Analysis

max time kernel: 225s
max time network: 198s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 08:57

Static task: static1

Behavioral task: behavioral1
  Sample: 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
  Resource: win7-20220718-en

Behavioral task: behavioral2
  Sample: 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
  Resource: win10v2004-20220718-en
General

Target: 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
Size: 224KB
MD5: 6892679f8a4b438c582c9954e15acd19
SHA1: 546bae92165363acd3e0aaef964cc02ec2a2e67d
SHA256: 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9
SHA512: 064ece5fe73a356d9078e13134288e144288bd9e9d8d06cdd72f3aaf4cc9d397b5443be67e2d07f78a282d875187a9679e19506ae580d84c9a44142da366f108
Malware Config
Signatures
Matanbuchus
  A loader sold as MaaS first seen in February 2021.
Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  1     3432  msiexec.exe
  3     3432  msiexec.exe
  5     3432  msiexec.exe
Loads dropped DLL (1 IoC)
  pid   Process
  4636  regsvr32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
Drops file in Windows directory (8 IoCs)
  description                   ioc                                                                     Process
  File opened for modification  C:\Windows\Installer\                                                  msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{DE752295-3E8B-4F28-BC4B-D4ABF43F1329}  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI1DE8.tmp                                       msiexec.exe
  File created                  C:\Windows\Installer\e571a50.msi                                       msiexec.exe
  File created                  C:\Windows\Installer\e571a4e.msi                                       msiexec.exe
  File opened for modification  C:\Windows\Installer\e571a4e.msi                                       msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3388  msiexec.exe
  3388  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            3432  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3432  msiexec.exe
  Token: SeSecurityPrivilege            3388  msiexec.exe
  Token: SeCreateTokenPrivilege         3432  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  3432  msiexec.exe
  Token: SeLockMemoryPrivilege          3432  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3432  msiexec.exe
  Token: SeMachineAccountPrivilege      3432  msiexec.exe
  Token: SeTcbPrivilege                 3432  msiexec.exe
  Token: SeSecurityPrivilege            3432  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3432  msiexec.exe
  Token: SeLoadDriverPrivilege          3432  msiexec.exe
  Token: SeSystemProfilePrivilege       3432  msiexec.exe
  Token: SeSystemtimePrivilege          3432  msiexec.exe
  Token: SeProfSingleProcessPrivilege   3432  msiexec.exe
  Token: SeIncBasePriorityPrivilege     3432  msiexec.exe
  Token: SeCreatePagefilePrivilege      3432  msiexec.exe
  Token: SeCreatePermanentPrivilege     3432  msiexec.exe
  Token: SeBackupPrivilege              3432  msiexec.exe
  Token: SeRestorePrivilege             3432  msiexec.exe
  Token: SeShutdownPrivilege            3432  msiexec.exe
  Token: SeDebugPrivilege               3432  msiexec.exe
  Token: SeAuditPrivilege               3432  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   3432  msiexec.exe
  Token: SeChangeNotifyPrivilege        3432  msiexec.exe
  Token: SeRemoteShutdownPrivilege      3432  msiexec.exe
  Token: SeUndockPrivilege              3432  msiexec.exe
  Token: SeSyncAgentPrivilege           3432  msiexec.exe
  Token: SeEnableDelegationPrivilege    3432  msiexec.exe
  Token: SeManageVolumePrivilege        3432  msiexec.exe
  Token: SeImpersonatePrivilege         3432  msiexec.exe
  Token: SeCreateGlobalPrivilege        3432  msiexec.exe
  Token: SeBackupPrivilege              3008  vssvc.exe
  Token: SeRestorePrivilege             3008  vssvc.exe
  Token: SeAuditPrivilege               3008  vssvc.exe
  Token: SeBackupPrivilege              3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3388  msiexec.exe
  Token: SeRestorePrivilege             3388  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  3432  msiexec.exe
  3432  msiexec.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process       procid_target
  PID 3388 wrote to memory of 1012  3388  msiexec.exe   81
  PID 3388 wrote to memory of 1012  3388  msiexec.exe   81
  PID 3388 wrote to memory of 2924  3388  msiexec.exe   83
  PID 3388 wrote to memory of 2924  3388  msiexec.exe   83
  PID 3388 wrote to memory of 3912  3388  msiexec.exe   84
  PID 3388 wrote to memory of 3912  3388  msiexec.exe   84
  PID 3912 wrote to memory of 4636  3912  regsvr32.exe  85
  PID 3912 wrote to memory of 4636  3912  regsvr32.exe  85
  PID 3912 wrote to memory of 4636  3912  regsvr32.exe  85
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
  PID: 3432
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3388
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe (child of PID 3388)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 1012

    C:\Windows\system32\wscript.exe (child of PID 3388)
      Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      PID: 2924

    C:\Windows\system32\regsvr32.exe (child of PID 3388)
      Command line: regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      PID: 3912
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\regsvr32.exe (child of PID 3912)
          Command line: -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
          PID: 4636
          - Loads dropped DLL

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3008
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads