10af3efd0851093bbfc56aa03ba7d2bc28c500f2ebdea01292d591d377c459de

General

Target

HomeDesk.msi
Size

19.5MB
MD5

a6c23b2846b76a423eef4a5cf25e834f
SHA1

bef30ddb5e74e5078847b1f9dfef573f82f63c26
SHA256

d3416342f6a3b32604b783995845df8e24e3e98cffaac755d2292d20504a839f
SHA512

d648fad3216f1b1ba2d9b9124054a4766e48cd3c0e57252af11f679eebe1f308b86e7558b5f82c48b0287d5049515504fe379b242d540d835a6f8d080f2556cf
SSDEEP

393216:dvEwpJKaB9QEyLiZWGGpNmOQ+Ji5FEFhJfnRx96dOuMNIKMgTl:doR5+ZlxODJiONncg6KMgJ

Score

10^/10

banker persistence

Malware Config

Signatures

Detects common strings, DLL and API in Banker_BR 1 IoCs

Hunting by known PDB files - Trojan Banker LATAM.

banker

Processes:

resource	yara_rule
C:\Windows\Installer\f761d8f.msi	Detect_MSI_LATAM_Banker_From_LatAm

Hunting by known EXPORT - Trojan Banker LATAM. 1 IoCs

Hunting by known EXPORT - Trojan Banker LATAM.

banker

Processes:

resource	yara_rule
C:\Users\Admin\HomeDesk\AGLoader.dll	Detect_Suspicious_Export_PE_Banker

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LKdayanJELT9QDD900055.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro = "C:\\Users\\Admin\\HomeDesk\\LKdayanJELT9QDD900055.exe"	LKdayanJELT9QDD900055.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f761d92.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f761d8f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F16.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F65.tmp	msiexec.exe
File created	C:\Windows\Installer\f761d92.ipi	msiexec.exe
File created	C:\Windows\Installer\f761d94.msi	msiexec.exe
File created	C:\Windows\Installer\f761d8f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E3A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI212A.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

LKdayanJELT9QDD900055.exe

pid process

1596 LKdayanJELT9QDD900055.exe
Loads dropped DLL 4 IoCs

Processes:

MsiExec.exeLKdayanJELT9QDD900055.exe

pid process

2664 MsiExec.exe
2664 MsiExec.exe
2664 MsiExec.exe
1596 LKdayanJELT9QDD900055.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exeLKdayanJELT9QDD900055.exe

pid process

2480 msiexec.exe
2480 msiexec.exe
1596 LKdayanJELT9QDD900055.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LKdayanJELT9QDD900055.exe

pid process

1596 LKdayanJELT9QDD900055.exe

pid	process
1596	LKdayanJELT9QDD900055.exe

pid	process
2664	MsiExec.exe
2664	MsiExec.exe
2664	MsiExec.exe
1596	LKdayanJELT9QDD900055.exe

pid	process
2480	msiexec.exe
2480	msiexec.exe
1596	LKdayanJELT9QDD900055.exe

pid	process
1596	LKdayanJELT9QDD900055.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1676	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeSecurityPrivilege	2480	msiexec.exe
Token: SeCreateTokenPrivilege	1676	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1676	msiexec.exe
Token: SeLockMemoryPrivilege	1676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1676	msiexec.exe
Token: SeMachineAccountPrivilege	1676	msiexec.exe
Token: SeTcbPrivilege	1676	msiexec.exe
Token: SeSecurityPrivilege	1676	msiexec.exe
Token: SeTakeOwnershipPrivilege	1676	msiexec.exe
Token: SeLoadDriverPrivilege	1676	msiexec.exe
Token: SeSystemProfilePrivilege	1676	msiexec.exe
Token: SeSystemtimePrivilege	1676	msiexec.exe
Token: SeProfSingleProcessPrivilege	1676	msiexec.exe
Token: SeIncBasePriorityPrivilege	1676	msiexec.exe
Token: SeCreatePagefilePrivilege	1676	msiexec.exe
Token: SeCreatePermanentPrivilege	1676	msiexec.exe
Token: SeBackupPrivilege	1676	msiexec.exe
Token: SeRestorePrivilege	1676	msiexec.exe
Token: SeShutdownPrivilege	1676	msiexec.exe
Token: SeDebugPrivilege	1676	msiexec.exe
Token: SeAuditPrivilege	1676	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1676	msiexec.exe
Token: SeChangeNotifyPrivilege	1676	msiexec.exe
Token: SeRemoteShutdownPrivilege	1676	msiexec.exe
Token: SeUndockPrivilege	1676	msiexec.exe
Token: SeSyncAgentPrivilege	1676	msiexec.exe
Token: SeEnableDelegationPrivilege	1676	msiexec.exe
Token: SeManageVolumePrivilege	1676	msiexec.exe
Token: SeImpersonatePrivilege	1676	msiexec.exe
Token: SeCreateGlobalPrivilege	1676	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1676 msiexec.exe
1676 msiexec.exe

