Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-04-2024 15:09

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: ff06cffedc00b97f82005c9768951d0e8c18c63ba36e584aef3c7c9e845e62e0.msi
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: ff06cffedc00b97f82005c9768951d0e8c18c63ba36e584aef3c7c9e845e62e0.msi
  Resource: win10v2004-20240226-en

General
- Target: ff06cffedc00b97f82005c9768951d0e8c18c63ba36e584aef3c7c9e845e62e0.msi
- Size: 1008KB
- MD5: 660df6ef0e19375001cd6988f18c105b
- SHA1: f6bdeb2faba1d834b39827eb90e9c8d328d32bd1
- SHA256: ff06cffedc00b97f82005c9768951d0e8c18c63ba36e584aef3c7c9e845e62e0
- SHA512: 4c5c2a9dab4728a47784f23a98e578273c157eb2d49a3225202062f41b59c5d646f0cd0832b60bda8f97da071f0204ab2a27e1bc0dc1d75ac8fb65d4cffa034a
- SSDEEP: 24576:7/9WGtBFV4aFt7u70p71YF73bPI4yXhecIWqHcI0FbbJgxkW:7ntJ42t80y73bJy8cIWq+FbbJI
Malware Config
Signatures
- Matanbuchus
  A loader sold as MaaS first seen in February 2021.

- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

  description | ioc | Process
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
- Drops file in Windows directory (10 IoCs)

  description | ioc | Process
  File opened for modification | C:\Windows\Installer\f763ef4.msi | msiexec.exe
  File created | C:\Windows\Installer\f763ef7.msi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File created | C:\Windows\Installer\f763ef4.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3FBE.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\f763ef5.ipi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
  File created | C:\Windows\Installer\f763ef5.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
- Loads dropped DLL (1 IoC)

  pid | Process
  1752 | regsvr32.exe
- Modifies data under HKEY_USERS (43 IoCs)

  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)

  pid | Process
  2536 | msiexec.exe
  2536 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description | pid | Process
  Token: SeShutdownPrivilege | 2164 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2164 | msiexec.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2536 | msiexec.exe
  Token: SeSecurityPrivilege | 2536 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2164 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2164 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2164 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2164 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2164 | msiexec.exe
  Token: SeTcbPrivilege | 2164 | msiexec.exe
  Token: SeSecurityPrivilege | 2164 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2164 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2164 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2164 | msiexec.exe
  Token: SeSystemtimePrivilege | 2164 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2164 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2164 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2164 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2164 | msiexec.exe
  Token: SeBackupPrivilege | 2164 | msiexec.exe
  Token: SeRestorePrivilege | 2164 | msiexec.exe
  Token: SeShutdownPrivilege | 2164 | msiexec.exe
  Token: SeDebugPrivilege | 2164 | msiexec.exe
  Token: SeAuditPrivilege | 2164 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2164 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2164 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2164 | msiexec.exe
  Token: SeUndockPrivilege | 2164 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2164 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2164 | msiexec.exe
  Token: SeManageVolumePrivilege | 2164 | msiexec.exe
  Token: SeImpersonatePrivilege | 2164 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2164 | msiexec.exe
  Token: SeBackupPrivilege | 2616 | vssvc.exe
  Token: SeRestorePrivilege | 2616 | vssvc.exe
  Token: SeAuditPrivilege | 2616 | vssvc.exe
  Token: SeBackupPrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | DrvInst.exe
  Token: SeRestorePrivilege | 2424 | DrvInst.exe
  Token: SeRestorePrivilege | 2424 | DrvInst.exe
  Token: SeRestorePrivilege | 2424 | DrvInst.exe
  Token: SeRestorePrivilege | 2424 | DrvInst.exe
  Token: SeRestorePrivilege | 2424 | DrvInst.exe
  Token: SeRestorePrivilege | 2424 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 2424 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 2424 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 2424 | DrvInst.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)

  pid | Process
  2164 | msiexec.exe
  2164 | msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)

  description | pid | Process | procid_target
  PID 2536 wrote to memory of 1752 | 2536 | msiexec.exe | 32
  PID 2536 wrote to memory of 1752 | 2536 | msiexec.exe | 32
  PID 2536 wrote to memory of 1752 | 2536 | msiexec.exe | 32
  PID 2536 wrote to memory of 1752 | 2536 | msiexec.exe | 32
  PID 2536 wrote to memory of 1752 | 2536 | msiexec.exe | 32
  PID 2536 wrote to memory of 1752 | 2536 | msiexec.exe | 32
  PID 2536 wrote to memory of 1752 | 2536 | msiexec.exe | 32

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 2164)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ff06cffedc00b97f82005c9768951d0e8c18c63ba36e584aef3c7c9e845e62e0.msi
  Signatures:
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 2536)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - Child: \??\c:\windows\SysWoW64\regsvr32.exe (PID 1752)
    Command line: c:\windows\SysWoW64\regsvr32.exe "C:\Users\Admin\AppData\Local\EdgeTools\edgecef.dll"
    Signatures:
    - Loads dropped DLL

- C:\Windows\system32\vssvc.exe (PID 2616)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\DrvInst.exe (PID 2424)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "00000000000003AC"
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads