Analysis
max time kernel: 145s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 24-05-2024 13:04
Behavioral task: behavioral1
Sample: 31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
Resource: win7-20240508-es
Behavioral task: behavioral2
Sample: 31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
Resource: win10v2004-20240508-es
General
Target: 31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
Size: 22.5MB
MD5: c2d9c997a03a4d9fe786f484e2a720c8
SHA1: 727f6b71a79e57008799dd25616af036d58d9e93
SHA256: 31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a
SHA512: a504b4b9278d5daf5b4bbb1b991b8044bb857075bbc6f7f839f7535b04171d18c22fe7c308a51f2dc0e8cf701ecaf7daa18d0e869c7962a51c93bfa26999a96d
SSDEEP: 393216:rfwpJKaB9QEyLiZWGGpNmUwXTGH8L6O5oBvM18+fQuQY68WR3tgFJHciJ:DR5+ZlxUKTOO5sA8mQiB63iHrJ
Malware Config
Signatures
Detects common strings, DLL and API in Banker_BR (1 IoC)
Hunting by known PDB files - Trojan Banker LATAM.
Processes:
  resource | yara_rule
  C:\Windows\Installer\e575822.msi | Detect_MSI_LATAM_Banker_From_LatAm
Hunting by known EXPORT - Trojan Banker LATAM. (1 IoC)
Processes:
  resource | yara_rule
  C:\Users\Admin\Nota Fiscal Eletronica\AGLoader.dll | Detect_Suspicious_Export_PE_Banker
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: LKdayanJELT9QDD900055.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Financeiro = "C:\\Users\\Admin\\Nota Fiscal Eletronica\\LKdayanJELT9QDD900055.exe" | LKdayanJELT9QDD900055.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description | ioc | process
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe
  description | ioc | process
  File opened for modification | C:\Windows\Installer\e575822.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI58BF.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI595C.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\e575826.msi | msiexec.exe
  File created | C:\Windows\Installer\e575822.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI59E9.tmp | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5A0A.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5A78.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5B63.tmp | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{CD47C468-A902-4164-B360-5693BA87F9BC} | msiexec.exe
Executes dropped EXE (1 IoC)
Processes: LKdayanJELT9QDD900055.exe
  pid | process
  852 | LKdayanJELT9QDD900055.exe
Loads dropped DLL (6 IoCs)
Processes: MsiExec.exe, LKdayanJELT9QDD900055.exe
  pid | process
  1856 | MsiExec.exe
  1856 | MsiExec.exe
  1856 | MsiExec.exe
  1856 | MsiExec.exe
  1856 | MsiExec.exe
  852 | LKdayanJELT9QDD900055.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: msiexec.exe, LKdayanJELT9QDD900055.exe
  pid | process
  1564 | msiexec.exe
  1564 | msiexec.exe
  852 | LKdayanJELT9QDD900055.exe
  852 | LKdayanJELT9QDD900055.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: LKdayanJELT9QDD900055.exe
  pid | process
  852 | LKdayanJELT9QDD900055.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4300 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4300 | msiexec.exe
  Token: SeSecurityPrivilege | 1564 | msiexec.exe
  Token: SeCreateTokenPrivilege | 4300 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 4300 | msiexec.exe
  Token: SeLockMemoryPrivilege | 4300 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4300 | msiexec.exe
  Token: SeMachineAccountPrivilege | 4300 | msiexec.exe
  Token: SeTcbPrivilege | 4300 | msiexec.exe
  Token: SeSecurityPrivilege | 4300 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4300 | msiexec.exe
  Token: SeLoadDriverPrivilege | 4300 | msiexec.exe
  Token: SeSystemProfilePrivilege | 4300 | msiexec.exe
  Token: SeSystemtimePrivilege | 4300 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 4300 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 4300 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 4300 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 4300 | msiexec.exe
  Token: SeBackupPrivilege | 4300 | msiexec.exe
  Token: SeRestorePrivilege | 4300 | msiexec.exe
  Token: SeShutdownPrivilege | 4300 | msiexec.exe
  Token: SeDebugPrivilege | 4300 | msiexec.exe
  Token: SeAuditPrivilege | 4300 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 4300 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 4300 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 4300 | msiexec.exe
