Analysis
-
max time kernel
709s -
max time network
644s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-es -
resource tags
-
submitted
05/05/2023, 18:01
General
-
Target
Archivo.EndesaFactur-A4-SIMPLEX-TLLK_B23032023E294942222422244454.MSI.msi
-
Size
3.0MB
-
MD5
f8e3482185e2c916fc032786e676d320
-
SHA1
f605b599179349ec50919c521191daf718a587c8
-
SHA256
3e033ac5385c7a77ef87090674c19061d8fce08a48d451d78a03d32eda516243
-
SHA512
1024136d4fbcfe68de382d22fb160b16ed9a95e54ccf240a0a09c27bf49bd0ec3e7f0ad15e35701698a0d49cf0bda7649a66cf81db19ec272fe501517db8987e
-
SSDEEP
49152:LoYafBZfn6JDi5FQ5dtSdgIH/5roi5VzQ78r6F5mCmR+CYuNA:YfPf/BoEzMo6cYIA
Malware Config
Signatures
-
Detects Grandoreiro payload 5 IoCs
-
Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
-
Blocklisted process makes network request 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Archivo.EndesaFactur-A4-SIMPLEX-TLLK_B23032023E294942222422244454.MSI.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C8C905ADEA3C2DE5E53CEAE10C9A33AB2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Spainguide\HostFx.exe"C:\Spainguide\HostFx.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffff16d9758,0x7ffff16d9768,0x7ffff16d97782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1840,i,13304500837112833523,5921342494895996391,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 --field-trial-handle=1840,i,13304500837112833523,5921342494895996391,131072 /prefetch:82⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff16d9758,0x7ffff16d9768,0x7ffff16d97782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1860,i,1916871067672131456,6116658212891071274,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1860,i,1916871067672131456,6116658212891071274,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffff16d9758,0x7ffff16d9768,0x7ffff16d97782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1904,i,6491475709538036479,7620396588446819981,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1904,i,6491475709538036479,7620396588446819981,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1904,i,6491475709538036479,7620396588446819981,131072 /prefetch:82⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
815B
MD534fd28f388ed470c84713f7324f0107b
SHA1cf4b38e3281ad5b2f0611db93c740ccc36341a05
SHA2568669853279b192154b1363a1cfae6018d199169f0fe1c888253a2f7d34f60986
SHA5127c11c91e7ef39ae566edef36abd5df6a0ba96d818977e59b609a2a8af6db5fa07c97fbd799a8ff178443ac722a692986a6933cc4e74197ec22ab211aa521cba9
-
Filesize
2.2MB
MD5b5485d229f8078575d639fb903b4fca7
SHA16a67a6bb694df592819d398a645504b2c7a2221c
SHA2569625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782
SHA5125d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8
-
Filesize
2.2MB
MD5b5485d229f8078575d639fb903b4fca7
SHA16a67a6bb694df592819d398a645504b2c7a2221c
SHA2569625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782
SHA5125d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8
-
Filesize
2.2MB
MD5b5485d229f8078575d639fb903b4fca7
SHA16a67a6bb694df592819d398a645504b2c7a2221c
SHA2569625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782
SHA5125d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8
-
Filesize
1.2MB
MD54003e34416ebd25e4c115d49dc15e1a7
SHA1faf95ec65cde5bd833ce610bb8523363310ec4ad
SHA256c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f
SHA51288f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84
-
Filesize
1.2MB
MD54003e34416ebd25e4c115d49dc15e1a7
SHA1faf95ec65cde5bd833ce610bb8523363310ec4ad
SHA256c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f
SHA51288f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84
-
Filesize
13.0MB
MD587c7411e05ff159a3707869adc9d5c01
SHA1d147cfdc5d2ea979aa757423a0a22577c45acbe1
SHA256207d66dae08ca39065019355802604768b213ed2817e78bea128f136784af6a7
SHA512a5a22ed12fa2ea7d343fa38e527fab8735924e350dd138b72e2bec4417825b8bab52e6814ced320f67030fa3a0b88afd7a50ac1714476f40d9ec54c33acae922
-
Filesize
33.9MB
MD560e42461cb89d736403e7a2241b53f5a
SHA1e0a6ebb90d891c7b9e565cec91a0ce7ccf8d85fe
SHA25699f5e8c8fbcf05e62af0ba78f3d791359930da1d343c04149b2a9b53ed0bb35b
SHA5125cda1a3f189915703a4fa2634201c729d98b9f98d5b2b4ae52e5a0fe1cff4522a2a736e9a443bc12805cbd343c1d455fbced02fa2ca52ade0a44267ceac5cfa1
-
Filesize
33.9MB
MD560e42461cb89d736403e7a2241b53f5a
SHA1e0a6ebb90d891c7b9e565cec91a0ce7ccf8d85fe
SHA25699f5e8c8fbcf05e62af0ba78f3d791359930da1d343c04149b2a9b53ed0bb35b
SHA5125cda1a3f189915703a4fa2634201c729d98b9f98d5b2b4ae52e5a0fe1cff4522a2a736e9a443bc12805cbd343c1d455fbced02fa2ca52ade0a44267ceac5cfa1
-
Filesize
33.9MB
MD560e42461cb89d736403e7a2241b53f5a
SHA1e0a6ebb90d891c7b9e565cec91a0ce7ccf8d85fe
SHA25699f5e8c8fbcf05e62af0ba78f3d791359930da1d343c04149b2a9b53ed0bb35b
SHA5125cda1a3f189915703a4fa2634201c729d98b9f98d5b2b4ae52e5a0fe1cff4522a2a736e9a443bc12805cbd343c1d455fbced02fa2ca52ade0a44267ceac5cfa1
-
Filesize
40B
MD5725dfadacd7b746ba806f956314d8daf
SHA1a217932961c1c5e788d3e2ec98f0451431d564a3
SHA2565b496c58006f91bd0a1b1c08789fcf0415cf2ff1c0ed2044e9dd0f0a7d29679c
SHA512ab63cfcd15058ddef4623d6da2e286658a5d225e31261a55829b1a4d77b92d91dc18d02cd71a5c0bab2d2a395a1d7aa91194764c3eb3fe6b2632e25002c9c8c0
-
Filesize
40B
MD5725dfadacd7b746ba806f956314d8daf
SHA1a217932961c1c5e788d3e2ec98f0451431d564a3
SHA2565b496c58006f91bd0a1b1c08789fcf0415cf2ff1c0ed2044e9dd0f0a7d29679c
SHA512ab63cfcd15058ddef4623d6da2e286658a5d225e31261a55829b1a4d77b92d91dc18d02cd71a5c0bab2d2a395a1d7aa91194764c3eb3fe6b2632e25002c9c8c0
-
Filesize
40B
MD5725dfadacd7b746ba806f956314d8daf
SHA1a217932961c1c5e788d3e2ec98f0451431d564a3
SHA2565b496c58006f91bd0a1b1c08789fcf0415cf2ff1c0ed2044e9dd0f0a7d29679c
SHA512ab63cfcd15058ddef4623d6da2e286658a5d225e31261a55829b1a4d77b92d91dc18d02cd71a5c0bab2d2a395a1d7aa91194764c3eb3fe6b2632e25002c9c8c0
-
Filesize
40B
MD5725dfadacd7b746ba806f956314d8daf
SHA1a217932961c1c5e788d3e2ec98f0451431d564a3
SHA2565b496c58006f91bd0a1b1c08789fcf0415cf2ff1c0ed2044e9dd0f0a7d29679c
SHA512ab63cfcd15058ddef4623d6da2e286658a5d225e31261a55829b1a4d77b92d91dc18d02cd71a5c0bab2d2a395a1d7aa91194764c3eb3fe6b2632e25002c9c8c0
-
Filesize
40B
MD5725dfadacd7b746ba806f956314d8daf
SHA1a217932961c1c5e788d3e2ec98f0451431d564a3
SHA2565b496c58006f91bd0a1b1c08789fcf0415cf2ff1c0ed2044e9dd0f0a7d29679c
SHA512ab63cfcd15058ddef4623d6da2e286658a5d225e31261a55829b1a4d77b92d91dc18d02cd71a5c0bab2d2a395a1d7aa91194764c3eb3fe6b2632e25002c9c8c0
-
Filesize
14B
MD59eae63c7a967fc314dd311d9f46a45b7
SHA1caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA2564288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8
-
Filesize
86B
MD5961e3604f228b0d10541ebf921500c86
SHA16e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
Filesize
86B
MD516b7586b9eba5296ea04b791fc3d675e
SHA18890767dd7eb4d1beab829324ba8b9599051f0b0
SHA256474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680
SHA51258668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771
-
Filesize
85B
MD5bc6142469cd7dadf107be9ad87ea4753
SHA172a9aa05003fab742b0e4dc4c5d9eda6b9f7565c
SHA256b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557
SHA51247d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182
-
Filesize
2.3MB
MD5997dd8e1f951664764d16d33fac161d2
SHA1a7d5542193af4d8caec561940174b1bff3e1167f
SHA25670f987fab68e6d87aa1aa6e98fc76acb20f8e8fd8621e56c5764f48c3aa517bd
SHA512d08e644e741f985e5b2ec65f6fe0eead3707a7cb7a26c4ad8063d559e4a32bce79d1daef12c556a874f9cac043dac995d1e65ae775879a63dd608f6ea5b85dde
-
Filesize
2.3MB
MD5997dd8e1f951664764d16d33fac161d2
SHA1a7d5542193af4d8caec561940174b1bff3e1167f
SHA25670f987fab68e6d87aa1aa6e98fc76acb20f8e8fd8621e56c5764f48c3aa517bd
SHA512d08e644e741f985e5b2ec65f6fe0eead3707a7cb7a26c4ad8063d559e4a32bce79d1daef12c556a874f9cac043dac995d1e65ae775879a63dd608f6ea5b85dde
-
Filesize
557KB
MD52c9c51ac508570303c6d46c0571ea3a1
SHA1e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127
-
Filesize
557KB
MD52c9c51ac508570303c6d46c0571ea3a1
SHA1e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127
-
Filesize
557KB
MD52c9c51ac508570303c6d46c0571ea3a1
SHA1e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127
-
Filesize
557KB
MD52c9c51ac508570303c6d46c0571ea3a1
SHA1e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127
-
Filesize
4KB
-
Filesize
34.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
34.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB