Overview

overview

10

Static

static

RT.msi

windows7_x64

10

RT.msi

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-12-2021 23:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RT.msi

  • Size

    2.2MB

  • MD5

    55b75999aeba3ccfd5309b39d7880baa

  • SHA1

    293a2c7cd6ab5851563d868d549e9a2dfd00842c

  • SHA256

    e07e5f0295deb4c8a77519cf41d915046d6962db92b7e667f68267d30e0b8399

  • SHA512

    59a8bad2040260f13ec4171e5ce6f28b04b1d6705aed4d7c9a9270c472062095bd4ec8cdc38fe962a55b8f8bc0b8f5afc4565d99f3dffee87dc12b107f9fd76f

Score
10/10
numandobackdoorpersistencespywarestealertrojan

Malware Config

Signatures

  • Detect Numando Payload 3 IoCs
  • Numando

    Numando is a banking trojan/backdoor targeting Latin America which uses Youtube and Pastebin for C2 communications.

    trojanbackdoornumando
  • Blocklisted process makes network request 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 15 IoCs
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RT.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1400
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7DDEC1C2030F712422DC95A791188531
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:1480
    • C:\Windows\Installer\MSICEDE.tmp
      "C:\Windows\Installer\MSICEDE.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\WEFHWE0-FWEUY-F9WUEFWWEF\BND0WEPWEJFC-9UEWFF\Object.exe"
      2⤵
      • Executes dropped EXE
      PID:776
  • C:\Users\Admin\AppData\Roaming\WEFHWE0-FWEUY-F9WUEFWWEF\BND0WEPWEJFC-9UEWFF\Object.exe
    "C:\Users\Admin\AppData\Roaming\WEFHWE0-FWEUY-F9WUEFWWEF\BND0WEPWEJFC-9UEWFF\Object.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" %1 "https://bit.ly/3DvoVCc"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1676

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    05881ce1a02aa11d26857dd148ce005b

    SHA1

    08a47297f8ec5b11a69fcd861644791e84a93d2f

    SHA256

    5f697aa26ee223c15022a04ca6e5aac33d6c93db50e88504fae4bd35cb457555

    SHA512

    204729b0068278db0b0c22b1dbe14f65ae3a78276a0f1ea64fece1af6910529599810b4dba612a69b3d572869ec6ab6cfb1a75b74f40916322a80c9446b7edf5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WEFHWE0-FWEUY-F9WUEFWWEF\BND0WEPWEJFC-9UEWFF\OLEACC.dll
    MD5

    96e5dabb986d4a653ba7382f14e9f4af

    SHA1

    2af9c00f61fd821f7dbdbd222e2ca2b1652ecca7

    SHA256

    e116a603ceb5d60463f54ad79b31b9a04a21b2c8afea1fb72149db2805a4d4d8

    SHA512

    6c37f8890ffe8a89d143e00a0e1368af1a43bd9d42025e185d879f61fe7307bce60c4055eab4da3a00cd1e13f1cb21b5b0548bae48087c960b49c3b7eb529878

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WEFHWE0-FWEUY-F9WUEFWWEF\BND0WEPWEJFC-9UEWFF\Object.exe
    MD5

    06b1b36cd7c59cf46cd7f5d661c4da6f

    SHA1

    ed225d67e410c4c70a205fe969def346035ada72

    SHA256

    0d1882db000f8898f7598e87cefd2f1f7689524ee10b406870d1ae7a92ee775b

    SHA512

    6e448b9e44b57f05cc760c313d4898751afc23b2db14c4f981880e0183af67944d92ab0ad946b52d365e17ba5f2a6b2a97097450ac8a0e5c636f1c43a21d7c3a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WEFHWE0-FWEUY-F9WUEFWWEF\BND0WEPWEJFC-9UEWFF\libeay32.dll
    MD5

    1f3d6ea5e7dab4126b5315261785408b

    SHA1

    5a138f31b36fa689f783bb1325a34566fa725865

    SHA256

    fc66f65545e6f8d875e82509bcb4ed4bd3df1869734d8f4fd206c9b7e8726499

    SHA512

    d37237baf8d0054c87b303758941e7180fcd40b63dea44c3e66c3e0d9bf9d23f8ea0bb47dd7cb0edb73c56e471c71520d9aaf8bbc36850e6a6ffd45bc794af48

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WEFHWE0-FWEUY-F9WUEFWWEF\BND0WEPWEJFC-9UEWFF\ssleay32.dll
    MD5

    a71bb55be452a69f69a67df2fe7c4097

    SHA1

    d2ab6d7acf2647827155d9bd3d9d4eca57eb2fce

    SHA256

    ff6c7f1c9dcff3b3a90cf57a9b4341dda0d76adb9e8667b4a3f75e15a2b7a832

    SHA512

    d0f7342266d9f9fa34b47564181a169dcf3fb518406f418bf0622c0e1ed5d849fa4c7816c0fe1542fc41e266bf3182ed2ffa49ac8247054a0b60f96b2ba4661a

    Download Submit

  • C:\Windows\Installer\MSIA91B.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • C:\Windows\Installer\MSIAB6D.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • C:\Windows\Installer\MSIABBC.tmp
    MD5

