latentbot | 0dae1e15c6646388022b6e2cc42f68b8bfde13788c058da910b6964702d0f49e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-es
resource tags

arch:x64arch:x86image:win10v2004-20240426-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
08-05-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dae1e15c6646388022b6e2cc42f68b8bfde13788c058da910b6964702d0f49e.msi
Size

20.0MB
MD5

03766b0b5b499a0b74b00e30ef8ddfc9
SHA1

c228b53117e28553e5eb392d932c2d0873cb8252
SHA256

0dae1e15c6646388022b6e2cc42f68b8bfde13788c058da910b6964702d0f49e
SHA512

a970821edc247afcc96671cd25e2eb3c2accfa949c9bf6a2826134cebc3fe83658e46cb066a595f19581be9ba537f398f2e944d4dccce26b9e7555d3a3f67a28
SSDEEP

196608:Ya++UP3yS4F0PIHrKjvOSEyOd37sc0/r/dolYrZjO:Ya+uJBOjvwZ8/r/7Zq

Score

10^/10

latentbot persistence trojan

Malware Config

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sgcs7lrs = "C:\\qutj2yhf\\fghn.exe"	fghn.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	924	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{XO2OLUDZ-LYA8-MHV3-5EEB-JRPHJ9U9B2RM}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI426D.tmp	msiexec.exe
File created	C:\Windows\Installer\e573f0c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4036.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4085.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40D5.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e573f0c.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
5144	fghn.exe

Loads dropped DLL 7 IoCs

pid	Process
924	MsiExec.exe
924	MsiExec.exe
924	MsiExec.exe
924	MsiExec.exe
924	MsiExec.exe
5144	fghn.exe
5144	fghn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3512	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1876	msiexec.exe
1876	msiexec.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe
5144	fghn.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5144	fghn.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4768	msiexec.exe
Token: SeSecurityPrivilege	1876	msiexec.exe
Token: SeCreateTokenPrivilege	4768	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4768	msiexec.exe
Token: SeLockMemoryPrivilege	4768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4768	msiexec.exe
Token: SeMachineAccountPrivilege	4768	msiexec.exe
Token: SeTcbPrivilege	4768	msiexec.exe
Token: SeSecurityPrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeLoadDriverPrivilege	4768	msiexec.exe
Token: SeSystemProfilePrivilege	4768	msiexec.exe
Token: SeSystemtimePrivilege	4768	msiexec.exe
Token: SeProfSingleProcessPrivilege	4768	msiexec.exe
Token: SeIncBasePriorityPrivilege	4768	msiexec.exe
Token: SeCreatePagefilePrivilege	4768	msiexec.exe
Token: SeCreatePermanentPrivilege	4768	msiexec.exe
Token: SeBackupPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeShutdownPrivilege	4768	msiexec.exe
Token: SeDebugPrivilege	4768	msiexec.exe
Token: SeAuditPrivilege	4768	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4768	msiexec.exe
Token: SeChangeNotifyPrivilege	4768	msiexec.exe
Token: SeRemoteShutdownPrivilege	4768	msiexec.exe
Token: SeUndockPrivilege	4768	msiexec.exe
Token: SeSyncAgentPrivilege	4768	msiexec.exe
Token: SeEnableDelegationPrivilege	4768	msiexec.exe
Token: SeManageVolumePrivilege	4768	msiexec.exe
Token: SeImpersonatePrivilege	4768	msiexec.exe
Token: SeCreateGlobalPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4768	msiexec.exe
5144	fghn.exe
5144	fghn.exe
4768	msiexec.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5144	fghn.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
924	MsiExec.exe
924	MsiExec.exe
924	MsiExec.exe
5144	fghn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 924	1876	msiexec.exe	85
PID 1876 wrote to memory of 924	1876	msiexec.exe	85
PID 1876 wrote to memory of 924	1876	msiexec.exe	85
PID 924 wrote to memory of 5144	924	MsiExec.exe	95
PID 924 wrote to memory of 5144	924	MsiExec.exe	95
PID 924 wrote to memory of 5144	924	MsiExec.exe	95
PID 5144 wrote to memory of 4744	5144	fghn.exe	99
PID 5144 wrote to memory of 4744	5144	fghn.exe	99
PID 5144 wrote to memory of 4744	5144	fghn.exe	99
PID 4744 wrote to memory of 3512	4744	cmd.exe	101
PID 4744 wrote to memory of 3512	4744	cmd.exe	101
PID 4744 wrote to memory of 3512	4744	cmd.exe	101

