Overview

overview

10

Static

static

docs_06_30_2022.xlsb

windows7_x64

8

docs_06_30_2022.xlsb

windows10-2004_x64

10

Resubmissions

01-07-2022 01:23

220701-br42naebfk 10

30-06-2022 20:01

220630-yrwfvaahbn 1

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 01:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    docs_06_30_2022.xlsb

  • Size

    58KB

  • MD5

    f391b6abfa46df66449a0446f80d4168

  • SHA1

    ef875d0ed399227b6a549c150f2d7f881096f303

  • SHA256

    1fc6bed3f1f9a03513cff88ce3d523852565812a75874800add07b4a2efe870b

  • SHA512

    6ac260767d721f91aaa5e3e0f04e8f2270572c4db3fa7942153776d93bc12c79a69adb7a7da1eea1fff8d4ed7c9c001a3eb675035bbafb0fdaba2dd5b82ddcdd

Score
10/10
matanbuchusloader

Malware Config

Signatures

  • Matanbuchus

    A loader sold as MaaS first seen in February 2021.

    loadermatanbuchus
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\docs_06_30_2022.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:828
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1868
    • \??\c:\windows\system32\regsvr32.exe
      c:\windows\system32\regsvr32.exe -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Windows\SysWOW64\regsvr32.exe
        -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
        3⤵
        • Loads dropped DLL
        PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic
    Filesize

    2.5MB

    MD5

    64a2807bc1385ee99c892012ed0a62bf

    SHA1

    1d21c43b582ca6ad77714c05976fe5827f028bd0

    SHA256

    e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567

    SHA512

    78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1

    Download Submit
  • C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic
    Filesize

    2.5MB

    MD5

    64a2807bc1385ee99c892012ed0a62bf

    SHA1

    1d21c43b582ca6ad77714c05976fe5827f028bd0

    SHA256

    e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567

    SHA512

    78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1

    Download Submit
  • memory/828-133-0x00007FF848730000-0x00007FF848740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/828-145-0x00007FF848730000-0x00007FF848740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/828-134-0x00007FF848730000-0x00007FF848740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/828-135-0x00007FF845FE0000-0x00007FF845FF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/828-136-0x00007FF845FE0000-0x00007FF845FF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/828-137-0x000001EB6D040000-0x000001EB6D044000-memory.dmp
    Filesize

    16KB

    Download
  • memory/828-148-0x00007FF848730000-0x00007FF848740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/828-132-0x00007FF848730000-0x00007FF848740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/828-146-0x00007FF848730000-0x00007FF848740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/828-131-0x00007FF848730000-0x00007FF848740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/828-130-0x00007FF848730000-0x00007FF848740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/828-147-0x00007FF848730000-0x00007FF848740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1832-142-0x0000000002620000-0x00000000027E7000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1832-143-0x0000000002B40000-0x0000000002BBB000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1832-140-0x0000000000000000-mapping.dmp
    Download
  • memory/4128-138-0x0000000000000000-mapping.dmp
    Download