Overview

overview

10

Static

static

490548ca84...bb.msi

windows7_x64

8

490548ca84...bb.msi

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-02-2022 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    490548ca84fb78e8d332bcde20b37576b2a532e388232e756d9c746b6baad5bb.msi

  • Size

    2.2MB

  • MD5

    3a8af2810c28d0eac73f55fb5efb63c2

  • SHA1

    fcc72c86caafc640c7ca831bf9e1fbb2341f6895

  • SHA256

    490548ca84fb78e8d332bcde20b37576b2a532e388232e756d9c746b6baad5bb

  • SHA512

    cc490c53a66e13548a20e301616c09ab1e1fabc25b64000b0f9c13dfc570d43c8f4b259f431147ab6dc60a33a837dafb0e356f330fdc796552c33d61232de839

Score
10/10
numandobackdoorpersistencespywarestealertrojan

Malware Config

Signatures

  • Detect Numando Payload 1 IoCs
  • Numando

    Numando is a banking trojan/backdoor targeting Latin America which uses Youtube and Pastebin for C2 communications.

    trojanbackdoornumando
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 18 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\490548ca84fb78e8d332bcde20b37576b2a532e388232e756d9c746b6baad5bb.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:212
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DE096E74E5BFC461D87FDF02C69DDB14
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:2936
    • C:\Windows\Installer\MSI5288.tmp
      "C:\Windows\Installer\MSI5288.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\Escudo.exe"
      2⤵
      • Executes dropped EXE
      PID:2636
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3496
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3856
  • C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\Escudo.exe
    "C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\Escudo.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" %1 "https://bit.ly/3Dp9HzD"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\Escudo.exe
    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit
  • C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\dbgeng
    MD5

    b9a0fbdff8c408ea7c265f2b5f17044f

    SHA1

    2493df4492892235e2c803ce87e8e22a36b53d93

    SHA256

    3d9f667d75bdb6cf5536ea98e4d4dcbfeea8d29cdabfc23da4a5ff87c88108ce

    SHA512

    9814132bd684860e8587b6f77e0bc9316a65c0414076efc919f96b0b8367b59bca70a6635433112b1e752814c9757ea90b66c1376c40df34423770de3e002623

    Download Submit
  • C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\dbgeng.dll
    MD5

    073a1ae73a400b4724d25c1fc4d8ee83

    SHA1

    2c0596a9e6e2bcfcb4ead7c68ef2529c3f677b0e

    SHA256

    89d2905f3b757ad144075c22607517098f535af59238e06c5f02dc2f0e231a0b

    SHA512

    177f8a3cf43a64bcf339126e581edc40afb693baf508458571f86d5a2c7665154209ac04a94a3847df35964d67462e1e2b1b993baf58f31878c6d1e249e95230

    Download Submit
  • C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\dbgeng.dll
    MD5

    073a1ae73a400b4724d25c1fc4d8ee83

    SHA1

    2c0596a9e6e2bcfcb4ead7c68ef2529c3f677b0e

    SHA256

    89d2905f3b757ad144075c22607517098f535af59238e06c5f02dc2f0e231a0b

    SHA512

    177f8a3cf43a64bcf339126e581edc40afb693baf508458571f86d5a2c7665154209ac04a94a3847df35964d67462e1e2b1b993baf58f31878c6d1e249e95230

    Download Submit
  • C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\libeay32.dll
    MD5

    1f3d6ea5e7dab4126b5315261785408b

    SHA1

    5a138f31b36fa689f783bb1325a34566fa725865

    SHA256

    fc66f65545e6f8d875e82509bcb4ed4bd3df1869734d8f4fd206c9b7e8726499

    SHA512

    d37237baf8d0054c87b303758941e7180fcd40b63dea44c3e66c3e0d9bf9d23f8ea0bb47dd7cb0edb73c56e471c71520d9aaf8bbc36850e6a6ffd45bc794af48

    Download Submit
  • C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\libeay32.dll
    MD5

    1f3d6ea5e7dab4126b5315261785408b

    SHA1

    5a138f31b36fa689f783bb1325a34566fa725865

    SHA256

    fc66f65545e6f8d875e82509bcb4ed4bd3df1869734d8f4fd206c9b7e8726499

    SHA512

    d37237baf8d0054c87b303758941e7180fcd40b63dea44c3e66c3e0d9bf9d23f8ea0bb47dd7cb0edb73c56e471c71520d9aaf8bbc36850e6a6ffd45bc794af48

