Overview

overview

10

Static

static

10

c0a3de6415...c5.msi

windows7-x64

10

c0a3de6415...c5.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240215-es
  • resource tags

    arch:x64arch:x86image:win7-20240215-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    03-05-2024 17:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5.msi

  • Size

    13.7MB

  • MD5

    b9f84cbf370857a27761d54dae9a31f0

  • SHA1

    db4b996018577044895978e48fe1244d639eeb93

  • SHA256

    c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5

  • SHA512

    be6b60499906bd5b5e52e7685980d5a1648a4f8a82b81d05a8d7da46ae01e9cd1a852db0e8af4993e391dbfbee39f83808aa942667083fc504871b43762104a6

  • SSDEEP

    98304:DtNkaeb7Yp7pRFjr+fTHopNj2AGvCg5P2hyzJGuvPEsxNg9Lkh8l480:DebGX0HuNABQyNPEsDKwS

Score
10/10
latentbotpersistencetrojan

Malware Config

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2360
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 24A024C72715D9FCA75C53C138D70ED9
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\5izjq1fr\UNC.exe
        "C:\5izjq1fr\UNC.exe"
        3⤵
        • Adds Run key to start application
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c ipconfig /renew
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /renew
            5⤵
            • Gathers network information
            PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\5izjq1fr\UNC.exe
    Filesize

    5.7MB

    MD5

    b43c99c9e4b57ea9fef141ac306e59fe

    SHA1

    b4f15a82fd94043f94267fe8948a2d402176f731

    SHA256

    437d592cec3a0085b89f21ba1bcf41f6d62c9ce7cca7fe2452eebb567ffb9d06

    SHA512

    7c1d39fa3f0c58939000722fc2a6a3155e12444e1986317775158019b6915225255b86c7f16d5afaf10223e8ab0f9b3c9357eda19e7f5f716ee14f3da5e6e1c9

    Download Submit
  • C:\5izjq1fr\tont.dll
    Filesize

    1.5MB

    MD5

    9982dd5b2f0c21404a2025db4900966e

    SHA1

    43484b55d1ba57fc05234aa8c05c0d4adb78239c

    SHA256

    e0e888371dfe14b8e2e8115bab277d1f17bffbff2a83fe6e259edf7e05cc6267

    SHA512

    0c89a65b4e3fdd0dfc1a1dbd4bca458cd386e1d42e78baa19d8860bb49a9164607475db9a455e42fd58008e0a5c9bbeaa40cdd1ba868bbd696873cfbe3ed311e

    Download Submit
  • C:\Windows\Installer\MSI1A06.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit
  • C:\Windows\Installer\MSI1CAA.tmp
    Filesize

    12.6MB

    MD5

    f93953ae688e969695943a1948920507

    SHA1

    72e6b4e6b43cd6978e54d50771c8f74cf19110bd

    SHA256

    8b233d87ce4e5e7795bad1c4011e0ac922a344a2d584ebc7070e07d2166f90e6

    SHA512

    086b2f8bf0f9e8412e5339ac18791fd10404e889de23d065c8351a63f1d527034d3bd97352bd697eb9e621c0fb4414f496531e501da391a1d9d1f6e94ca7cfdf

    Download Submit
  • memory/1724-69-0x0000000006790000-0x0000000006914000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1724-81-0x0000000000400000-0x0000000000AC9000-memory.dmp
    Filesize

    6.8MB

    Download
  • memory/1724-60-0x0000000003E20000-0x0000000003E21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1724-68-0x0000000006790000-0x0000000006914000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1724-76-0x0000000006790000-0x0000000006914000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1724-79-0x0000000006790000-0x0000000006914000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1724-78-0x0000000006790000-0x0000000006914000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1724-77-0x0000000006790000-0x0000000006914000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1724-106-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/1724-67-0x0000000006790000-0x0000000006914000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1724-66-0x0000000006790000-0x0000000006914000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1724-57-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/1724-82-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/1724-86-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/1724-90-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/1724-92-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/1724-94-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/1724-96-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/1724-98-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/1724-100-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/1724-104-0x0000000004000000-0x0000000004F7B000-memory.dmp
    Filesize

    15.5MB

    Download
  • memory/3004-21-0x0000000072750000-0x000000007349D000-memory.dmp
    Filesize

    13.3MB

    Download