9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240419-es
resource tags

arch:x64arch:x86image:win7-20240419-eslocale:es-esos:windows7-x64systemwindows
submitted
22-05-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984.msi
Size

35.1MB
MD5

b07dee479dd11163d584db2aa86e9c45
SHA1

2394974e832831f0c9a3e38fe3706cf7e2c2fa94
SHA256

9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984
SHA512

597268d6a37f9edaf45d10e97b7e23fa5da2f8c2b1af58921474f1b2bc87e79e323870153df34a488761c1475f531d2fa1b4c7fc86723a95c629713a5946a421
SSDEEP

786432:Wlw27h2QVu9cCct5rB9rIX9gW6cnzELhEe2x53gp7fq2xX:WlLA+ptO2Cnne2xU7fq2

Score

10^/10

banker execution

Malware Config

Signatures

Detects common strings, DLL and API in Banker_BR 1 IoCs

Hunting by known PDB files - Trojan Banker LATAM.

banker

Processes:

resource	yara_rule
C:\Windows\Installer\f7620aa.msi	Detect_MSI_LATAM_Banker_From_LatAm

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

3 1952 msiexec.exe
5 1952 msiexec.exe
6 1152 msiexec.exe

flow	pid	process
3	1952	msiexec.exe
5	1952	msiexec.exe
6	1152	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f7620aa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7620aa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2480.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f7620af.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7620ad.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI256B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2657.tmp	msiexec.exe
File created	C:\Windows\Installer\f7620ad.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A6D.tmp	msiexec.exe

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exe

pid process

1720 MsiExec.exe
1720 MsiExec.exe
1720 MsiExec.exe
1720 MsiExec.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2348 powershell.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exemsiexec.exe

pid process

2348 powershell.exe
1152 msiexec.exe
1152 msiexec.exe

pid	process
1720	MsiExec.exe
1720	MsiExec.exe
1720	MsiExec.exe
1720	MsiExec.exe

pid	process
2348	powershell.exe

pid	process
2348	powershell.exe
1152	msiexec.exe
1152	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeSecurityPrivilege	1152	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1952	msiexec.exe
Token: SeLockMemoryPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeMachineAccountPrivilege	1952	msiexec.exe
Token: SeTcbPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeLoadDriverPrivilege	1952	msiexec.exe
Token: SeSystemProfilePrivilege	1952	msiexec.exe
Token: SeSystemtimePrivilege	1952	msiexec.exe
Token: SeProfSingleProcessPrivilege	1952	msiexec.exe
Token: SeIncBasePriorityPrivilege	1952	msiexec.exe
Token: SeCreatePagefilePrivilege	1952	msiexec.exe
Token: SeCreatePermanentPrivilege	1952	msiexec.exe
Token: SeBackupPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeDebugPrivilege	1952	msiexec.exe
Token: SeAuditPrivilege	1952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1952	msiexec.exe
Token: SeChangeNotifyPrivilege	1952	msiexec.exe
Token: SeRemoteShutdownPrivilege	1952	msiexec.exe
Token: SeUndockPrivilege	1952	msiexec.exe
Token: SeSyncAgentPrivilege	1952	msiexec.exe
Token: SeEnableDelegationPrivilege	1952	msiexec.exe
Token: SeManageVolumePrivilege	1952	msiexec.exe
Token: SeImpersonatePrivilege	1952	msiexec.exe
Token: SeCreateGlobalPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1952 msiexec.exe
1952 msiexec.exe

pid	process
1952	msiexec.exe
1952	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 1152 wrote to memory of 1720	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1720	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1720	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1720	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1720	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1720	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 1720	1152	msiexec.exe	MsiExec.exe
PID 1720 wrote to memory of 2348	1720	MsiExec.exe	powershell.exe
PID 1720 wrote to memory of 2348	1720	MsiExec.exe	powershell.exe
PID 1720 wrote to memory of 2348	1720	MsiExec.exe	powershell.exe
PID 1720 wrote to memory of 2348	1720	MsiExec.exe	powershell.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1952

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F35271BB20CF2755C9220ED0177DA85F
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss26B6.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi26B3.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr26B4.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr26B5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7620ae.rbs

