matanbuchus | 92e5e552f3e30774359f76fd596cfe2bc62bfafcd46868756053c5e75254d597

Analysis

max time kernel
44s
max time network
98s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
26-07-2022 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c1a5b1eebdba993081e6fcf3ea415fc.msi
Size

224KB
MD5

3c1a5b1eebdba993081e6fcf3ea415fc
SHA1

5a51b3a2be04f9e75842ad6f534cf54dd03357fb
SHA256

92e5e552f3e30774359f76fd596cfe2bc62bfafcd46868756053c5e75254d597
SHA512

f60a9e44a7a416b990f4ab94b50b3a87a5675c611dbca9a0fa6edf7d802729415e8e23c8166dcab4501dcd3e14277d309414884deacb12dda4eed5a70be8b3d8

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1908	msiexec.exe
4	1908	msiexec.exe
6	2020	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
1584	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c766a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B35.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\6c7669.msi	msiexec.exe
File created	C:\Windows\Installer\6c766c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c766a.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\6c7669.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	msiexec.exe
2020	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1908	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeSecurityPrivilege	2020	msiexec.exe
Token: SeCreateTokenPrivilege	1908	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1908	msiexec.exe
Token: SeLockMemoryPrivilege	1908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1908	msiexec.exe
Token: SeMachineAccountPrivilege	1908	msiexec.exe
Token: SeTcbPrivilege	1908	msiexec.exe
Token: SeSecurityPrivilege	1908	msiexec.exe
Token: SeTakeOwnershipPrivilege	1908	msiexec.exe
Token: SeLoadDriverPrivilege	1908	msiexec.exe
Token: SeSystemProfilePrivilege	1908	msiexec.exe
Token: SeSystemtimePrivilege	1908	msiexec.exe
Token: SeProfSingleProcessPrivilege	1908	msiexec.exe
Token: SeIncBasePriorityPrivilege	1908	msiexec.exe
Token: SeCreatePagefilePrivilege	1908	msiexec.exe
Token: SeCreatePermanentPrivilege	1908	msiexec.exe
Token: SeBackupPrivilege	1908	msiexec.exe
Token: SeRestorePrivilege	1908	msiexec.exe
Token: SeShutdownPrivilege	1908	msiexec.exe
Token: SeDebugPrivilege	1908	msiexec.exe
Token: SeAuditPrivilege	1908	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1908	msiexec.exe
Token: SeChangeNotifyPrivilege	1908	msiexec.exe
Token: SeRemoteShutdownPrivilege	1908	msiexec.exe
Token: SeUndockPrivilege	1908	msiexec.exe
Token: SeSyncAgentPrivilege	1908	msiexec.exe
Token: SeEnableDelegationPrivilege	1908	msiexec.exe
Token: SeManageVolumePrivilege	1908	msiexec.exe
Token: SeImpersonatePrivilege	1908	msiexec.exe
Token: SeCreateGlobalPrivilege	1908	msiexec.exe
Token: SeBackupPrivilege	1640	vssvc.exe
Token: SeRestorePrivilege	1640	vssvc.exe
Token: SeAuditPrivilege	1640	vssvc.exe
Token: SeBackupPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	1528	DrvInst.exe
Token: SeRestorePrivilege	1528	DrvInst.exe
Token: SeRestorePrivilege	1528	DrvInst.exe
Token: SeRestorePrivilege	1528	DrvInst.exe
Token: SeRestorePrivilege	1528	DrvInst.exe
Token: SeRestorePrivilege	1528	DrvInst.exe
Token: SeRestorePrivilege	1528	DrvInst.exe
Token: SeLoadDriverPrivilege	1528	DrvInst.exe
Token: SeLoadDriverPrivilege	1528	DrvInst.exe
Token: SeLoadDriverPrivilege	1528	DrvInst.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1908	msiexec.exe
1908	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1832	2020	msiexec.exe	31
PID 2020 wrote to memory of 1832	2020	msiexec.exe	31
PID 2020 wrote to memory of 1832	2020	msiexec.exe	31
PID 2020 wrote to memory of 1748	2020	msiexec.exe	32
PID 2020 wrote to memory of 1748	2020	msiexec.exe	32
PID 2020 wrote to memory of 1748	2020	msiexec.exe	32
PID 2020 wrote to memory of 1748	2020	msiexec.exe	32
PID 2020 wrote to memory of 1748	2020	msiexec.exe	32
PID 1748 wrote to memory of 1584	1748	regsvr32.exe	33
PID 1748 wrote to memory of 1584	1748	regsvr32.exe	33
PID 1748 wrote to memory of 1584	1748	regsvr32.exe	33
PID 1748 wrote to memory of 1584	1748	regsvr32.exe	33
PID 1748 wrote to memory of 1584	1748	regsvr32.exe	33
PID 1748 wrote to memory of 1584	1748	regsvr32.exe	33
PID 1748 wrote to memory of 1584	1748	regsvr32.exe	33

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3c1a5b1eebdba993081e6fcf3ea415fc.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  2⤵
  PID:1832
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\regsvr32.exe
    -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    3⤵
    - Loads dropped DLL
    PID:1584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000005C4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
ead04e35e52ab8bc4c39da8d78a14bc0

SHA1
ca525551203915f938bd16add6018fc01bba0c68

SHA256
96cc425d689f9d48bc2767d70b5258c04f74d8e95f12f9f691e428c59dc84eaa

SHA512
9a10d6db4b8fe8df83fad30b20ad4cfbcbd2c8c69ae024da7909ccbdd79c25a42c58eab9c8390c35b30ca64eaf548f1792754b8236a5d0abe4d2e0bc0ceb8197

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
5ad64eaa060f14f691bdca7f4250e63c

SHA1
969b4ab5171c30c0aa5ed75b3a6e8406b7548eee

SHA256
766e9529692481af9b06c3c8705fadd4d8a4afab36aa4c3d6a57efdfaff6e01d

SHA512
251ec9558b858096d79c3b203eda5c411a79c736b0bf43df2f3f19e5d4cdecf0b7891831ebc97dfcab32dad25113773fb5d619dd387fa4c2d6b558f16e8a744b

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
75ec49f612ed27b454a02f86f4f21c3d

SHA1
506d9139c7536541bb4cf59c4ad89626ef921e49

SHA256
4cb6877f25072af644fcf0a4d22893b5b00be691b5e21238a16073db9f1fb008

SHA512
743949ad1825ddeb2342d0425dfcaf748ac2cdf23b23910c372a679d1983c30a39080a67533794f716beb5aa5971b3c3dc4076375cab541abe534a567dc32141

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

Filesize
68B

MD5
0308aa2c8dab8a69de41f5d16679bb9b

SHA1
c6827bf44a433ff086e787653361859d6f6e2fb3

SHA256
0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

SHA512
1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

Download Submit
\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
75ec49f612ed27b454a02f86f4f21c3d

SHA1
506d9139c7536541bb4cf59c4ad89626ef921e49

SHA256
4cb6877f25072af644fcf0a4d22893b5b00be691b5e21238a16073db9f1fb008

SHA512
743949ad1825ddeb2342d0425dfcaf748ac2cdf23b23910c372a679d1983c30a39080a67533794f716beb5aa5971b3c3dc4076375cab541abe534a567dc32141

Download Submit
memory/1908-54-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp

Filesize
8KB

Download