  Token: SeUndockPrivilege | 4300 | msiexec.exe
  Token: SeSyncAgentPrivilege | 4300 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 4300 | msiexec.exe
  Token: SeManageVolumePrivilege | 4300 | msiexec.exe
  Token: SeImpersonatePrivilege | 4300 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 4300 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
  Token: SeRestorePrivilege | 1564 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1564 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid | process
  4300 | msiexec.exe
  4300 | msiexec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: msiexec.exe
  description | pid | process | target process
  PID 1564 wrote to memory of 1856 | 1564 | msiexec.exe | MsiExec.exe
  PID 1564 wrote to memory of 1856 | 1564 | msiexec.exe | MsiExec.exe
  PID 1564 wrote to memory of 1856 | 1564 | msiexec.exe | MsiExec.exe
  PID 1564 wrote to memory of 852 | 1564 | msiexec.exe | LKdayanJELT9QDD900055.exe
  PID 1564 wrote to memory of 852 | 1564 | msiexec.exe | LKdayanJELT9QDD900055.exe
  PID 1564 wrote to memory of 852 | 1564 | msiexec.exe | LKdayanJELT9QDD900055.exe
Processes
[depth 1] C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
[depth 1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8DF201752CD2CA2DF091655A232914C6
        - Loads dropped DLL
    [depth 2] C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe
        Command line: "C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
        - Adds Run key to start application
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Config.Msi\e575825.rbs
  Filesize: 18KB
  MD5: ba58ec66bf04f1deb8937f3c5884dfd2
  SHA1: ecb1dfc9772c1b8f5a87692a4eda694aba838063
  SHA256: 409fdaf8bda401458abf8f66c933eb7906808595d21c7df0078c2188274212cd
  SHA512: c11c207b6e3fa5c4d50bf490bfbef27daabbc75d0299c178e36ce061d4733f8212d80dfce440fa8aa3ca4013c2186913c9129fc6487e070b5ed4d846798c57ab
C:\Users\Admin\Nota Fiscal Eletronica\AGLoader.dll
  Filesize: 10.6MB
  MD5: eb77a874abbd9ba3dafa46cf1b7ff686
  SHA1: 445f040a12bada9f7cc1b5791551adae4aaa382f
  SHA256: 9f2281df855c4cd8a66591a7328da0c73860bea35e89ad01dd0a80c207520815
  SHA512: 07c3ef5ed8d43db61c1a585cc716a1e348cf9329b56bfdffc02c58373e7e3f84b8f495d08f74da9e08e3af8e8288dace2f1216b13e7e61cbaf23f63dedfbf574
C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe
  Filesize: 289KB
  MD5: eb67273c54e78db4faffab9001148753
  SHA1: 0e6cab2fdf666e53c994718477068e51b656e078
  SHA256: 7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd
  SHA512: 8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07
C:\Users\Admin\Nota Fiscal Eletronica\volume.dat
  Filesize: 3.7MB
  MD5: 77de03a0a71f4bad680c0442086fcc3e
  SHA1: f3732edd5d446d89a99f17f81be1736bc9ece856
  SHA256: 259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb
  SHA512: 398ec355492ec5f94aa81476bd32b75f7df944e07b9e9cd7d92feb6b94deb89dcc9f2f8c7d3f80efe1d8d7157d0d735cfa3bda246d9bb7138b746c93ac2e08f0
C:\Windows\Installer\MSI58BF.tmp
  Filesize: 587KB
  MD5: cadbcf6f5a0199ecc0220ce23a860d89
  SHA1: 073c149d68916520aea882e588ab9a5ae083d75a
  SHA256: 42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0
  SHA512: cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc
C:\Windows\Installer\e575822.msi
  Filesize: 22.5MB
  MD5: c2d9c997a03a4d9fe786f484e2a720c8
  SHA1: 727f6b71a79e57008799dd25616af036d58d9e93
  SHA256: 31de1d1f8b809755775ef7064d6dfd2d8433756c82edae8862c84b4b822c4b1a
  SHA512: a504b4b9278d5daf5b4bbb1b991b8044bb857075bbc6f7f839f7535b04171d18c22fe7c308a51f2dc0e8cf701ecaf7daa18d0e869c7962a51c93bfa26999a96d
memory/852-160-0x0000000000670000-0x0000000000671000-memory.dmp
  Filesize: 4KB
memory/852-161-0x0000000000680000-0x0000000000681000-memory.dmp
  Filesize: 4KB
memory/852-162-0x0000000000690000-0x0000000000691000-memory.dmp
  Filesize: 4KB
memory/852-163-0x00000000008E0000-0x00000000008E1000-memory.dmp
  Filesize: 4KB
memory/852-164-0x00000000008F0000-0x00000000008F1000-memory.dmp
  Filesize: 4KB
memory/852-165-0x0000000000A10000-0x0000000000A11000-memory.dmp
  Filesize: 4KB
memory/852-166-0x0000000072180000-0x00000000732FD000-memory.dmp
  Filesize: 17.5MB
memory/852-159-0x0000000000660000-0x0000000000661000-memory.dmp
  Filesize: 4KB