pid	process
1676	msiexec.exe
1676	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2480 wrote to memory of 2664	2480	msiexec.exe	MsiExec.exe
PID 2480 wrote to memory of 2664	2480	msiexec.exe	MsiExec.exe
PID 2480 wrote to memory of 2664	2480	msiexec.exe	MsiExec.exe
PID 2480 wrote to memory of 2664	2480	msiexec.exe	MsiExec.exe
PID 2480 wrote to memory of 2664	2480	msiexec.exe	MsiExec.exe
PID 2480 wrote to memory of 2664	2480	msiexec.exe	MsiExec.exe
PID 2480 wrote to memory of 2664	2480	msiexec.exe	MsiExec.exe
PID 2480 wrote to memory of 1596	2480	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 2480 wrote to memory of 1596	2480	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 2480 wrote to memory of 1596	2480	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 2480 wrote to memory of 1596	2480	msiexec.exe	LKdayanJELT9QDD900055.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\HomeDesk.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C152FCC0B603FC0027F85F2754AD7102
2⤵
- Loads dropped DLL
PID:2664

C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe
"C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe"
2⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f761d93.rbs
Filesize
15KB

MD5
f304206e88f22beacf11fe66cfc9061b

SHA1
7a251c2d73d5f1e13bda38c615908f16c49e8330

SHA256
80e3582e53137f462fc51f567ed4ea74bbc92fa5cd8b6ae0d3e12cb1b9146c9e

SHA512
3ea4d912453f21b9fa721f64249c27fa46248ccaab53b430b409c312816e908032b554b5399c107471c5cc9919995e185147dad49149f57b20956888e416d360

Download Submit
C:\Users\Admin\HomeDesk\AGLoader.dll
Filesize
7.4MB

MD5
2921523030345673a00953df828679e0

SHA1
bc6e603a9b3acb91f4a0c0ce3a6d032785c2e2ea

SHA256
120facb1726fcffeeb2de1d2be98a421823b0d06baec1763cb6c33cffa79b001

SHA512
0612580d856fbeb41c81dbcb08aef1f5fe3bf0744ef0f2f8ee6423fe4cc9f5e25852eb8150dcc439bd74d8e5a73f17f6e7a9f67cade691d57056c0e25c55f888

Download Submit
C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe
Filesize
289KB

MD5
eb67273c54e78db4faffab9001148753

SHA1
0e6cab2fdf666e53c994718477068e51b656e078

SHA256
7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd

SHA512
8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07

Download Submit
C:\Users\Admin\HomeDesk\volume.dat
Filesize
3.7MB

MD5
77de03a0a71f4bad680c0442086fcc3e

SHA1
f3732edd5d446d89a99f17f81be1736bc9ece856

SHA256
259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb

SHA512
398ec355492ec5f94aa81476bd32b75f7df944e07b9e9cd7d92feb6b94deb89dcc9f2f8c7d3f80efe1d8d7157d0d735cfa3bda246d9bb7138b746c93ac2e08f0

Download Submit
C:\Windows\Installer\f761d8f.msi
Filesize
19.5MB

MD5
a6c23b2846b76a423eef4a5cf25e834f

SHA1
bef30ddb5e74e5078847b1f9dfef573f82f63c26

SHA256
d3416342f6a3b32604b783995845df8e24e3e98cffaac755d2292d20504a839f

SHA512
d648fad3216f1b1ba2d9b9124054a4766e48cd3c0e57252af11f679eebe1f308b86e7558b5f82c48b0287d5049515504fe379b242d540d835a6f8d080f2556cf

Download Submit
\Windows\Installer\MSI1E3A.tmp
Filesize
738KB

MD5
ee45c6dffaf86ed2a76d8f969c390c08

SHA1
ff5b2942ffa7d28ed3f72208e8e76391b2991b5a

SHA256
118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca

SHA512
a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664

Download Submit
memory/1596-164-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1596-172-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1596-155-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1596-157-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1596-159-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1596-162-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1596-150-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1596-160-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1596-167-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1596-154-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1596-169-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1596-179-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1596-177-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1596-174-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1596-182-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1596-184-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1596-185-0x0000000073530000-0x00000000741BF000-memory.dmp

Filesize
12.6MB

Download
memory/1596-152-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads