Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 01-07-2022 01:23
Static task: static1

Behavioral task: behavioral1
  Sample: docs_06_30_2022.xlsb
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: docs_06_30_2022.xlsb
  Resource: win10v2004-20220414-en
General

Target: docs_06_30_2022.xlsb
Size: 58KB
MD5: f391b6abfa46df66449a0446f80d4168
SHA1: ef875d0ed399227b6a549c150f2d7f881096f303
SHA256: 1fc6bed3f1f9a03513cff88ce3d523852565812a75874800add07b4a2efe870b
SHA512: 6ac260767d721f91aaa5e3e0f04e8f2270572c4db3fa7942153776d93bc12c79a69adb7a7da1eea1fff8d4ed7c9c001a3eb675035bbafb0fdaba2dd5b82ddcdd
Malware Config

Signatures

Matanbuchus
A loader sold as MaaS, first seen in February 2021.
Blocklisted process makes network request (1 IoC)
flow | pid  | Process
41   | 1868 | msiexec.exe
Loads dropped DLL (1 IoC)
pid  | Process
1832 | regsvr32.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description             | ioc    | Process
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Drops file in Windows directory (6 IoCs)
description                   | ioc                                                         | Process
File opened for modification  | C:\Windows\Installer\MSI7EC6.tmp                            | msiexec.exe
File created                  | C:\Windows\Installer\e577c56.msi                            | msiexec.exe
File opened for modification  | C:\Windows\Installer\MSI757E.tmp                            | msiexec.exe
File opened for modification  | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log    | msiexec.exe
File opened for modification  | C:\Windows\Installer\                                       | msiexec.exe
File created                  | C:\Windows\Installer\inprogressinstallinfo.ipi              | msiexec.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        | ioc                                                                                  | Process
Key opened         | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | EXCEL.EXE
Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | EXCEL.EXE
Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description        | ioc                                                         | Process
Key opened         | \REGISTRY\MACHINE\Hardware\Description\System\BIOS          | EXCEL.EXE
Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
828 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  | Process
1868 | msiexec.exe
1868 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                          | pid  | Process
Token: SeShutdownPrivilege           | 828  | EXCEL.EXE
Token: SeIncreaseQuotaPrivilege      | 828  | EXCEL.EXE
Token: SeSecurityPrivilege           | 1868 | msiexec.exe
Token: SeCreateTokenPrivilege        | 828  | EXCEL.EXE
Token: SeAssignPrimaryTokenPrivilege | 828  | EXCEL.EXE
Token: SeLockMemoryPrivilege         | 828  | EXCEL.EXE
Token: SeIncreaseQuotaPrivilege      | 828  | EXCEL.EXE
Token: SeMachineAccountPrivilege     | 828  | EXCEL.EXE
Token: SeTcbPrivilege                | 828  | EXCEL.EXE
Token: SeSecurityPrivilege           | 828  | EXCEL.EXE
Token: SeTakeOwnershipPrivilege      | 828  | EXCEL.EXE
Token: SeLoadDriverPrivilege         | 828  | EXCEL.EXE
Token: SeSystemProfilePrivilege      | 828  | EXCEL.EXE
Token: SeSystemtimePrivilege         | 828  | EXCEL.EXE
Token: SeProfSingleProcessPrivilege  | 828  | EXCEL.EXE
Token: SeIncBasePriorityPrivilege    | 828  | EXCEL.EXE
Token: SeCreatePagefilePrivilege     | 828  | EXCEL.EXE
Token: SeCreatePermanentPrivilege    | 828  | EXCEL.EXE
Token: SeBackupPrivilege             | 828  | EXCEL.EXE
Token: SeRestorePrivilege            | 828  | EXCEL.EXE
Token: SeShutdownPrivilege           | 828  | EXCEL.EXE
Token: SeDebugPrivilege              | 828  | EXCEL.EXE
Token: SeAuditPrivilege              | 828  | EXCEL.EXE
Token: SeSystemEnvironmentPrivilege  | 828  | EXCEL.EXE
Token: SeChangeNotifyPrivilege       | 828  | EXCEL.EXE
Token: SeRemoteShutdownPrivilege     | 828  | EXCEL.EXE
Token: SeUndockPrivilege             | 828  | EXCEL.EXE
Token: SeSyncAgentPrivilege          | 828  | EXCEL.EXE
Token: SeEnableDelegationPrivilege   | 828  | EXCEL.EXE
Token: SeManageVolumePrivilege       | 828  | EXCEL.EXE
Token: SeImpersonatePrivilege        | 828  | EXCEL.EXE
Token: SeCreateGlobalPrivilege       | 828  | EXCEL.EXE
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Token: SeRestorePrivilege            | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege      | 1868 | msiexec.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
828 | EXCEL.EXE
828 | EXCEL.EXE
828 | EXCEL.EXE
828 | EXCEL.EXE
828 | EXCEL.EXE
828 | EXCEL.EXE
828 | EXCEL.EXE
828 | EXCEL.EXE
828 | EXCEL.EXE
828 | EXCEL.EXE
828 | EXCEL.EXE
828 | EXCEL.EXE
Suspicious use of WriteProcessMemory (5 IoCs)
description                        | pid  | Process      | procid_target
PID 1868 wrote to memory of 4128   | 1868 | msiexec.exe  | 84
PID 1868 wrote to memory of 4128   | 1868 | msiexec.exe  | 84
PID 4128 wrote to memory of 1832   | 4128 | regsvr32.exe | 85
PID 4128 wrote to memory of 1832   | 4128 | regsvr32.exe | 85
PID 4128 wrote to memory of 1832   | 4128 | regsvr32.exe | 85
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\docs_06_30_2022.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 828

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1868

  \??\c:\windows\system32\regsvr32.exe  (child of PID 1868)
    Command line: c:\windows\system32\regsvr32.exe -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
    - Suspicious use of WriteProcessMemory
    PID: 4128

    C:\Windows\SysWOW64\regsvr32.exe  (child of PID 4128)
      Command line: -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
      - Loads dropped DLL
      PID: 1832
Network

MITRE ATT&CK Enterprise v6

Downloads
Filesize: 2.5MB
MD5: 64a2807bc1385ee99c892012ed0a62bf
SHA1: 1d21c43b582ca6ad77714c05976fe5827f028bd0
SHA256: e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567
SHA512: 78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1