    Download Submit
  • C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\ssleay32.dll
    MD5

    a71bb55be452a69f69a67df2fe7c4097

    SHA1

    d2ab6d7acf2647827155d9bd3d9d4eca57eb2fce

    SHA256

    ff6c7f1c9dcff3b3a90cf57a9b4341dda0d76adb9e8667b4a3f75e15a2b7a832

    SHA512

    d0f7342266d9f9fa34b47564181a169dcf3fb518406f418bf0622c0e1ed5d849fa4c7816c0fe1542fc41e266bf3182ed2ffa49ac8247054a0b60f96b2ba4661a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\eletronics\Consulta Eletronica\ssleay32.dll
    MD5

    a71bb55be452a69f69a67df2fe7c4097

    SHA1

    d2ab6d7acf2647827155d9bd3d9d4eca57eb2fce

    SHA256

    ff6c7f1c9dcff3b3a90cf57a9b4341dda0d76adb9e8667b4a3f75e15a2b7a832

    SHA512

    d0f7342266d9f9fa34b47564181a169dcf3fb518406f418bf0622c0e1ed5d849fa4c7816c0fe1542fc41e266bf3182ed2ffa49ac8247054a0b60f96b2ba4661a

    Download Submit
  • C:\Windows\Installer\MSI114F.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit
  • C:\Windows\Installer\MSI114F.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit
  • C:\Windows\Installer\MSI16EE.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit
  • C:\Windows\Installer\MSI16EE.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit
  • C:\Windows\Installer\MSI174C.tmp
    MD5

    7e68b9d86ff8fafe995fc9ea0a2bff44

    SHA1

    06afc5448037dc419013c3055f61836875bc5e02

    SHA256

    fb4ff113ee64dd8d9aa92a3b5c1d1cd0896a1cc8b4c3768d1cacde2f52f41d58

    SHA512

    6e22afd350f376969de823b033394324d3c2433c196515624a84b8e5160ea228fdaac0699e76466ae1f30155fc44f61697efb9e1eca9a67670aff25e6ee67a5c

    Download Submit
  • C:\Windows\Installer\MSI174C.tmp
    MD5

    7e68b9d86ff8fafe995fc9ea0a2bff44

    SHA1

    06afc5448037dc419013c3055f61836875bc5e02

    SHA256

    fb4ff113ee64dd8d9aa92a3b5c1d1cd0896a1cc8b4c3768d1cacde2f52f41d58

    SHA512

    6e22afd350f376969de823b033394324d3c2433c196515624a84b8e5160ea228fdaac0699e76466ae1f30155fc44f61697efb9e1eca9a67670aff25e6ee67a5c

    Download Submit
  • C:\Windows\Installer\MSI23B1.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit
  • C:\Windows\Installer\MSI23B1.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit
  • C:\Windows\Installer\MSI2D29.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit
  • C:\Windows\Installer\MSI2D29.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit
  • C:\Windows\Installer\MSI2F1E.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit
  • C:\Windows\Installer\MSI2F1E.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit
  • C:\Windows\Installer\MSI3180.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit
  • C:\Windows\Installer\MSI3180.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit
  • C:\Windows\Installer\MSI5093.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit
  • C:\Windows\Installer\MSI5093.tmp
    MD5

    dd777abc5e3abff6e35f866470fd8d2d

    SHA1

    11d68b3cf2f9628729622e76e82ce58f3b8d4561

    SHA256

    c1c922e7b8addf20a1f8c01fb7333e4341e5bd43ea90b82025e4402cd016d3ed

    SHA512

    aa21b5d920ac9260eb35a421f071c95e83c31a5545762ca12f2b8a05a543d4ac90095ace83c37aa3b3c69135dee091e0be7e38a2bca45a474362da479c3b0c1e

    Download Submit
  • C:\Windows\Installer\MSI5288.tmp
    MD5

    a34d4f165087b11d9e06781d52262868

    SHA1

    1b7b6a5bb53b7c12fb45325f261ad7a61b485ce1

    SHA256

    55ad26c17f4aac71e6db6a6edee6ebf695510dc7e533e3fee64afc3eb06291e5

    SHA512

    aa62ff3b601ddb83133dd3659b0881f523454dc7eea921da7cfefc50426e70bb36b4ebc337a8f16620da610784a81a8e4aa1cf5e0959d28aa155d1f026a81aaf

    Download Submit
  • C:\Windows\Installer\MSIE6B4.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit
  • C:\Windows\Installer\MSIE6B4.tmp
    MD5

    305a50c391a94b42a68958f3f89906fb

    SHA1

    4110d68d71f3594f5d3bdfca91a1c759ab0105d4

    SHA256

    f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

    SHA512

    fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

    Download Submit
  • memory/1688-159-0x0000000008E40000-0x000000000974F000-memory.dmp
    Filesize

    9.1MB

    Download
  • memory/1688-164-0x0000000006E90000-0x0000000006E91000-memory.dmp
    Filesize

    4KB

    Download