Resubmissions

14-07-2022 12:37  220714-ptre8sbbb2  (score 10)

30-06-2022 22:59  220630-2ydfdsbhdj  (score 10)

Analysis

  • max time kernel
    206s
  • max time network
    201s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-07-2022 12:37

General

  • Target

    db.msi

  • Size

    992KB

  • MD5

    1b43d95fd338cf086f37372314aa6b62

  • SHA1

    b464fe581b4411eca737a3814ad867cd3271e394

  • SHA256

    3afb8aec8a275aa2e3e5f1414a5a657a1721b12d1af4d3b44763b3a4d2481051

  • SHA512

    6ca5aa81954f5097fcf1c092370dd7564f611ca0d5afa3121d7903ccec8e65f022085686472d1c63410e8d2f6bdeffa5e803f8867f3055f3e773237b3c458d9b

Score
10/10

Malware Config

Signatures

  • Matanbuchus

    A loader sold as malware-as-a-service (MaaS), first seen in February 2021.

  • Loads dropped DLL (1 IoC)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (8 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 8 IoCs)

    SCSI information (the disk identifiers under HKLM\HARDWARE\DEVICEMAP\Scsi) is often read in order to detect sandboxing environments, because virtual disks carry the hypervisor vendor's name.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information (HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor) is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

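The two sandbox-evasion signatures above name registry locations rather than specific values. The script below is an added example, not part of the Triage report and not the sample's own code: it reads the disk Identifier values under HKLM\HARDWARE\DEVICEMAP\Scsi and the ProcessorNameString under CentralProcessor\0 on a Windows host and flags hypervisor markers, so an analyst can see what a detonation VM exposes. The marker list, the assumption that the sample reads exactly these value names, and the Bus 0 / Target 0 / LUN 0 path walk are all assumptions; off Windows it runs against constructed sample values.

```python
"""Added example, not from the Triage report: inspect the registry locations
behind the "Checks SCSI registry key(s)" and "Checks processor information in
registry" signatures and flag values that betray a hypervisor.  The marker
list is an assumption drawn from common sandbox fingerprints; the report does
not state which strings the sample compares against."""
import sys

SCSI_ROOT = r"HARDWARE\DEVICEMAP\Scsi"
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"

# Substrings typical of virtual disks / virtual CPUs (assumed list, lower-case).
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "virtio", "xen", "kvm",
              "msft virtual", "virtual hd")


def vm_markers_in(value: str) -> list:
    """Markers present in one registry string, in VM_MARKERS order."""
    low = value.lower()
    return [m for m in VM_MARKERS if m in low]


def classify(values: dict) -> dict:
    """Map value name -> markers found, keeping only values that carry a marker."""
    return {name: hits for name, val in values.items() if (hits := vm_markers_in(val))}


def read_live_values() -> dict:
    """Read the same values from the local registry (Windows only).

    Walks every 'Scsi Port N' key and assumes Bus 0 / Target Id 0 / LUN 0 for
    the disk Identifier (assumption; other LUN layouts are skipped)."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ROOT) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            port = winreg.EnumKey(root, i)
            sub = rf"{SCSI_ROOT}\{port}\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as lun:
                    out[f"{port} Identifier"] = winreg.QueryValueEx(lun, "Identifier")[0]
            except OSError:
                continue
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as cpu:
        out["ProcessorNameString"] = winreg.QueryValueEx(cpu, "ProcessorNameString")[0]
    return out


# Constructed values standing in for a VirtualBox guest and a bare-metal workstation.
SAMPLE_VBOX = {"Scsi Port 0 Identifier": "VBOX HARDDISK",
               "ProcessorNameString": "Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz"}
SAMPLE_BARE = {"Scsi Port 0 Identifier": "Samsung SSD 970 EVO 1TB",
               "ProcessorNameString": "AMD Ryzen 7 5800X 8-Core Processor"}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE_VBOX
    hits = classify(values)
    for name, val in values.items():
        flag = "VM marker(s): " + ", ".join(hits[name]) if name in hits else "clean"
        print(f"{name:28} {val!r}: {flag}")
```

Run it inside the detonation VM and on a reference workstation; a disk Identifier such as "VBOX HARDDISK" is exactly the kind of string a loader uses to decide not to unpack, which is why hardened sandboxes rewrite these values.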
Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\db.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3764
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:1660
    • \??\c:\windows\system32\regsvr32.exe
      c:\windows\system32\regsvr32.exe -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4396
      • C:\Windows\SysWOW64\regsvr32.exe
        -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"
        3⤵
        • Loads dropped DLL
        PID:4712
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1840
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4496

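The process tree is the part of this report a detection engineer should key on. The msiexec.exe service instance (PID 5064) hands ado.lic, a file with a license extension dropped under the user's AppData, to the 64-bit regsvr32.exe with -n (skip DllRegisterServer) and -i:"Update Installation" (call the DllInstall export with that string); the 64-bit regsvr32 then re-launches its SysWOW64 copy because the payload is a 32-bit DLL, and the report's "Loads dropped DLL" fires on that child. The heuristic below is an added example, not part of the Triage report: it replays the report's command lines as constructed process-creation records and returns the reasons each regsvr32 launch is suspicious. The record layout (pid, ppid, image, cmdline) is an assumption rather than a Sysmon or EDR schema, and ppid=None marks parents the report does not show.

```python
"""Added example, not from the Triage report: a process-creation heuristic for the
msiexec -> regsvr32 -> regsvr32 (SysWOW64) chain shown in the Processes section.
EVENTS is constructed from the report's command lines; the record layout
(pid, ppid, image, cmdline) is an assumption, not a Sysmon or EDR schema, and
ppid=None marks parents the report does not record."""
import ntpath
import re

# One token per argument; quoted runs such as -i:"Update Installation" stay together.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
LIBRARY_EXTS = {".dll", ".ocx", ".ax", ".cpl"}

EVENTS = [
    {"pid": 3764, "ppid": None, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\db.msi"},
    {"pid": 5064, "ppid": None, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 1660, "ppid": 5064, "image": r"C:\Windows\system32\srtasks.exe",
     "cmdline": r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"},
    {"pid": 4396, "ppid": 5064, "image": r"\??\c:\windows\system32\regsvr32.exe",
     "cmdline": r'c:\windows\system32\regsvr32.exe -n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"'},
    {"pid": 4712, "ppid": 4396, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'-n -i:"Update Installation" "C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic"'},
    {"pid": 1840, "ppid": None, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"pid": 4496, "ppid": None, "image": r"C:\Windows\system32\taskmgr.exe",
     "cmdline": r'"C:\Windows\system32\taskmgr.exe" /7'},
]


def tokens(cmdline: str) -> list:
    """Split a Windows command line into arguments, dropping the quotes."""
    return [t.replace('"', "") for t in TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def target_of(cmdline: str):
    """Last argument that is neither a switch nor the regsvr32 image itself."""
    cands = [t for t in tokens(cmdline)
             if not t.startswith(("-", "/")) and basename(t) != "regsvr32.exe"]
    return cands[-1] if cands else None


def reasons_for(ev: dict, by_pid: dict) -> list:
    """Reasons a regsvr32 launch looks like DLL sideloading; empty for other images."""
    if basename(ev["image"]) != "regsvr32.exe":
        return []
    reasons = []
    if any(t.lower().startswith(("-i", "/i")) for t in tokens(ev["cmdline"])):
        reasons.append("DllInstall entry point requested (-i:)")
    target = target_of(ev["cmdline"])
    if target:
        ext = ntpath.splitext(target)[1].lower()
        if ext not in LIBRARY_EXTS:
            reasons.append(f"target extension {ext!r} is not a DLL/OCX")
        if "\\appdata\\" in target.lower():
            reasons.append("target lives under the user's AppData")
    parent = by_pid.get(ev["ppid"])
    if parent:
        pimg = basename(parent["image"])
        if pimg == "msiexec.exe":
            reasons.append("parent is msiexec.exe (installer launched a DLL)")
        if pimg == "regsvr32.exe" and "syswow64" in ev["image"].lower():
            reasons.append("32-bit SysWOW64 regsvr32 re-launched by 64-bit regsvr32")
    return reasons


def analyze(events: list) -> dict:
    """Map pid -> reasons for every regsvr32 event that raised at least one."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: r for e in events if (r := reasons_for(e, by_pid))}


if __name__ == "__main__":
    for pid, reasons in analyze(EVENTS).items():
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Any one of these reasons is weak on its own (regsvr32 -i is legitimate for shell extensions, and MSI custom actions do run regsvr32), so a production rule should require two or more, which both regsvr32 launches in this report satisfy.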
Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\AdobeStockClient\ado.lic

    Filesize

    2.5MB

    MD5

    64a2807bc1385ee99c892012ed0a62bf

    SHA1

    1d21c43b582ca6ad77714c05976fe5827f028bd0

    SHA256

    e66c2a09074fa94390262c8b925988e7d9a085edcc97cad79e2ccc9c0e862567

    SHA512

    78352c8643206849726ff7240d9a80faedc76f9586943dd8cdb649ff62af658a849258783fec50157b5f7118a0442ab538a475886d44a2993b2aa7be1b5b46a1

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.0MB

    MD5

    f267ab50774ca2882c0b1f6b0813769e

    SHA1

    ddc6b7972a8b05dd2fbe96a3352bfea476304e59

    SHA256

    6ebb7cbbff3f8e71842aec896e103337b52501b8c1e42fd287e0711213732d47

    SHA512

    ff0933b191e128bfc3db7ec2049bf0b927cd12b6caacd353b4ff45a18d6c5ac9cb17c93825252f9455cc3b4a5abf6599b80e5d512e102498a29fee16b7f48064

  • \??\Volume{5acfaf36-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{54cd4090-ee3b-4651-94a5-eaf0e0b22b52}_OnDiskSnapshotProp

    Filesize

    5KB

    MD5

    ba9549616f034a788698241556d745b8

    SHA1

    0d06aa0d4682b46311e0a684780caecac291fb68

    SHA256

    2e7d949d468a701f337d0c4f96e625e32cebea6e1a2b8b87089f7b5222023b76

    SHA512

    ad7ee0db7f62d244337376b34c533ff2a1206c9fb2c7ffb21dd0a42acf8e1de085e7f24fca3e05547e0c371bb0a7a22ce6d1148be0748fd31abe76af38b7a8b5

  • memory/1660-130-0x0000000000000000-mapping.dmp

  • memory/4396-131-0x0000000000000000-mapping.dmp

  • memory/4712-133-0x0000000000000000-mapping.dmp

  • memory/4712-135-0x0000000002FE0000-0x00000000031A7000-memory.dmp

    Filesize

    1.8MB

  • memory/4712-136-0x0000000002B80000-0x0000000002BFB000-memory.dmp

    Filesize

    492KB

  • memory/4712-139-0x0000000002B80000-0x0000000002BFB000-memory.dmp

    Filesize

    492KB