Windows
Analysis Report
SCAN-068589.pdf.msi
Overview
General Information
Detection
Matanbuchus
Score: 64 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Yara detected Matanbuchus
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
Adds / modifies Windows certificates
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
PE / OLE file has an invalid certificate
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Creates or modifies windows services
Dropped file seen in connection with other malware
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w7x64
- msiexec.exe (PID: 2460, cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SCAN-068589.pdf.msi", MD5: AC2E7152124CEED36846BD1B6592A00F)
- msiexec.exe (PID: 3004, cmdline: C:\Windows\system32\msiexec.exe /V, MD5: AC2E7152124CEED36846BD1B6592A00F)
- regsvr32.exe (PID: 2948, cmdline: regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll, MD5: 59BCE9F07985F8A4204F4D6554CFF708)
- regsvr32.exe (PID: 1568, cmdline: -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll, MD5: 432BE6CF7311062633459EEF6B242FB5)
- wscript.exe (PID: 1244, cmdline: wscript.exe C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs, MD5: 045451FA238A75305CC26AC982472367)
- taskeng.exe (PID: 2840, cmdline: taskeng.exe {4CFB7DD2-D1A8-412D-8316-3EFD3FFEBE4B} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1], MD5: 65EA57712340C09B1B0C427B4848AE05)
- regsvr32.exe (PID: 2008, cmdline: C:\Windows\system32\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls", MD5: 59BCE9F07985F8A4204F4D6554CFF708)
- regsvr32.exe (PID: 2852, cmdline: -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls", MD5: 432BE6CF7311062633459EEF6B242FB5)
- cleanup
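The process tree above shows the execution chain a hunter would want to catch: msiexec drops main.dll under AppData and runs it with regsvr32 -n -i:"Install" (the -i switch calls the DllInstall export, -n skips DllRegisterServer), and a scheduled task later re-runs the same pattern against a ".nls" file that the report flags as having a non-matching extension. The following is an added example of detection logic for that chain, not code from the report or from Joe Sandbox. The process records, the one assumed-benign entry, and the constructed PE header bytes are made up for illustration; real telemetry (Sysmon event 1, EDR process events) would supply the same three fields.

```python
"""Hunting logic for the regsvr32 DllInstall chain seen in the process tree above.

Added example, not part of the sandbox report. Records are constructed from
the command lines in the tree plus one assumed-benign entry.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Windows-style tokeniser: bare words or double-quoted runs, so that
# -i:"Install" and "C:\path with spaces\x.nls" each come out as one token.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Extensions regsvr32 is normally asked to load; anything else is worth a look.
EXPECTED_EXT = {".dll", ".ocx", ".ax", ".cpl"}

# User-writable roots a signed system binary should not be loading code from.
WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    pid: int
    module: str
    reasons: list = field(default_factory=list)


def parse_regsvr32(cmdline: str) -> tuple[set, str | None, str | None]:
    """Return (switches, install_string, module_path) for a regsvr32 command line."""
    switches, install_string, module = set(), None, None
    for tok in _TOKEN.findall(cmdline):
        bare = tok.strip('"')
        if bare.lower().endswith("regsvr32.exe"):
            continue                      # the image itself (absent in the WoW64 re-exec)
        if tok[:1] in "-/":
            name = tok[1:].split(":", 1)
            switches.add(name[0].lower())
            if name[0].lower() == "i" and len(name) == 2:
                install_string = name[1].strip('"')   # argument handed to DllInstall
        else:
            module = bare                 # last positional token is the module to load
    return switches, install_string, module


def assess(pid: int, image: str, cmdline: str) -> Finding | None:
    """Score one process-creation record; None means nothing suspicious."""
    if not image.lower().endswith("regsvr32.exe"):
        return None
    switches, install_string, module = parse_regsvr32(cmdline)
    if module is None:
        return None
    f = Finding(pid, module)
    low = module.lower()
    if "i" in switches:
        # -i calls DllInstall; with -n, DllRegisterServer is never called, so the
        # "registration" is purely a vehicle for running the DLL's code.
        f.reasons.append("DllInstall via -i" + (" without registration (-n)" if "n" in switches else ""))
    if any(h in low for h in WRITABLE_HINTS):
        f.reasons.append("module in user-writable location")
    ext = ntpath.splitext(low)[1]
    if ext not in EXPECTED_EXT:
        f.reasons.append(f"unexpected module extension {ext or '(none)'}")
    return f if f.reasons else None


def looks_like_pe(data: bytes) -> bool:
    """DOS header + PE signature check, for the extension-vs-content mismatch."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed records (pid, image, cmdline): the regsvr32 lines from the tree
# above plus one assumed-benign registration of a vendor codec.
SAMPLE_PROCESSES = [
    (2948, "regsvr32.exe", r'regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll'),
    (1568, "regsvr32.exe", r'-n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll'),
    (2008, "regsvr32.exe", r'C:\Windows\system32\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls"'),
    (2852, "regsvr32.exe", r'-n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls"'),
    (4100, "regsvr32.exe", r'regsvr32.exe /s "C:\Program Files\Vendor\codec.dll"'),  # assumed benign
]


def hunt(records=SAMPLE_PROCESSES) -> list[Finding]:
    return [f for f in (assess(*r) for r in records) if f]


# Constructed stand-in for a ".nls" that is really a PE image: MZ stub whose
# e_lfanew (offset 0x3C) points at a "PE\0\0" signature at offset 0x40.
FAKE_NLS = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20

if __name__ == "__main__":
    for f in hunt():
        print(f.pid, f.module, "; ".join(f.reasons))
    print("5507.nls content is a PE image:", looks_like_pe(FAKE_NLS))
```

Each regsvr32 in the chain fires on at least two reasons, and the two later ones also on the ".nls" extension; the benign /s registration from Program Files produces no finding. Checking the dropped file's bytes with looks_like_pe is what turns the "non-matching file extension" signature into something you can verify on disk rather than trust from the report.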
⊘No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Matanbuchus | Yara detected Matanbuchus | Joe Security | 
 | JoeSecurity_Matanbuchus | Yara detected Matanbuchus | Joe Security | 

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Matanbuchus | Yara detected Matanbuchus | Joe Security | 
⊘No Sigma rule has matched
⊘No Snort rule has matched
Signature evidence (per-entry details were not preserved in this copy of the report):
- HTTPS traffic detected: 1 entry
- File opened: 25 entries
- Code function: 12_2_6E462F53
Networking
- Domain query: 2 entries
- Network Connect: 1 entry
- Network traffic detected: 16 entries
- ASN Name: 1 entry
- JA3 fingerprint: 1 entry
- HTTP traffic detected: 3 entries