31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a

General

Target

31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
Size

22.5MB
MD5

c2d9c997a03a4d9fe786f484e2a720c8
SHA1

727f6b71a79e57008799dd25616af036d58d9e93
SHA256

31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a
SHA512

a504b4b9278d5daf5b4bbb1b991b8044bb857075bbc6f7f839f7535b04171d18c22fe7c308a51f2dc0e8cf701ecaf7daa18d0e869c7962a51c93bfa26999a96d
SSDEEP

393216:rfwpJKaB9QEyLiZWGGpNmUwXTGH8L6O5oBvM18+fQuQY68WR3tgFJHciJ:DR5+ZlxUKTOO5sA8mQiB63iHrJ

Score

10^/10

banker persistence

Malware Config

Signatures

Detects common strings, DLL and API in Banker_BR 1 IoCs

Hunting by known PDB files - Trojan Banker LATAM.

banker

Processes:

resource	yara_rule
C:\Windows\Installer\f76275e.msi	Detect_MSI_LATAM_Banker_From_LatAm

Hunting by known EXPORT - Trojan Banker LATAM. 1 IoCs

Hunting by known EXPORT - Trojan Banker LATAM.

banker

Processes:

resource	yara_rule
C:\Users\Admin\Nota Fiscal Eletronica\AGLoader.dll	Detect_Suspicious_Export_PE_Banker

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LKdayanJELT9QDD900055.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro = "C:\\Users\\Admin\\Nota Fiscal Eletronica\\LKdayanJELT9QDD900055.exe"	LKdayanJELT9QDD900055.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f762761.ipi	msiexec.exe
File created	C:\Windows\Installer\f762763.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f762761.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76275e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2878.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI28B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A5E.tmp	msiexec.exe
File created	C:\Windows\Installer\f76275e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

LKdayanJELT9QDD900055.exe

pid process

2036 LKdayanJELT9QDD900055.exe
Loads dropped DLL 4 IoCs

Processes:

MsiExec.exeLKdayanJELT9QDD900055.exe

pid process

2348 MsiExec.exe
2348 MsiExec.exe
2348 MsiExec.exe
2036 LKdayanJELT9QDD900055.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exeLKdayanJELT9QDD900055.exe

pid process

1700 msiexec.exe
1700 msiexec.exe
2036 LKdayanJELT9QDD900055.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LKdayanJELT9QDD900055.exe

pid process

2036 LKdayanJELT9QDD900055.exe

pid	process
2036	LKdayanJELT9QDD900055.exe

pid	process
2348	MsiExec.exe
2348	MsiExec.exe
2348	MsiExec.exe
2036	LKdayanJELT9QDD900055.exe

pid	process
1700	msiexec.exe
1700	msiexec.exe
2036	LKdayanJELT9QDD900055.exe

pid	process
2036	LKdayanJELT9QDD900055.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeSecurityPrivilege	1700	msiexec.exe
Token: SeCreateTokenPrivilege	2428	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2428	msiexec.exe
Token: SeLockMemoryPrivilege	2428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2428	msiexec.exe
Token: SeMachineAccountPrivilege	2428	msiexec.exe
Token: SeTcbPrivilege	2428	msiexec.exe
Token: SeSecurityPrivilege	2428	msiexec.exe
Token: SeTakeOwnershipPrivilege	2428	msiexec.exe
Token: SeLoadDriverPrivilege	2428	msiexec.exe
Token: SeSystemProfilePrivilege	2428	msiexec.exe
Token: SeSystemtimePrivilege	2428	msiexec.exe
Token: SeProfSingleProcessPrivilege	2428	msiexec.exe
Token: SeIncBasePriorityPrivilege	2428	msiexec.exe
Token: SeCreatePagefilePrivilege	2428	msiexec.exe
Token: SeCreatePermanentPrivilege	2428	msiexec.exe
Token: SeBackupPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	2428	msiexec.exe
Token: SeShutdownPrivilege	2428	msiexec.exe
Token: SeDebugPrivilege	2428	msiexec.exe
Token: SeAuditPrivilege	2428	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2428	msiexec.exe
Token: SeChangeNotifyPrivilege	2428	msiexec.exe
Token: SeRemoteShutdownPrivilege	2428	msiexec.exe
Token: SeUndockPrivilege	2428	msiexec.exe
Token: SeSyncAgentPrivilege	2428	msiexec.exe
Token: SeEnableDelegationPrivilege	2428	msiexec.exe
Token: SeManageVolumePrivilege	2428	msiexec.exe
Token: SeImpersonatePrivilege	2428	msiexec.exe
Token: SeCreateGlobalPrivilege	2428	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2428 msiexec.exe
2428 msiexec.exe

pid	process
2428	msiexec.exe
2428	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1700 wrote to memory of 2348	1700	msiexec.exe	MsiExec.exe
PID 1700 wrote to memory of 2348	1700	msiexec.exe	MsiExec.exe
PID 1700 wrote to memory of 2348	1700	msiexec.exe	MsiExec.exe
PID 1700 wrote to memory of 2348	1700	msiexec.exe	MsiExec.exe
PID 1700 wrote to memory of 2348	1700	msiexec.exe	MsiExec.exe
PID 1700 wrote to memory of 2348	1700	msiexec.exe	MsiExec.exe
PID 1700 wrote to memory of 2348	1700	msiexec.exe	MsiExec.exe
PID 1700 wrote to memory of 2036	1700	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 1700 wrote to memory of 2036	1700	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 1700 wrote to memory of 2036	1700	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 1700 wrote to memory of 2036	1700	msiexec.exe	LKdayanJELT9QDD900055.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2428

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7D0E630E3156B7209F8C9CDC868B27F8
2⤵
- Loads dropped DLL
PID:2348

C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe
"C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
2⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f762762.rbs
Filesize
17KB

MD5
bda68407e4c3de35fca3db425e0cb808

SHA1
65a01dc84d3d13db45326f6fe114600a1fca8587

SHA256
f08353e6ce3e38c05203f5822987801c22a6daa00021263f8d19e03db36612ac

SHA512
7cb7175d0be49c4405ed27bf4b901611dc75b0c8c5ea61b5e4fae6099be19308fb906b3cdba667f961efe502369bb3bd0d97766cf3e9deb898419f8bc70c8993

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\AGLoader.dll
Filesize
10.6MB

MD5
eb77a874abbd9ba3dafa46cf1b7ff686

SHA1
445f040a12bada9f7cc1b5791551adae4aaa382f

SHA256
9f2281df855c4cd8a66591a7328da0c73860bea35e89ad01dd0a80c207520815

SHA512
07c3ef5ed8d43db61c1a585cc716a1e348cf9329b56bfdffc02c58373e7e3f84b8f495d08f74da9e08e3af8e8288dace2f1216b13e7e61cbaf23f63dedfbf574

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe
Filesize
289KB

MD5
eb67273c54e78db4faffab9001148753

SHA1
0e6cab2fdf666e53c994718477068e51b656e078

SHA256
7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd

SHA512
8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\volume.dat
Filesize
3.7MB

MD5
77de03a0a71f4bad680c0442086fcc3e

SHA1
f3732edd5d446d89a99f17f81be1736bc9ece856

SHA256
259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb

SHA512
398ec355492ec5f94aa81476bd32b75f7df944e07b9e9cd7d92feb6b94deb89dcc9f2f8c7d3f80efe1d8d7157d0d735cfa3bda246d9bb7138b746c93ac2e08f0

Download Submit
C:\Windows\Installer\f76275e.msi
Filesize
22.5MB

MD5
c2d9c997a03a4d9fe786f484e2a720c8

SHA1
727f6b71a79e57008799dd25616af036d58d9e93

SHA256
31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a

SHA512
a504b4b9278d5daf5b4bbb1b991b8044bb857075bbc6f7f839f7535b04171d18c22fe7c308a51f2dc0e8cf701ecaf7daa18d0e869c7962a51c93bfa26999a96d

Download Submit
\Windows\Installer\MSI27DB.tmp
Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
memory/2036-162-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2036-169-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2036-159-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2036-157-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2036-155-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2036-164-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2036-154-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2036-160-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2036-167-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2036-152-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2036-172-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2036-174-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2036-177-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2036-179-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2036-182-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2036-184-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2036-185-0x0000000072310000-0x000000007348D000-memory.dmp

Filesize
17.5MB

Download
memory/2036-150-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads