Analysis
max time kernel: 142s
max time network: 145s
platform: windows7_x64
resource: win7-20240508-es
resource tags: arch:x64, arch:x86, image:win7-20240508-es, locale:es-es, os:windows7-x64, system:windows
submitted: 24-05-2024 13:04
Behavioral task: behavioral1
Sample: 31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
Resource: win7-20240508-es
Behavioral task: behavioral2
Sample: 31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
Resource: win10v2004-20240508-es
General
Target: 31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
Size: 22.5MB
MD5: c2d9c997a03a4d9fe786f484e2a720c8
SHA1: 727f6b71a79e57008799dd25616af036d58d9e93
SHA256: 31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a
SHA512: a504b4b9278d5daf5b4bbb1b991b8044bb857075bbc6f7f839f7535b04171d18c22fe7c308a51f2dc0e8cf701ecaf7daa18d0e869c7962a51c93bfa26999a96d
SSDEEP: 393216:rfwpJKaB9QEyLiZWGGpNmUwXTGH8L6O5oBvM18+fQuQY68WR3tgFJHciJ:DR5+ZlxUKTOO5sA8mQiB63iHrJ
Malware Config
Signatures
Detects common strings, DLL and API in Banker_BR (1 IoC)
Hunting by known PDB files - Trojan Banker LATAM.
Processes:
  resource: C:\Windows\Installer\f76275e.msi
  yara_rule: Detect_MSI_LATAM_Banker_From_LatAm

Hunting by known EXPORT - Trojan Banker LATAM. (1 IoC)
Processes:
  resource: C:\Users\Admin\Nota Fiscal Eletronica\AGLoader.dll
  yara_rule: Detect_Suspicious_Export_PE_Banker

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: LKdayanJELT9QDD900055.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro = "C:\\Users\\Admin\\Nota Fiscal Eletronica\\LKdayanJELT9QDD900055.exe" (process: LKdayanJELT9QDD900055.exe)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  File opened (read-only) by msiexec.exe, in the order recorded:
  \??\E:, \??\L:, \??\Q:, \??\Z:, \??\L:, \??\N:, \??\U:, \??\V:, \??\Y:, \??\A:, \??\B:, \??\K:, \??\V:, \??\Z:, \??\A:, \??\J:, \??\P:, \??\I:, \??\T:, \??\Y:, \??\W:, \??\B:, \??\K:, \??\N:, \??\O:, \??\J:, \??\Q:, \??\S:, \??\G:, \??\H:, \??\E:, \??\H:, \??\M:, \??\R:, \??\I:, \??\T:, \??\W:, \??\G:, \??\O:, \??\P:, \??\X:, \??\R:, \??\S:, \??\X:, \??\M:, \??\U:
Drops file in Windows directory (10 IoCs)
Processes: msiexec.exe
  File created: C:\Windows\Installer\f762761.ipi
  File created: C:\Windows\Installer\f762763.msi
  File opened for modification: C:\Windows\Installer\f762761.ipi
  File opened for modification: C:\Windows\Installer\f76275e.msi
  File opened for modification: C:\Windows\Installer\MSI2878.tmp
  File opened for modification: C:\Windows\Installer\MSI28B8.tmp
  File opened for modification: C:\Windows\Installer\MSI2A5E.tmp
  File created: C:\Windows\Installer\f76275e.msi
  File opened for modification: C:\Windows\Installer\MSI27DB.tmp
  File opened for modification: C:\Windows\Installer\

Executes dropped EXE (1 IoC)
Processes: LKdayanJELT9QDD900055.exe
  PID 2036 LKdayanJELT9QDD900055.exe

Loads dropped DLL (4 IoCs)
Processes: MsiExec.exe, LKdayanJELT9QDD900055.exe
  PID 2348 MsiExec.exe
  PID 2348 MsiExec.exe
  PID 2348 MsiExec.exe
  PID 2036 LKdayanJELT9QDD900055.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: msiexec.exe, LKdayanJELT9QDD900055.exe
  PID 1700 msiexec.exe
  PID 1700 msiexec.exe
  PID 2036 LKdayanJELT9QDD900055.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: LKdayanJELT9QDD900055.exe
  PID 2036 LKdayanJELT9QDD900055.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe (PID 2428), msiexec.exe (PID 1700)
  Tokens grouped by process, each in the order recorded:
  PID 2428 msiexec.exe (31 tokens): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 1700 msiexec.exe (33 tokens): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, followed by the pair SeRestorePrivilege, SeTakeOwnershipPrivilege repeated 15 times