Filesize
18KB

MD5
c19b9a066e1aab4194935d1acd707d59

SHA1
1d482ba462c953a64956c2c9698f3b25ac692915

SHA256
3f40b6a94f0f2eb627b910148ea40ce998701f4681860853e7ffb9783cd2bd19

SHA512
877568c44c0d7b76656f91be458ad2eccf1be7d11f27df474a55f8d0dd5da9402d9a44c11a7f55565bb6a8939a414cfcac78b7f9b291ed27686c9de19b0e1bfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Filesize
1KB

MD5
e94fb54871208c00df70f708ac47085b

SHA1
4efc31460c619ecae59c1bce2c008036d94c84b8

SHA256
7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

SHA512
2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0802d63afb4d29318e47c440c3e579c1

SHA1
0ffe7ab8d9d69de298efa605c9a9049f8e5d0228

SHA256
7e42e8b4b31eed2cc19e1645c13844da0ade62895b25b7e598cf4bfcccf6cda7

SHA512
81e9946f02c703c0fd0cc71fe937565a1b9a336a5360278ea749bdbe806cb025c9c8489ad1f7074858a5fe50b8c52f29195a9bac5d246df4a3b83b30f46d5c77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

Filesize
264B

MD5
0191c0eb901eb372c5681946ac0d8971

SHA1
a53ba2c4aeac9c469685ea6adbade8c70cb392d5

SHA256
290e2b9ada7f531ae0c7aeb6823dbc6ef9fafef00f0284128407564f9f923f17

SHA512
511f7d2f2665959750dc90533b660b01876dca7dc7bbe0568b4c28cd8ceec5ea4f8aa6410e4e500897b4672e3a27c03d5efa9db05346008c65888e22c108a8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1DEE.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E01.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msi26B3.txt

Filesize
54B

MD5
db420131f396adc6189eb74ccab4ef61

SHA1
f7a0653289e00ae8a37836e4bb0c484a5434f4db

SHA256
20712a091c0903c153ec0394f349e4e687fc16980c77434fab8af6c768b4de22

SHA512
8f29ec5eae268faa330bc71859bada8e36b6f53e27d819dff04451de2cb644307c80f64f71b5768906a6c5eb28e5e77f4a1b23dde01bbfa0e6b9575c4fd92f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss26B6.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr26B4.ps1

Filesize
552B

MD5
28092a78f6d43ad61f2750b30c1bc806

SHA1
e156c50e96ee75dd9ae92b9690e32cd4e941d4e4

SHA256
3177bc9b9c760da0ebb5c84b8cabafc7fcc42aadadb25a2ab218feb27da72657

SHA512
08cc1750e8ba5061f2ba495712c3482510ddd19c2a50828217149d5fcf3170df1d309cef2d8bee8e334a77587fc3afaed7e0fc73e85020f2b671e70d0981814e

Download Submit
C:\Users\Admin\AppData\Roaming\Tyzoc Viqbi\AppIvl\libpcre-1.dll

Filesize
891KB

MD5
573d5edbf18f37e65445ea4f076bc087

SHA1
218148a8b9bc7e3d431dac638d63e7abdf9b1f31

SHA256
61390b92e203b65e0a2a856c38931a0e0250f2755ee99f240affb94d90ddd283

SHA512
c3436deaa132de1e1b6e283cc445fa55a0317d6874ea7d59e22ecae1b4678959e394dc999ab19168054d2f7e8f652e7d9a021bfbfafcc577fa1c0bbdcea75393

Download Submit
C:\Windows\Installer\MSI2480.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI2657.tmp

Filesize
758KB

MD5
fb4665320c9da54598321c59cc5ed623

SHA1
89e87b3cc569edd26b5805244cfacb2f9c892bc7

SHA256
9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59

SHA512
b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

Download Submit
C:\Windows\Installer\f7620aa.msi

Filesize
35.1MB

MD5
b07dee479dd11163d584db2aa86e9c45

SHA1
2394974e832831f0c9a3e38fe3706cf7e2c2fa94

SHA256
9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984

SHA512
597268d6a37f9edaf45d10e97b7e23fa5da2f8c2b1af58921474f1b2bc87e79e323870153df34a488761c1475f531d2fa1b4c7fc86723a95c629713a5946a421

Download Submit