31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a

General

Target

31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
Size

22.5MB
MD5

c2d9c997a03a4d9fe786f484e2a720c8
SHA1

727f6b71a79e57008799dd25616af036d58d9e93
SHA256

31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a
SHA512

a504b4b9278d5daf5b4bbb1b991b8044bb857075bbc6f7f839f7535b04171d18c22fe7c308a51f2dc0e8cf701ecaf7daa18d0e869c7962a51c93bfa26999a96d
SSDEEP

393216:rfwpJKaB9QEyLiZWGGpNmUwXTGH8L6O5oBvM18+fQuQY68WR3tgFJHciJ:DR5+ZlxUKTOO5sA8mQiB63iHrJ

Score

10^/10

banker persistence

Malware Config

Signatures

Detects common strings, DLL and API in Banker_BR 1 IoCs

Hunting by known PDB files - Trojan Banker LATAM.

banker

Processes:

resource	yara_rule
C:\Windows\Installer\e575822.msi	Detect_MSI_LATAM_Banker_From_LatAm

Hunting by known EXPORT - Trojan Banker LATAM. 1 IoCs

Hunting by known EXPORT - Trojan Banker LATAM.

banker

Processes:

resource	yara_rule
C:\Users\Admin\Nota Fiscal Eletronica\AGLoader.dll	Detect_Suspicious_Export_PE_Banker

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LKdayanJELT9QDD900055.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Financeiro = "C:\\Users\\Admin\\Nota Fiscal Eletronica\\LKdayanJELT9QDD900055.exe"	LKdayanJELT9QDD900055.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e575822.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI595C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e575826.msi	msiexec.exe
File created	C:\Windows\Installer\e575822.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A0A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A78.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B63.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CD47C468-A902-4164-B360-5693BA87F9BC}	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

LKdayanJELT9QDD900055.exe

pid process

852 LKdayanJELT9QDD900055.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exeLKdayanJELT9QDD900055.exe

pid process

1856 MsiExec.exe
1856 MsiExec.exe
1856 MsiExec.exe
1856 MsiExec.exe
1856 MsiExec.exe
852 LKdayanJELT9QDD900055.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exeLKdayanJELT9QDD900055.exe

pid process

1564 msiexec.exe
1564 msiexec.exe
852 LKdayanJELT9QDD900055.exe
852 LKdayanJELT9QDD900055.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LKdayanJELT9QDD900055.exe

pid process

852 LKdayanJELT9QDD900055.exe

pid	process
852	LKdayanJELT9QDD900055.exe

pid	process
1856	MsiExec.exe
1856	MsiExec.exe
1856	MsiExec.exe
1856	MsiExec.exe
1856	MsiExec.exe
852	LKdayanJELT9QDD900055.exe

pid	process
1564	msiexec.exe
1564	msiexec.exe
852	LKdayanJELT9QDD900055.exe
852	LKdayanJELT9QDD900055.exe

pid	process
852	LKdayanJELT9QDD900055.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4300	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4300	msiexec.exe
Token: SeSecurityPrivilege	1564	msiexec.exe
Token: SeCreateTokenPrivilege	4300	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4300	msiexec.exe
Token: SeLockMemoryPrivilege	4300	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4300	msiexec.exe
Token: SeMachineAccountPrivilege	4300	msiexec.exe
Token: SeTcbPrivilege	4300	msiexec.exe
Token: SeSecurityPrivilege	4300	msiexec.exe
Token: SeTakeOwnershipPrivilege	4300	msiexec.exe
Token: SeLoadDriverPrivilege	4300	msiexec.exe
Token: SeSystemProfilePrivilege	4300	msiexec.exe
Token: SeSystemtimePrivilege	4300	msiexec.exe
Token: SeProfSingleProcessPrivilege	4300	msiexec.exe
Token: SeIncBasePriorityPrivilege	4300	msiexec.exe
Token: SeCreatePagefilePrivilege	4300	msiexec.exe
Token: SeCreatePermanentPrivilege	4300	msiexec.exe
Token: SeBackupPrivilege	4300	msiexec.exe
Token: SeRestorePrivilege	4300	msiexec.exe
Token: SeShutdownPrivilege	4300	msiexec.exe
Token: SeDebugPrivilege	4300	msiexec.exe
Token: SeAuditPrivilege	4300	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4300	msiexec.exe
Token: SeChangeNotifyPrivilege	4300	msiexec.exe
Token: SeRemoteShutdownPrivilege	4300	msiexec.exe
Token: SeUndockPrivilege	4300	msiexec.exe
Token: SeSyncAgentPrivilege	4300	msiexec.exe
Token: SeEnableDelegationPrivilege	4300	msiexec.exe
Token: SeManageVolumePrivilege	4300	msiexec.exe
Token: SeImpersonatePrivilege	4300	msiexec.exe
Token: SeCreateGlobalPrivilege	4300	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4300 msiexec.exe
4300 msiexec.exe