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0dae1e15c6646388022b6e2cc42f68b8bfde13788c058da910b6964702d0f49e.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9977E133C4F0290B49CBDFFBE46E967F
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\qutj2yhf\fghn.exe
    "C:\qutj2yhf\fghn.exe"
    3⤵
    - Adds Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5144
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ipconfig /renew
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI3F89.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI426D.tmp

Filesize
18.8MB

MD5
8cc479cfdbbc3aac07a49d58a47ced81

SHA1
b0153242fa9f8b5646eb0d77fca62d338908fc2b

SHA256
22ea13c175a4bb34b6095150a0ba93a6b640ca3b4b0d5f52f35338359ac25f05

SHA512
bf8c54b99cb6237aadcf19f1a35cbe222ee6419194e7ba83673fee6557a92da29b8c10c09c4f9399c52378fcebb546b4782c216a8c9c0757d3b5ad216f0e0cde

Download Submit
C:\qutj2yhf\fghn.exe

Filesize
5.7MB

MD5
b43c99c9e4b57ea9fef141ac306e59fe

SHA1
b4f15a82fd94043f94267fe8948a2d402176f731

SHA256
437d592cec3a0085b89f21ba1bcf41f6d62c9ce7cca7fe2452eebb567ffb9d06

SHA512
7c1d39fa3f0c58939000722fc2a6a3155e12444e1986317775158019b6915225255b86c7f16d5afaf10223e8ab0f9b3c9357eda19e7f5f716ee14f3da5e6e1c9

Download Submit
C:\qutj2yhf\tont.dll

Filesize
1.5MB

MD5
9982dd5b2f0c21404a2025db4900966e

SHA1
43484b55d1ba57fc05234aa8c05c0d4adb78239c

SHA256
e0e888371dfe14b8e2e8115bab277d1f17bffbff2a83fe6e259edf7e05cc6267

SHA512
0c89a65b4e3fdd0dfc1a1dbd4bca458cd386e1d42e78baa19d8860bb49a9164607475db9a455e42fd58008e0a5c9bbeaa40cdd1ba868bbd696873cfbe3ed311e

Download Submit
memory/924-26-0x0000000072CC0000-0x0000000074043000-memory.dmp

Filesize
19.5MB

Download
memory/5144-70-0x0000000007530000-0x00000000076B4000-memory.dmp

Filesize
1.5MB

Download
memory/5144-78-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-66-0x0000000007530000-0x00000000076B4000-memory.dmp

Filesize
1.5MB

Download
memory/5144-69-0x0000000007530000-0x00000000076B4000-memory.dmp

Filesize
1.5MB

Download
memory/5144-68-0x0000000007530000-0x00000000076B4000-memory.dmp

Filesize
1.5MB

Download
memory/5144-71-0x0000000007530000-0x00000000076B4000-memory.dmp

Filesize
1.5MB

Download
memory/5144-72-0x0000000007530000-0x00000000076B4000-memory.dmp

Filesize
1.5MB

Download
memory/5144-64-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-73-0x0000000007530000-0x00000000076B4000-memory.dmp

Filesize
1.5MB

Download
memory/5144-75-0x0000000000400000-0x0000000000AC9000-memory.dmp

Filesize
6.8MB

Download
memory/5144-76-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-67-0x0000000007530000-0x00000000076B4000-memory.dmp

Filesize
1.5MB

Download
memory/5144-80-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-83-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-85-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-88-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-90-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-92-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-94-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-96-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-98-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download
memory/5144-100-0x0000000003A60000-0x0000000004A68000-memory.dmp

Filesize
16.0MB

Download