiexec.exe
Token: SeEnableDelegationPrivilege	1936	msiexec.exe
Token: SeManageVolumePrivilege	1936	msiexec.exe
Token: SeImpersonatePrivilege	1936	msiexec.exe
Token: SeCreateGlobalPrivilege	1936	msiexec.exe
Token: SeBackupPrivilege	1100	vssvc.exe
Token: SeRestorePrivilege	1100	vssvc.exe
Token: SeAuditPrivilege	1100	vssvc.exe
Token: SeBackupPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1900	DrvInst.exe
Token: SeRestorePrivilege	1900	DrvInst.exe
Token: SeRestorePrivilege	1900	DrvInst.exe
Token: SeRestorePrivilege	1900	DrvInst.exe
Token: SeRestorePrivilege	1900	DrvInst.exe
Token: SeRestorePrivilege	1900	DrvInst.exe
Token: SeRestorePrivilege	1900	DrvInst.exe
Token: SeLoadDriverPrivilege	1900	DrvInst.exe
Token: SeLoadDriverPrivilege	1900	DrvInst.exe
Token: SeLoadDriverPrivilege	1900	DrvInst.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1936	msiexec.exe
1936	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1344	1964	msiexec.exe	31
PID 1964 wrote to memory of 1344	1964	msiexec.exe	31
PID 1964 wrote to memory of 1344	1964	msiexec.exe	31
PID 1964 wrote to memory of 748	1964	msiexec.exe	32
PID 1964 wrote to memory of 748	1964	msiexec.exe	32
PID 1964 wrote to memory of 748	1964	msiexec.exe	32
PID 1964 wrote to memory of 748	1964	msiexec.exe	32
PID 1964 wrote to memory of 748	1964	msiexec.exe	32
PID 748 wrote to memory of 564	748	regsvr32.exe	33
PID 748 wrote to memory of 564	748	regsvr32.exe	33
PID 748 wrote to memory of 564	748	regsvr32.exe	33
PID 748 wrote to memory of 564	748	regsvr32.exe	33
PID 748 wrote to memory of 564	748	regsvr32.exe	33
PID 748 wrote to memory of 564	748	regsvr32.exe	33
PID 748 wrote to memory of 564	748	regsvr32.exe	33

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SCAN-016063.pdf.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  2⤵
  PID:1344
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\regsvr32.exe
    -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    3⤵
    - Loads dropped DLL
    PID:564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000570" "00000000000004C8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
4ecb9a5051a1e0297ed7466ec33cafc9

SHA1
99b6e77d07da480e73558a95992b7fa15196dd95

SHA256
3696c67e0ab93e07245e1418d579c9ba0583520785d61276c86c3b48c1375f64

SHA512
98e6b94b1e1ac5452f3142c8426ffc2d780e3b2adf715c4a87f09a6e3d9eeaf235735ea29ee398dcd51445b12d4113af7bf5fef503938c66baaef36a9c7c49b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
61974ffc2cc61bd5b6657986795bc51d

SHA1
054ad0efe0f5c6a974ac8fea1c9848a552f6b98d

SHA256
0b2a2262d30500ee60a33c2c5df9b88ce0b43626c7cf8dc42fcd6c335589733f

SHA512
b86cb7f05e4cf644ae8cef72fb4585dbac6e2bdcee8a991fce47da925a4905e52da6bb8499400aff1c0030c55c27f27c8cbce0e847766ece902a40278820a680

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
8cb8cf84ab20159702e6803cd6ce364a

SHA1
05103f90540f3e8a9599e9f1ab6a11c791aec393

SHA256
14debc481aa0a26d3a0bdeed0e56b3ae9e301220f2606aae624d57a9d0617d6f

SHA512
9d9cb037b9c79f88fb89a9757f6c27848d7cc7c448594faf58cedb12925756206106235a2dd44142157e19e2c17535fa942156322768e62579aab55e6a6f64da

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

Filesize
68B

MD5
0308aa2c8dab8a69de41f5d16679bb9b

SHA1
c6827bf44a433ff086e787653361859d6f6e2fb3

SHA256
0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

SHA512
1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

Download Submit
\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
8cb8cf84ab20159702e6803cd6ce364a

SHA1
05103f90540f3e8a9599e9f1ab6a11c791aec393

SHA256
14debc481aa0a26d3a0bdeed0e56b3ae9e301220f2606aae624d57a9d0617d6f

SHA512
9d9cb037b9c79f88fb89a9757f6c27848d7cc7c448594faf58cedb12925756206106235a2dd44142157e19e2c17535fa942156322768e62579aab55e6a6f64da

Download Submit
memory/564-66-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1936-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download