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  PID 2428 msiexec.exe
  PID 2428 msiexec.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: msiexec.exe
  PID 1700 msiexec.exe wrote to memory of PID 2348 MsiExec.exe (7 times)
  PID 1700 msiexec.exe wrote to memory of PID 2036 LKdayanJELT9QDD900055.exe (4 times)
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7D0E630E3156B7209F8C9CDC868B27F8
    - Loads dropped DLL
  C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe
    Command line: "C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
    - Adds Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Config.Msi\f762762.rbs
  Filesize: 17KB
  MD5: bda68407e4c3de35fca3db425e0cb808
  SHA1: 65a01dc84d3d13db45326f6fe114600a1fca8587
  SHA256: f08353e6ce3e38c05203f5822987801c22a6daa00021263f8d19e03db36612ac
  SHA512: 7cb7175d0be49c4405ed27bf4b901611dc75b0c8c5ea61b5e4fae6099be19308fb906b3cdba667f961efe502369bb3bd0d97766cf3e9deb898419f8bc70c8993

C:\Users\Admin\Nota Fiscal Eletronica\AGLoader.dll
  Filesize: 10.6MB
  MD5: eb77a874abbd9ba3dafa46cf1b7ff686
  SHA1: 445f040a12bada9f7cc1b5791551adae4aaa382f
  SHA256: 9f2281df855c4cd8a66591a7328da0c73860bea35e89ad01dd0a80c207520815
  SHA512: 07c3ef5ed8d43db61c1a585cc716a1e348cf9329b56bfdffc02c58373e7e3f84b8f495d08f74da9e08e3af8e8288dace2f1216b13e7e61cbaf23f63dedfbf574

C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe
  Filesize: 289KB
  MD5: eb67273c54e78db4faffab9001148753
  SHA1: 0e6cab2fdf666e53c994718477068e51b656e078
  SHA256: 7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd
  SHA512: 8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07

C:\Users\Admin\Nota Fiscal Eletronica\volume.dat
  Filesize: 3.7MB
  MD5: 77de03a0a71f4bad680c0442086fcc3e
  SHA1: f3732edd5d446d89a99f17f81be1736bc9ece856
  SHA256: 259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb
  SHA512: 398ec355492ec5f94aa81476bd32b75f7df944e07b9e9cd7d92feb6b94deb89dcc9f2f8c7d3f80efe1d8d7157d0d735cfa3bda246d9bb7138b746c93ac2e08f0

C:\Windows\Installer\f76275e.msi
  Filesize: 22.5MB
  MD5: c2d9c997a03a4d9fe786f484e2a720c8
  SHA1: 727f6b71a79e57008799dd25616af036d58d9e93
  SHA256: 31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a
  SHA512: a504b4b9278d5daf5b4bbb1b991b8044bb857075bbc6f7f839f7535b04171d18c22fe7c308a51f2dc0e8cf701ecaf7daa18d0e869c7962a51c93bfa26999a96d

\Windows\Installer\MSI27DB.tmp
  Filesize: 587KB
  MD5: cadbcf6f5a0199ecc0220ce23a860d89
  SHA1: 073c149d68916520aea882e588ab9a5ae083d75a
  SHA256: 42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0
  SHA512: cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc
Memory dumps (PID 2036):
  memory/2036-162-0x0000000000120000-0x0000000000121000-memory.dmp, Filesize: 4KB
  memory/2036-169-0x0000000000130000-0x0000000000131000-memory.dmp, Filesize: 4KB
  memory/2036-159-0x0000000000110000-0x0000000000111000-memory.dmp, Filesize: 4KB
  memory/2036-157-0x0000000000110000-0x0000000000111000-memory.dmp, Filesize: 4KB
  memory/2036-155-0x0000000000110000-0x0000000000111000-memory.dmp, Filesize: 4KB
  memory/2036-164-0x0000000000120000-0x0000000000121000-memory.dmp, Filesize: 4KB
  memory/2036-154-0x0000000000100000-0x0000000000101000-memory.dmp, Filesize: 4KB
  memory/2036-160-0x0000000000120000-0x0000000000121000-memory.dmp, Filesize: 4KB
  memory/2036-167-0x0000000000130000-0x0000000000131000-memory.dmp, Filesize: 4KB
  memory/2036-152-0x0000000000100000-0x0000000000101000-memory.dmp, Filesize: 4KB
  memory/2036-172-0x0000000000190000-0x0000000000191000-memory.dmp, Filesize: 4KB
  memory/2036-174-0x0000000000190000-0x0000000000191000-memory.dmp, Filesize: 4KB
  memory/2036-177-0x00000000001A0000-0x00000000001A1000-memory.dmp, Filesize: 4KB
  memory/2036-179-0x00000000001A0000-0x00000000001A1000-memory.dmp, Filesize: 4KB
  memory/2036-182-0x00000000001B0000-0x00000000001B1000-memory.dmp, Filesize: 4KB
  memory/2036-184-0x00000000001B0000-0x00000000001B1000-memory.dmp, Filesize: 4KB
  memory/2036-185-0x0000000072310000-0x000000007348D000-memory.dmp, Filesize: 17.5MB
  memory/2036-150-0x0000000000100000-0x0000000000101000-memory.dmp, Filesize: 4KB