Analysis
- max time kernel: 148s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-07-2022 12:37

Static task: static1
Behavioral task: behavioral1
  Sample: db.msi
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: db.msi
  Resource: win10v2004-20220414-en
General
- Target: db.msi
- Size: 992KB
- MD5: 1b43d95fd338cf086f37372314aa6b62
- SHA1: b464fe581b4411eca737a3814ad867cd3271e394
- SHA256: 3afb8aec8a275aa2e3e5f1414a5a657a1721b12d1af4d3b44763b3a4d2481051
- SHA512: 6ca5aa81954f5097fcf1c092370dd7564f611ca0d5afa3121d7903ccec8e65f022085686472d1c63410e8d2f6bdeffa5e803f8867f3055f3e773237b3c458d9b
Malware Config

Signatures
- Matanbuchus
  A loader sold as MaaS, first seen in February 2021.
- Loads dropped DLL (1 IoC)
  pid  Process
  432  regsvr32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (10 IoCs)
  description                   ioc                               Process
  File opened for modification  C:\Windows\Installer\6c7f2f.msi   msiexec.exe
  File created                  C:\Windows\Installer\6c7f30.ipi   msiexec.exe
  File created                  C:\Windows\Installer\6c7f32.msi   msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.ev3       DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log   DrvInst.exe
  File created                  C:\Windows\Installer\6c7f2f.msi   msiexec.exe
  File opened for modification  C:\Windows\Installer\6c7f30.ipi   msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.ev1       DrvInst.exe
  File opened for modification  C:\Windows\Installer\             msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI81CE.tmp  msiexec.exe
- Modifies data under HKEY_USERS (43 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1180  msiexec.exe
  1180  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1992  msiexec.exe
  1992  msiexec.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process       procid_target
  PID 1180 wrote to memory of 828    1180  msiexec.exe   31
  PID 1180 wrote to memory of 828    1180  msiexec.exe   31
  PID 1180 wrote to memory of 828    1180  msiexec.exe   31
  PID 1180 wrote to memory of 828    1180  msiexec.exe   31
  PID 1180 wrote to memory of 828    1180  msiexec.exe   31
  PID 828 wrote to memory of 432     828   regsvr32.exe  32
  PID 828 wrote to memory of 432     828   regsvr32.exe  32
  PID 828 wrote to memory of 432     828   regsvr32.exe  32
  PID 828 wrote to memory of 432     828   regsvr32.exe  32
  PID 828 wrote to memory of 432     828   regsvr32.exe  32
  PID 828 wrote to memory of 432     828   regsvr32.exe  32
  PID 828 wrote to memory of 432     828   regsvr32.exe  32
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\db.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1992
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1180
  - \??\c:\windows\system32\regsvr32.exe
    Command line: c:\windows\system32\regsvr32.exe -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
    - Suspicious use of WriteProcessMemory
    PID: 828
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
      - Loads dropped DLL
      PID: 432
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1240
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000003AC"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1036
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.5MB
  MD5: 64a2807bc1385ee99c892012ed0a62bf
  SHA1: 1d21c43b582ca6ad77714c05976fe5827f028bd0
  SHA256: e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567
  SHA512: 78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1