Overview

overview

10

Static

static

f3e180897f...in.msi

windows7_x64

8

f3e180897f...in.msi

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19-09-2021 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3e180897f615a8d54fbe97faebd15e80be7358a3d4aa7ea8511a73285b3fe85.bin.msi

  • Size

    5.3MB

  • MD5

    c7d18c4670aebfa94bfbe270f651f424

  • SHA1

    4a1c48064167fc4ad5d943a54a34785b3682da92

  • SHA256

    f3e180897f615a8d54fbe97faebd15e80be7358a3d4aa7ea8511a73285b3fe85

  • SHA512

    a125054101e7f58e0ed4f48d635959493860c8d26abca8b5c80ba50cddc47a76e787fd65291a0f42f797b958ec133cc6677e76ed49986675b91ef4e90d54c018

Score
10/10
numandobackdoorpersistencespywarestealertrojan

Malware Config

Signatures

  • Detect Numando Payload 1 IoCs
  • Numando

    Numando is a banking trojan/backdoor targeting Latin America which uses Youtube and Pastebin for C2 communications.

    trojanbackdoornumando
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f3e180897f615a8d54fbe97faebd15e80be7358a3d4aa7ea8511a73285b3fe85.bin.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:664
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:360
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AFD7ABB3D3AF78E058757F46418E38A9
      2⤵
      • Loads dropped DLL
      PID:1364
    • C:\Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\FDYIDYF.exe
      "C:\Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\FDYIDYF.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3uRWs5E
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:82945 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    e4d181190a743b5c6396855cd1fb00f8

    SHA1

    fcab8e626e52e7e2f9e47d0654e8bde1285c07a6

    SHA256

    61bf3f235bcc0f78de7fd59a6e800175b2ec0d2b7c34a8b00c96db612169f7d1

    SHA512

    0f23838c5ba11c9b0c43397bc18cc509519d2f041d5cc513bcf61eecfd3ab33e1ce5856031d742007b5fa8fde6836abcc12d2fe64eda38364e21360f27407a56

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B43A6A2AB31D8F6B89DCFD4FD9686D5_51B5A975EEA62653A44730A3B2364546
    MD5

    f58204a51180b75a76a8b75b41f7992a

    SHA1

    d3b410d0162f0d4b0428fd1fc6db8c6eeee5517c

    SHA256

    4ed1aaccf99312dfa943be7f197cfbfe59ea283e911e787b9658ca5a98c636aa

    SHA512

    d13f1abd545208cf773967aec2043650d8ffa864d9f049ee1c7f6858d1790d63cf92a78d3e2aa79b2514f482b554a6ad92da241efdc11ca043fabdcaec051ca3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    6974d13b11d23c260283e42a0ac49504

    SHA1

    c779cd9082fa67ecded762b5ffb7503f28589e93

    SHA256

    c4e074b55f5f33318e74252bb48d91369cbe63fc447bd23c2cb1e6309301610c

    SHA512

    2366305520c157ef0480ccacbebfb657f8111735cb2d10c688c30fee46984be44c49c39e34722bc00d55806384060e16446355cc0413d9540a6f7f6708bac2d0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B43A6A2AB31D8F6B89DCFD4FD9686D5_51B5A975EEA62653A44730A3B2364546
    MD5

    4f7ca3738425924ac9fc5a7058272b70

    SHA1

    78ecef76f48c5927e5fce176d7c29b914be59ad3

    SHA256

    1aa7453153279bb7218d602ffbae7dbf1274d6772377c52be05927bda837d25b

    SHA512

    56156d8307cd336d19414bbdcafb99bf50620db4ec81f4df1dfd9e150bbb46c4d99591e19e99bf4ceb79b332e10af702eecd27cfea9f6c80ed329061b1c9c57b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DXZA4HL9.cookie
    MD5

    10c7226b0fa68ec5e3697b568c266ff7

    SHA1

    49baa56f700066b7535dce3097ebe50df934a28f

    SHA256

    936b16f5e45e1e77b420e49849d8d2a979e6690c9b60fdabddec11d71482fe5c

    SHA512

    a508ee03db8610787af514217e8ee536cbe5a407ea5b476448e7aebfcc5500f932ec6b53ec0f3071087837d39e89e7db117401ab646de8760b4c8eb403b7675f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\Cooperativa.exe
    MD5

    e39592c0b83c040fda60c5bad8cc65c5

    SHA1

    65684b3d962fb3483766f9e4a9c047c0e27f055e

    SHA256

    fbfdd5b8449d08e0d82fc942ed39a0e280dba2d39c3e9e537f97b760d4fbcb52

    SHA512

    e8bc1589ce0119c331abc81ddbeb374edf5d3c82bc1b36f4522fb4b2a03eb64e3fdfc635bc9f5305daa1174298a4ff917fbd0bf1394fe2c3e7b4769a0ec3e82d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\FDYIDYF.exe
    MD5

    e39592c0b83c040fda60c5bad8cc65c5

    SHA1

    65684b3d962fb3483766f9e4a9c047c0e27f055e

    SHA256

    fbfdd5b8449d08e0d82fc942ed39a0e280dba2d39c3e9e537f97b760d4fbcb52

    SHA512

    e8bc1589ce0119c331abc81ddbeb374edf5d3c82bc1b36f4522fb4b2a03eb64e3fdfc635bc9f5305daa1174298a4ff917fbd0bf1394fe2c3e7b4769a0ec3e82d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\OLEACC
    MD5

    477cd985ef24ce7d3d02994f2da789e7

    SHA1

    130b59f6056ec83633cc1e0190aed64308dd85ac

    SHA256

    13500f1851482d91d9be27736aa41ba2102c3807a2901220f2e8eef5947bc148

    SHA512

    3fc9db101d240dbf45d54c6db8a118942c553860128700c142ff616e10993154147d2da1429b770f5c49b824bad6a754e42953f4cba918b64b0ecf9d104a0670

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\OLEACC.dll
    MD5

    31e44e62ff0c27115e5297e259c7a9f0

    SHA1

    12ac138134b65941d0bb1fb50100a8d8e97fe4da

    SHA256

    339bd1a013f0985113fb94905397fccf5407508e0a1847789c226540d9305053

    SHA512

    17980e99c8e4a199c941338ebd2113d0145666fd0b6fc8b68793035856af91eb16673b63c3e2d5cbecf9ef6b61e6449abe95e8324afa94320036615c226d306c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\libeay32.dll
    MD5

    1f3d6ea5e7dab4126b5315261785408b

    SHA1

    5a138f31b36fa689f783bb1325a34566fa725865

    SHA256

    fc66f65545e6f8d875e82509bcb4ed4bd3df1869734d8f4fd206c9b7e8726499

    SHA512

    d37237baf8d0054c87b303758941e7180fcd40b63dea44c3e66c3e0d9bf9d23f8ea0bb47dd7cb0edb73c56e471c71520d9aaf8bbc36850e6a6ffd45bc794af48

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\ssleay32.dll
    MD5

    a71bb55be452a69f69a67df2fe7c4097

    SHA1

    d2ab6d7acf2647827155d9bd3d9d4eca57eb2fce

    SHA256

    ff6c7f1c9dcff3b3a90cf57a9b4341dda0d76adb9e8667b4a3f75e15a2b7a832

    SHA512

    d0f7342266d9f9fa34b47564181a169dcf3fb518406f418bf0622c0e1ed5d849fa4c7816c0fe1542fc41e266bf3182ed2ffa49ac8247054a0b60f96b2ba4661a

    Download Submit

  • C:\Windows\Installer\MSI8661.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • C:\Windows\Installer\MSI8A5A.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • C:\Windows\Installer\MSI8B07.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • C:\Windows\Installer\MSI8BC3.tmp
    MD5

    7e68b9d86ff8fafe995fc9ea0a2bff44

    SHA1

    06afc5448037dc419013c3055f61836875bc5e02

    SHA256

    fb4ff113ee64dd8d9aa92a3b5c1d1cd0896a1cc8b4c3768d1cacde2f52f41d58

    SHA512

    6e22afd350f376969de823b033394324d3c2433c196515624a84b8e5160ea228fdaac0699e76466ae1f30155fc44f61697efb9e1eca9a67670aff25e6ee67a5c

    Download Submit

  • C:\Windows\Installer\MSI8FBC.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • \Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\Oleacc.dll
    MD5

    31e44e62ff0c27115e5297e259c7a9f0

    SHA1

    12ac138134b65941d0bb1fb50100a8d8e97fe4da

    SHA256

    339bd1a013f0985113fb94905397fccf5407508e0a1847789c226540d9305053

    SHA512

    17980e99c8e4a199c941338ebd2113d0145666fd0b6fc8b68793035856af91eb16673b63c3e2d5cbecf9ef6b61e6449abe95e8324afa94320036615c226d306c

    Download Submit

  • \Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\libeay32.dll
    MD5

    1f3d6ea5e7dab4126b5315261785408b

    SHA1

    5a138f31b36fa689f783bb1325a34566fa725865

    SHA256

    fc66f65545e6f8d875e82509bcb4ed4bd3df1869734d8f4fd206c9b7e8726499

    SHA512

    d37237baf8d0054c87b303758941e7180fcd40b63dea44c3e66c3e0d9bf9d23f8ea0bb47dd7cb0edb73c56e471c71520d9aaf8bbc36850e6a6ffd45bc794af48

    Download Submit

  • \Users\Admin\AppData\Roaming\VOCNT\CZVGBWDIAA\ssleay32.dll
    MD5

    a71bb55be452a69f69a67df2fe7c4097

    SHA1

    d2ab6d7acf2647827155d9bd3d9d4eca57eb2fce

    SHA256

    ff6c7f1c9dcff3b3a90cf57a9b4341dda0d76adb9e8667b4a3f75e15a2b7a832

    SHA512

    d0f7342266d9f9fa34b47564181a169dcf3fb518406f418bf0622c0e1ed5d849fa4c7816c0fe1542fc41e266bf3182ed2ffa49ac8247054a0b60f96b2ba4661a

    Download Submit

  • \Windows\Installer\MSI8661.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • \Windows\Installer\MSI8A5A.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • \Windows\Installer\MSI8B07.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • \Windows\Installer\MSI8BC3.tmp
    MD5

    7e68b9d86ff8fafe995fc9ea0a2bff44

    SHA1

    06afc5448037dc419013c3055f61836875bc5e02

    SHA256

    fb4ff113ee64dd8d9aa92a3b5c1d1cd0896a1cc8b4c3768d1cacde2f52f41d58

    SHA512

    6e22afd350f376969de823b033394324d3c2433c196515624a84b8e5160ea228fdaac0699e76466ae1f30155fc44f61697efb9e1eca9a67670aff25e6ee67a5c

    Download Submit

  • \Windows\Installer\MSI8FBC.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • memory/1364-118-0x0000000000000000-mapping.dmp

    Download

  • memory/2100-143-0x00007FFACFCF0000-0x00007FFACFD5B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2100-142-0x0000000000000000-mapping.dmp

    Download

  • memory/2444-145-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-141-0x0000000003510000-0x00000000038D1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2444-132-0x0000000000000000-mapping.dmp

    Download

  • memory/3692-144-0x0000000000000000-mapping.dmp

    Download