    7e68b9d86ff8fafe995fc9ea0a2bff44

    SHA1

    06afc5448037dc419013c3055f61836875bc5e02

    SHA256

    fb4ff113ee64dd8d9aa92a3b5c1d1cd0896a1cc8b4c3768d1cacde2f52f41d58

    SHA512

    6e22afd350f376969de823b033394324d3c2433c196515624a84b8e5160ea228fdaac0699e76466ae1f30155fc44f61697efb9e1eca9a67670aff25e6ee67a5c

    Download Submit

  • C:\Windows\Installer\MSIAD52.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • C:\Windows\Installer\MSIB3AB.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit

  • C:\Windows\Installer\MSIB409.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit

  • C:\Windows\Installer\MSIB488.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit

  • C:\Windows\Installer\MSICDF2.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit

  • C:\Windows\Installer\MSICEDE.tmp
    MD5

    a34d4f165087b11d9e06781d52262868

    SHA1

    1b7b6a5bb53b7c12fb45325f261ad7a61b485ce1

    SHA256

    55ad26c17f4aac71e6db6a6edee6ebf695510dc7e533e3fee64afc3eb06291e5

    SHA512

    aa62ff3b601ddb83133dd3659b0881f523454dc7eea921da7cfefc50426e70bb36b4ebc337a8f16620da610784a81a8e4aa1cf5e0959d28aa155d1f026a81aaf

    Download Submit

  • \Users\Admin\AppData\Roaming\WEFHWE0-FWEUY-F9WUEFWWEF\BND0WEPWEJFC-9UEWFF\Oleacc.dll
    MD5

    96e5dabb986d4a653ba7382f14e9f4af

    SHA1

    2af9c00f61fd821f7dbdbd222e2ca2b1652ecca7

    SHA256

    e116a603ceb5d60463f54ad79b31b9a04a21b2c8afea1fb72149db2805a4d4d8

    SHA512

    6c37f8890ffe8a89d143e00a0e1368af1a43bd9d42025e185d879f61fe7307bce60c4055eab4da3a00cd1e13f1cb21b5b0548bae48087c960b49c3b7eb529878

    Download Submit

  • \Users\Admin\AppData\Roaming\WEFHWE0-FWEUY-F9WUEFWWEF\BND0WEPWEJFC-9UEWFF\libeay32.dll
    MD5

    1f3d6ea5e7dab4126b5315261785408b

    SHA1

    5a138f31b36fa689f783bb1325a34566fa725865

    SHA256

    fc66f65545e6f8d875e82509bcb4ed4bd3df1869734d8f4fd206c9b7e8726499

    SHA512

    d37237baf8d0054c87b303758941e7180fcd40b63dea44c3e66c3e0d9bf9d23f8ea0bb47dd7cb0edb73c56e471c71520d9aaf8bbc36850e6a6ffd45bc794af48

    Download Submit

  • \Users\Admin\AppData\Roaming\WEFHWE0-FWEUY-F9WUEFWWEF\BND0WEPWEJFC-9UEWFF\ssleay32.dll
    MD5

    a71bb55be452a69f69a67df2fe7c4097

    SHA1

    d2ab6d7acf2647827155d9bd3d9d4eca57eb2fce

    SHA256

    ff6c7f1c9dcff3b3a90cf57a9b4341dda0d76adb9e8667b4a3f75e15a2b7a832

    SHA512

    d0f7342266d9f9fa34b47564181a169dcf3fb518406f418bf0622c0e1ed5d849fa4c7816c0fe1542fc41e266bf3182ed2ffa49ac8247054a0b60f96b2ba4661a

    Download Submit

  • \Windows\Installer\MSIA91B.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • \Windows\Installer\MSIAB6D.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • \Windows\Installer\MSIABBC.tmp
    MD5

    7e68b9d86ff8fafe995fc9ea0a2bff44

    SHA1

    06afc5448037dc419013c3055f61836875bc5e02

    SHA256

    fb4ff113ee64dd8d9aa92a3b5c1d1cd0896a1cc8b4c3768d1cacde2f52f41d58

    SHA512

    6e22afd350f376969de823b033394324d3c2433c196515624a84b8e5160ea228fdaac0699e76466ae1f30155fc44f61697efb9e1eca9a67670aff25e6ee67a5c

    Download Submit

  • \Windows\Installer\MSIAD52.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit

  • \Windows\Installer\MSIB3AB.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit

  • \Windows\Installer\MSIB409.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit

  • \Windows\Installer\MSIB488.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit

  • \Windows\Installer\MSICDF2.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit

  • memory/776-74-0x0000000000000000-mapping.dmp

    Download

  • memory/776-77-0x00000000001E0000-0x00000000001E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1012-87-0x0000000000000000-mapping.dmp

    Download

  • memory/1400-54-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1480-57-0x0000000076C91000-0x0000000076C93000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1480-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1676-89-0x0000000000000000-mapping.dmp

    Download

  • memory/1740-81-0x00000000005B0000-0x0000000000EBF000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1740-91-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download