pid	process
4300	msiexec.exe
4300	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1564 wrote to memory of 1856	1564	msiexec.exe	MsiExec.exe
PID 1564 wrote to memory of 1856	1564	msiexec.exe	MsiExec.exe
PID 1564 wrote to memory of 1856	1564	msiexec.exe	MsiExec.exe
PID 1564 wrote to memory of 852	1564	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 1564 wrote to memory of 852	1564	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 1564 wrote to memory of 852	1564	msiexec.exe	LKdayanJELT9QDD900055.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4300

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8DF201752CD2CA2DF091655A232914C6
2⤵
- Loads dropped DLL
PID:1856

C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe
"C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
2⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575825.rbs
Filesize
18KB

MD5
ba58ec66bf04f1deb8937f3c5884dfd2

SHA1
ecb1dfc9772c1b8f5a87692a4eda694aba838063

SHA256
409fdaf8bda401458abf8f66c933eb7906808595d21c7df0078c2188274212cd

SHA512
c11c207b6e3fa5c4d50bf490bfbef27daabbc75d0299c178e36ce061d4733f8212d80dfce440fa8aa3ca4013c2186913c9129fc6487e070b5ed4d846798c57ab

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\AGLoader.dll
Filesize
10.6MB

MD5
eb77a874abbd9ba3dafa46cf1b7ff686

SHA1
445f040a12bada9f7cc1b5791551adae4aaa382f

SHA256
9f2281df855c4cd8a66591a7328da0c73860bea35e89ad01dd0a80c207520815

SHA512
07c3ef5ed8d43db61c1a585cc716a1e348cf9329b56bfdffc02c58373e7e3f84b8f495d08f74da9e08e3af8e8288dace2f1216b13e7e61cbaf23f63dedfbf574

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe
Filesize
289KB

MD5
eb67273c54e78db4faffab9001148753

SHA1
0e6cab2fdf666e53c994718477068e51b656e078

SHA256
7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd

SHA512
8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\volume.dat
Filesize
3.7MB

MD5
77de03a0a71f4bad680c0442086fcc3e

SHA1
f3732edd5d446d89a99f17f81be1736bc9ece856

SHA256
259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb

SHA512
398ec355492ec5f94aa81476bd32b75f7df944e07b9e9cd7d92feb6b94deb89dcc9f2f8c7d3f80efe1d8d7157d0d735cfa3bda246d9bb7138b746c93ac2e08f0

Download Submit
C:\Windows\Installer\MSI58BF.tmp
Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
C:\Windows\Installer\e575822.msi
Filesize
22.5MB

MD5
c2d9c997a03a4d9fe786f484e2a720c8

SHA1
727f6b71a79e57008799dd25616af036d58d9e93

SHA256
31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a

SHA512
a504b4b9278d5daf5b4bbb1b991b8044bb857075bbc6f7f839f7535b04171d18c22fe7c308a51f2dc0e8cf701ecaf7daa18d0e869c7962a51c93bfa26999a96d

Download Submit
memory/852-160-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/852-161-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/852-162-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/852-163-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/852-164-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/852-165-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/852-166-0x0000000072180000-0x00000000732FD000-memory.dmp

Filesize
17.5MB

Download
memory/852-159-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads