Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
18-01-2023 23:22
General
-
Target
AnyDeskAPP.msi
-
Size
1.4MB
-
MD5
4e4a4a4eb6a77d72af83b2bbd0698593
-
SHA1
dbaeba54fcae50acc36565d0f61ad73df6df7d45
-
SHA256
58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a
-
SHA512
69785dadc878bd1178672a8f08590eeccd268b4fd2107ae3909e59fba03e7cfa425f690580dfcfa1f5ec3e494e5ef0b7232a16a26c8fbf734ef3887da4044ccb
-
SSDEEP
24576:Y+rwxLNjY3Wx0ECIgYmfLVYeBZrWAv12h2SekeUuyZD6lvs0zqa3:TrMjYMZKumZrWAWTreUuyZD6lvVz9
Malware Config
Signatures
-
Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 30 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 20 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AnyDeskAPP.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 03DBF4BBF1A45C32A415CEE91B31006E2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9CFF.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9CCD.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9CDD.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9CDE.txt" -propSep " :<->: " -testPrefix "_testValue."3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\já\paradoxo\Winexímio.exe"C:\já\paradoxo\Winexímio.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "0000000000000588"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:516 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\pss9CFF.ps1Filesize
5KB
MD5fc1bb6c87fd1f08b534e52546561c53c
SHA1db402c5c1025cf8d3e79df7b868fd186243aa9d1
SHA256a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b
SHA5125495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86
-
C:\Users\Admin\AppData\Local\Temp\scr9CDD.ps1Filesize
17KB
MD57c5b73168b207a9c580eb62dd1588fef
SHA1cdd8f39b7a12aa0b3c62a3c0c19572976d0444dc
SHA2566d6b711685d829f27fcfe579853e43d993bf6e935085161d0dbee6abb43f60d5
SHA5127ea9836bc57698341d18154e1b76ea6d1ee67b68504c2076b7125374c63298a9bf3580b4d2c2936ab19d0831940bb927171b6ad5a46fb87caf7f43b2b82696f9
-
C:\Windows\Installer\MSI8D81.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI9011.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI90BE.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI9A23.tmpFilesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
C:\já\paradoxo\Winexímio.exeFilesize
5.5MB
MD5caa7805c7dc283359293bae074cb85ec
SHA1f21c4880fbf40b8f03ed8954263106d814ac014d
SHA256e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23
SHA512206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1
-
C:\já\paradoxo\Winexímio.exeFilesize
5.5MB
MD5caa7805c7dc283359293bae074cb85ec
SHA1f21c4880fbf40b8f03ed8954263106d814ac014d
SHA256e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23
SHA512206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1
-
C:\já\paradoxo\vendingFilesize
89.4MB
MD53c6ef07082ae5cd1cdbb4c272f1da202
SHA14bbc70f293110dae93746e8a1fe7c5a47d1f33ec
SHA2562bd1e88bcdd6377d1fa2a8f12b1ffec9c1a73e4aeea4a9eea31c359880a17b4c
SHA512432d6c249b4b000c5cdf9600f8ca3f7771e55d41152abbc398b70a5b8cc5bd3d867a7febbd7b4d07186a519b04a7f552aa25712c099b16ebdb4575a751c73ee9
-
\Windows\Installer\MSI8D81.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
\Windows\Installer\MSI9011.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
\Windows\Installer\MSI90BE.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
\Windows\Installer\MSI9A23.tmpFilesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
\já\paradoxo\Winexímio.exeFilesize
5.5MB
MD5caa7805c7dc283359293bae074cb85ec
SHA1f21c4880fbf40b8f03ed8954263106d814ac014d
SHA256e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23
SHA512206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1
-
memory/904-54-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmpFilesize
8KB
-
memory/976-92-0x000000000A040000-0x000000000F9B6000-memory.dmpFilesize
89.5MB
-
memory/976-87-0x000000000FB50000-0x000000000FD13000-memory.dmpFilesize
1.8MB
-
memory/976-73-0x0000000000000000-mapping.dmp
-
memory/976-105-0x000000000A040000-0x000000000F9B6000-memory.dmpFilesize
89.5MB
-
memory/976-76-0x0000000000CC0000-0x0000000001E20000-memory.dmpFilesize
17.4MB
-
memory/976-77-0x0000000000CC0000-0x0000000001E20000-memory.dmpFilesize
17.4MB
-
memory/976-78-0x0000000000CC0000-0x0000000001E20000-memory.dmpFilesize
17.4MB
-
memory/976-79-0x00000000778E0000-0x0000000077A60000-memory.dmpFilesize
1.5MB
-
memory/976-80-0x0000000000CC0000-0x0000000001E20000-memory.dmpFilesize
17.4MB
-
memory/976-81-0x0000000000CC0000-0x0000000001E20000-memory.dmpFilesize
17.4MB
-
memory/976-82-0x0000000000CC0000-0x0000000001E20000-memory.dmpFilesize
17.4MB
-
memory/976-83-0x0000000000CC0000-0x0000000001E20000-memory.dmpFilesize
17.4MB
-
memory/976-103-0x0000000010510000-0x0000000010548000-memory.dmpFilesize
224KB
-
memory/976-85-0x0000000000540000-0x000000000054D000-memory.dmpFilesize
52KB
-
memory/976-86-0x000000000F9C0000-0x000000000FB50000-memory.dmpFilesize
1.6MB
-
memory/976-102-0x0000000010070000-0x0000000010089000-memory.dmpFilesize
100KB
-
memory/976-101-0x0000000010410000-0x0000000010486000-memory.dmpFilesize
472KB
-
memory/976-90-0x0000000003220000-0x000000000323C000-memory.dmpFilesize
112KB
-
memory/976-100-0x0000000003880000-0x00000000038AB000-memory.dmpFilesize
172KB
-
memory/976-91-0x0000000003690000-0x0000000003727000-memory.dmpFilesize
604KB
-
memory/976-93-0x00000000035C0000-0x0000000003639000-memory.dmpFilesize
484KB
-
memory/976-95-0x000000000FF30000-0x0000000010060000-memory.dmpFilesize
1.2MB
-
memory/976-96-0x0000000003840000-0x0000000003871000-memory.dmpFilesize
196KB
-
memory/976-97-0x00000000108D0000-0x0000000010CDB000-memory.dmpFilesize
4.0MB
-
memory/976-98-0x00000000101A0000-0x0000000010243000-memory.dmpFilesize
652KB
-
memory/976-99-0x000000000FE50000-0x000000000FEDE000-memory.dmpFilesize
568KB
-
memory/1620-56-0x0000000000000000-mapping.dmp
-
memory/1620-57-0x0000000075E11000-0x0000000075E13000-memory.dmpFilesize
8KB
-
memory/1944-71-0x00000000727C0000-0x0000000073CE8000-memory.dmpFilesize
21.2MB
-
memory/1944-66-0x0000000000000000-mapping.dmp
-
memory/1944-68-0x00000000727C0000-0x0000000073CE8000-memory.dmpFilesize
21.2MB