Analysis
- max time kernel: 140s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 16:12
Static task: static1
Behavioral task: behavioral1
- Sample: SCAN-016063.pdf.msi
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: SCAN-016063.pdf.msi
- Resource: win10v2004-20220414-en
General
- Target: SCAN-016063.pdf.msi
- Size: 224KB
- MD5: ff82937564ff59eb6207f079cdc8e43d
- SHA1: 7cfe0a71c4a2508a1af80e640ec8b1b034edb604
- SHA256: face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666
- SHA512: 4c4c2f59ef157de6570bf16daff958d9ccdafd8ba6cf3f946cabaa413c085c05242b2499552e789f0f0bc9e1cbf0b74ec6327340d29c80a694aeddf444788ee1
Malware Config
Signatures
- Matanbuchus
  A loader sold as MaaS, first seen in February 2021.
- Blocklisted process makes network request (2 IoCs)
  flow pid Process
  4 4928 msiexec.exe
  5 4928 msiexec.exe
- Loads dropped DLL (1 IoC)
  pid Process
  444 regsvr32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description ioc Process
  File opened (read-only) \??\H: msiexec.exe
  File opened (read-only) \??\V: msiexec.exe
  File opened (read-only) \??\E: msiexec.exe
  File opened (read-only) \??\O: msiexec.exe
  File opened (read-only) \??\A: msiexec.exe
  File opened (read-only) \??\N: msiexec.exe
  File opened (read-only) \??\O: msiexec.exe
  File opened (read-only) \??\L: msiexec.exe
  File opened (read-only) \??\S: msiexec.exe
  File opened (read-only) \??\U: msiexec.exe
  File opened (read-only) \??\V: msiexec.exe
  File opened (read-only) \??\K: msiexec.exe
  File opened (read-only) \??\P: msiexec.exe
  File opened (read-only) \??\S: msiexec.exe
  File opened (read-only) \??\A: msiexec.exe
  File opened (read-only) \??\G: msiexec.exe
  File opened (read-only) \??\T: msiexec.exe
  File opened (read-only) \??\M: msiexec.exe
  File opened (read-only) \??\X: msiexec.exe
  File opened (read-only) \??\I: msiexec.exe
  File opened (read-only) \??\Y: msiexec.exe
  File opened (read-only) \??\B: msiexec.exe
  File opened (read-only) \??\H: msiexec.exe
  File opened (read-only) \??\J: msiexec.exe
  File opened (read-only) \??\Q: msiexec.exe
  File opened (read-only) \??\R: msiexec.exe
  File opened (read-only) \??\T: msiexec.exe
  File opened (read-only) \??\G: msiexec.exe
  File opened (read-only) \??\Q: msiexec.exe
  File opened (read-only) \??\W: msiexec.exe
  File opened (read-only) \??\Z: msiexec.exe
  File opened (read-only) \??\E: msiexec.exe
  File opened (read-only) \??\J: msiexec.exe
  File opened (read-only) \??\L: msiexec.exe
  File opened (read-only) \??\U: msiexec.exe
  File opened (read-only) \??\Z: msiexec.exe
  File opened (read-only) \??\F: msiexec.exe
  File opened (read-only) \??\I: msiexec.exe
  File opened (read-only) \??\K: msiexec.exe
  File opened (read-only) \??\F: msiexec.exe
  File opened (read-only) \??\W: msiexec.exe
  File opened (read-only) \??\Y: msiexec.exe
  File opened (read-only) \??\N: msiexec.exe
  File opened (read-only) \??\R: msiexec.exe
  File opened (read-only) \??\M: msiexec.exe
  File opened (read-only) \??\P: msiexec.exe
  File opened (read-only) \??\X: msiexec.exe
  File opened (read-only) \??\B: msiexec.exe
- Drops file in Windows directory (8 IoCs)
  description ioc Process
  File created C:\Windows\Installer\e57e85c.msi msiexec.exe
  File opened for modification C:\Windows\Installer\e57e85c.msi msiexec.exe
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
  File opened for modification C:\Windows\Installer\ msiexec.exe
  File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
  File created C:\Windows\Installer\SourceHash{D20C245F-321F-453F-8139-C938C6F031A3} msiexec.exe
  File opened for modification C:\Windows\Installer\MSIEB4A.tmp msiexec.exe
  File created C:\Windows\Installer\e57e85e.msi msiexec.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid Process
  5104 msiexec.exe
  5104 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description pid Process
  Token: SeShutdownPrivilege 4928 msiexec.exe
  Token: SeIncreaseQuotaPrivilege 4928 msiexec.exe
  Token: SeSecurityPrivilege 5104 msiexec.exe
  Token: SeCreateTokenPrivilege 4928 msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege 4928 msiexec.exe
  Token: SeLockMemoryPrivilege 4928 msiexec.exe
  Token: SeIncreaseQuotaPrivilege 4928 msiexec.exe
  Token: SeMachineAccountPrivilege 4928 msiexec.exe
  Token: SeTcbPrivilege 4928 msiexec.exe
  Token: SeSecurityPrivilege 4928 msiexec.exe
  Token: SeTakeOwnershipPrivilege 4928 msiexec.exe
  Token: SeLoadDriverPrivilege 4928 msiexec.exe
  Token: SeSystemProfilePrivilege 4928 msiexec.exe
  Token: SeSystemtimePrivilege 4928 msiexec.exe
  Token: SeProfSingleProcessPrivilege 4928 msiexec.exe
  Token: SeIncBasePriorityPrivilege 4928 msiexec.exe
  Token: SeCreatePagefilePrivilege 4928 msiexec.exe
  Token: SeCreatePermanentPrivilege 4928 msiexec.exe
  Token: SeBackupPrivilege 4928 msiexec.exe
  Token: SeRestorePrivilege 4928 msiexec.exe
  Token: SeShutdownPrivilege 4928 msiexec.exe
  Token: SeDebugPrivilege 4928 msiexec.exe
  Token: SeAuditPrivilege 4928 msiexec.exe
  Token: SeSystemEnvironmentPrivilege 4928 msiexec.exe
  Token: SeChangeNotifyPrivilege 4928 msiexec.exe
  Token: SeRemoteShutdownPrivilege 4928 msiexec.exe
  Token: SeUndockPrivilege 4928 msiexec.exe
  Token: SeSyncAgentPrivilege 4928 msiexec.exe
  Token: SeEnableDelegationPrivilege 4928 msiexec.exe
  Token: SeManageVolumePrivilege 4928 msiexec.exe
  Token: SeImpersonatePrivilege 4928 msiexec.exe
  Token: SeCreateGlobalPrivilege 4928 msiexec.exe
  Token: SeBackupPrivilege 4408 vssvc.exe
  Token: SeRestorePrivilege 4408 vssvc.exe
  Token: SeAuditPrivilege 4408 vssvc.exe
  Token: SeBackupPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
  Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
  Token: SeRestorePrivilege 5104 msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid Process
  4928 msiexec.exe
  4928 msiexec.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description pid Process procid_target
  PID 5104 wrote to memory of 3488 5104 msiexec.exe 93
  PID 5104 wrote to memory of 3488 5104 msiexec.exe 93
  PID 5104 wrote to memory of 60 5104 msiexec.exe 96
  PID 5104 wrote to memory of 60 5104 msiexec.exe 96
  PID 5104 wrote to memory of 1800 5104 msiexec.exe 95
  PID 5104 wrote to memory of 1800 5104 msiexec.exe 95
  PID 60 wrote to memory of 444 60 regsvr32.exe 97
  PID 60 wrote to memory of 444 60 regsvr32.exe 97
  PID 60 wrote to memory of 444 60 regsvr32.exe 97
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SCAN-016063.pdf.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4928
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5104
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 3488
  - C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
    PID: 1800
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    - Suspicious use of WriteProcessMemory
    PID: 60
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      - Loads dropped DLL
      PID: 444
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 4408
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535
  Filesize: 746B
  MD5: a9e636096b133d1e67a2c0fc4665870c
  SHA1: 45506f936432888eabac1836767f141f61b4ffe6
  SHA256: 51642af551c73daca4840d37864bd3445dca95ddea5b08c4dfd3b3f5d84eb50f
  SHA512: 13d3c5a935ec5a7cea6352acf688d5df84264b75b6cef9559aef5e43b65e1558be48e8ca976c62de302d5c92437680942dbd9df648f1c987d57b004359be1192
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: 7969a335596dedd7080cdbd8f337f0d8
  SHA1: 467d7c25b96191a91ae3ac7a0ddfd884fb3167de
  SHA256: dc1c64b231f04f633c9d15c9ed11757e7b82590c4495d888295c90851476998e
  SHA512: e81e85f37579b80fff455aa6bfafeaefb8247c8368e1aef297c83db8358322c5489393753ef6fe01b03e8a3dbee1a8484e1c6bf4d4c762b99bed0a13abf7e5ab
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_A7327B44A69527A27956DB1216E5F535
  Filesize: 434B
  MD5: f3ee79a7a052fe5b72d913628fe2ff9d
  SHA1: c8596ec32ce3ac084bcca7b560c1b428d43953b5
  SHA256: 045a84b25315d9346f29db59611cba538cd42f631f3beec466d0b6f3340ffcc5
  SHA512: b4f68003cca3ff0fe8be49f3a81ed6f8f67375e828db8855ce52cdb40da232fe364fa36bbbaed14d18422f3de853433624387a7051ae30aa3aade90ca4ca7072
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 442B
  MD5: b1d5a321ef67e8ecc989a7e73d784fc2
  SHA1: 41f333631d318048e4a5eb736dd847485b781217
  SHA256: 73f3ed2114436e2b74aeb915e9aac3655226f68fe48572b4729010b80d3c33d1
  SHA512: 4ecda9c433bde9b79d9a0f9f7fd05d3b0cfc3b2e5d115c5996c406c44bf1683ceb6d326270ff724260e62dbd1719003cbe60e6918ac9b13c71b67d47f7e6ebdf
- Filesize: 401KB
  MD5: 8cb8cf84ab20159702e6803cd6ce364a
  SHA1: 05103f90540f3e8a9599e9f1ab6a11c791aec393
  SHA256: 14debc481aa0a26d3a0bdeed0e56b3ae9e301220f2606aae624d57a9d0617d6f
  SHA512: 9d9cb037b9c79f88fb89a9757f6c27848d7cc7c448594faf58cedb12925756206106235a2dd44142157e19e2c17535fa942156322768e62579aab55e6a6f64da
- Filesize: 401KB
  MD5: 8cb8cf84ab20159702e6803cd6ce364a
  SHA1: 05103f90540f3e8a9599e9f1ab6a11c791aec393
  SHA256: 14debc481aa0a26d3a0bdeed0e56b3ae9e301220f2606aae624d57a9d0617d6f
  SHA512: 9d9cb037b9c79f88fb89a9757f6c27848d7cc7c448594faf58cedb12925756206106235a2dd44142157e19e2c17535fa942156322768e62579aab55e6a6f64da
- Filesize: 68B
  MD5: 0308aa2c8dab8a69de41f5d16679bb9b
  SHA1: c6827bf44a433ff086e787653361859d6f6e2fb3
  SHA256: 0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489
  SHA512: 1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72
- Filesize: 23.0MB
  MD5: fd153f0ae8d445156641c8af0923cacb
  SHA1: d0b83f01caa3a23db897fb208edc79094df108c4
  SHA256: 1e1a1ea69d0247be99fe91ec41d0158079329f9d4b87e29d5121cc683c118c94
  SHA512: 7503b2b7a87b5a21bc4f0104f3132919915d462d749f4cc79a93000226ed724c6494a5c09240187e1b661f5855f2dc376a38fff3e9d61aea1916a0f0ec23a746
- \??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{95077d8c-df5e-44d1-a037-7b010c54bbc9}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 5f5d7c8b972de84b8224c8f700816f92
  SHA1: 5a0f88f5d60701d70dd3f0e8f30c5fdc1c504167
  SHA256: a664f4aaf200a55bf0a4f35b6772536db9c183fab397bdfbb9ead3263cd48f51
  SHA512: 0d244544177e34994dd36c2c73aeaa075cd6aaaa13fb9b136288ba4ebc77e47f0ee07c8af2eedbb3d2261318adadbb547bc412ffaf82100e2da257f9f7929f67