Analysis
- max time kernel: 142s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240215-es
- resource tags: arch:x64, arch:x86, image:win7-20240215-es, locale:es-es, os:windows7-x64, system:windows
- submitted: 24-05-2024 14:42
Behavioral task behavioral1
- Sample: HomeDesk.msi
- Resource: win7-20240215-es
Behavioral task behavioral2
- Sample: HomeDesk.msi
- Resource: win10v2004-20240226-es
General
- Target: HomeDesk.msi
- Size: 19.5MB
- MD5: a6c23b2846b76a423eef4a5cf25e834f
- SHA1: bef30ddb5e74e5078847b1f9dfef573f82f63c26
- SHA256: d3416342f6a3b32604b783995845df8e24e3e98cffaac755d2292d20504a839f
- SHA512: d648fad3216f1b1ba2d9b9124054a4766e48cd3c0e57252af11f679eebe1f308b86e7558b5f82c48b0287d5049515504fe379b242d540d835a6f8d080f2556cf
- SSDEEP: 393216:dvEwpJKaB9QEyLiZWGGpNmOQ+Ji5FEFhJfnRx96dOuMNIKMgTl:doR5+ZlxODJiONncg6KMgJ
Malware Config
Signatures
-
Detects common strings, DLL and API in Banker_BR (1 IoC)
Hunting by known PDB files - Trojan Banker LATAM.
Processes:
- resource: C:\Windows\Installer\f761d8f.msi
  yara_rule: Detect_MSI_LATAM_Banker_From_LatAm
Hunting by known EXPORT - Trojan Banker LATAM. (1 IoC)
Hunting by known EXPORT - Trojan Banker LATAM.
Processes:
- resource: C:\Users\Admin\HomeDesk\AGLoader.dll
  yara_rule: Detect_Suspicious_Export_PE_Banker
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: LKdayanJELT9QDD900055.exe
- Set value (str) by LKdayanJELT9QDD900055.exe:
  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro = "C:\\Users\\Admin\\HomeDesk\\LKdayanJELT9QDD900055.exe"
  This is the HKCU Run key of the sandbox user (the hive under \REGISTRY\USER\<SID>). The value name "Financeiro" is Portuguese for "financial", in line with the Brazilian banker signatures above, and the data points back at the dropped executable in the install directory, so the payload is relaunched at every logon of that user.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
- File opened (read-only) by msiexec.exe, each letter listed twice: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 drive letters; C:, D: and F: do not appear)
  Caveat: every one of these opens comes from msiexec.exe, not from the dropped executable. Windows Installer probes volumes while costing an installation, so this signature fires for ordinary MSI installs as well and is weak evidence on its own.
Drops file in Windows directory (10 IoCs)
Processes: msiexec.exe
- File opened for modification: C:\Windows\Installer\f761d92.ipi
- File opened for modification: C:\Windows\Installer\f761d8f.msi
- File opened for modification: C:\Windows\Installer\MSI1F16.tmp
- File opened for modification: C:\Windows\Installer\MSI1F65.tmp
- File created: C:\Windows\Installer\f761d92.ipi
- File created: C:\Windows\Installer\f761d94.msi
- File created: C:\Windows\Installer\f761d8f.msi
- File opened for modification: C:\Windows\Installer\MSI1E3A.tmp
- File opened for modification: C:\Windows\Installer\
- File opened for modification: C:\Windows\Installer\MSI212A.tmp
Executes dropped EXE (1 IoC)
Processes:
- pid 1596: LKdayanJELT9QDD900055.exe
Loads dropped DLL (4 IoCs)
Processes:
- pid 2664: MsiExec.exe (3 entries)
- pid 1596: LKdayanJELT9QDD900055.exe (1 entry)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- pid 2480: msiexec.exe (2 entries)
- pid 1596: LKdayanJELT9QDD900055.exe (1 entry)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- pid 1596: LKdayanJELT9QDD900055.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe (pid 1676), msiexec.exe (pid 2480); entries grouped by process
- pid 1676 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 2480 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternately for the remainder of the 64 listed entries
  Caveat: both processes are Windows Installer itself (the /I client and the /V service); the dropped executable does not appear here. The client's list spans essentially the full set of privileges an administrative token carries, and the service's repeated SeRestorePrivilege/SeTakeOwnershipPrivilege pairs accompany its writes under C:\Windows\Installer. Both are ordinary installer behaviour, so this signature adds nothing to the verdict on the payload.
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- pid 1676: msiexec.exe (2 entries)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: msiexec.exe
- PID 2480 (msiexec.exe) wrote to memory of PID 2664 (MsiExec.exe): 7 entries
- PID 2480 (msiexec.exe) wrote to memory of PID 1596 (LKdayanJELT9QDD900055.exe): 4 entries
  Both targets are children of pid 2480, and the writes are consistent with the parent setting up each child at creation rather than with injection into a foreign process.
Processes
- C:\Windows\system32\msiexec.exe (pid 1676, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\HomeDesk.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (pid 2480, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (pid 2664, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C152FCC0B603FC0027F85F2754AD7102
    - Loads dropped DLL
  - C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe (pid 1596, depth 2)
    Command line: "C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe"
    - Adds Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam

Reading the chain: the /I instance (pid 1676) is the per-user installer client for HomeDesk.msi; the /V instance (pid 2480) is the Windows Installer service, which caches the package under C:\Windows\Installer, extracts its contents and runs its custom actions. The syswow64 MsiExec.exe -Embedding instance (pid 2664) is the 32-bit out-of-process custom action server the service spawns for DLL custom actions, which is where its "Loads dropped DLL" entries come from. The service then launches the dropped LKdayanJELT9QDD900055.exe from C:\Users\Admin\HomeDesk\, and that process writes its own Run value. An executable started by msiexec.exe from a new directory under a user profile, paired with a Run value pointing at that same path, is the pattern worth detecting here; the installer's own drive enumeration and token adjustments are noise.
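Added example, not part of the sandbox report or of the sample: the process chain and Run-key write recorded above, replayed as constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set, with simplified field names) against a small Python detector. The parent pids of the two top-level msiexec.exe instances are not in the report and are left as None; the process under pid 4242 is a hypothetical benign control that is not in the report. The detector flags an executable launched by msiexec.exe from a user profile, a Run value whose data points into a user profile, and, when both refer to the same path, the installer-launched payload persisting itself.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style events reproducing the chain in the report above.
# Event 1 = process creation, event 13 = registry value set. Field names are
# simplified. The parents of the two top-level msiexec.exe instances are not
# in the report and are left as None.
EVENTS: List[Dict] = [
    {"event": 1, "pid": 1676, "ppid": None,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\HomeDesk.msi"},
    {"event": 1, "pid": 2480, "ppid": None,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"event": 1, "pid": 2664, "ppid": 2480,
     "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding C152FCC0B603FC0027F85F2754AD7102"},
    {"event": 1, "pid": 1596, "ppid": 2480,
     "image": r"C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe",
     "cmdline": r'"C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe"'},
    {"event": 13, "pid": 1596,
     "image": r"C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe",
     "target": r"HKU\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro",
     "details": r"C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe"},
    # Hypothetical benign control, not from the report: an installer launching a
    # helper from Program Files must not trigger the user-profile rule.
    {"event": 1, "pid": 4242, "ppid": 2480,
     "image": r"C:\Program Files\Example\setup-helper.exe",
     "cmdline": r'"C:\Program Files\Example\setup-helper.exe" /quiet'},
]

# Paths under a user profile (C:\Users\<name>\...) and Run-key value paths.
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
INSTALLER_IMAGES = {"msiexec.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Return findings for (a) msiexec.exe launching an executable out of a user
    profile, (b) a Run value whose data points into a user profile, and (c) the
    correlation of the two: the installer-launched binary persisting itself."""
    procs = {e["pid"]: e for e in events if e["event"] == 1}
    findings: List[Dict] = []
    for e in events:
        if e["event"] == 1:
            parent: Optional[Dict] = procs.get(e["ppid"])
            if (parent and _basename(parent["image"]) in INSTALLER_IMAGES
                    and USER_PROFILE.match(e["image"])):
                findings.append({"rule": "msiexec_spawned_user_profile_exe",
                                 "pid": e["pid"], "path": e["image"].lower()})
        elif e["event"] == 13:
            data = e["details"].strip('"')
            if RUN_KEY.search(e["target"]) and USER_PROFILE.match(data):
                findings.append({"rule": "run_key_points_into_user_profile",
                                 "pid": e["pid"], "path": data.lower(),
                                 "value_name": e["target"].rsplit("\\", 1)[-1]})
    # Correlate: a Run value that points at the very file the installer launched.
    spawned = {f["path"] for f in findings if f["rule"] == "msiexec_spawned_user_profile_exe"}
    for f in list(findings):
        if f["rule"] == "run_key_points_into_user_profile" and f["path"] in spawned:
            findings.append({"rule": "installer_payload_persisted_via_run_key",
                             "pid": f["pid"], "path": f["path"],
                             "value_name": f["value_name"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding["rule"], finding["pid"], finding["path"])
```

Run as a script it prints the three findings for pid 1596 and nothing for the custom action server (pid 2664) or the benign control. On real telemetry, key the process table on Sysmon's ProcessGuid rather than the pid, since pids are reused, and widen INSTALLER_IMAGES if you also want to catch other installer engines.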
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Config.Msi\f761d93.rbs
  Filesize: 15KB
  MD5: f304206e88f22beacf11fe66cfc9061b
  SHA1: 7a251c2d73d5f1e13bda38c615908f16c49e8330
  SHA256: 80e3582e53137f462fc51f567ed4ea74bbc92fa5cd8b6ae0d3e12cb1b9146c9e
  SHA512: 3ea4d912453f21b9fa721f64249c27fa46248ccaab53b430b409c312816e908032b554b5399c107471c5cc9919995e185147dad49149f57b20956888e416d360
- C:\Users\Admin\HomeDesk\AGLoader.dll
  Filesize: 7.4MB
  MD5: 2921523030345673a00953df828679e0
  SHA1: bc6e603a9b3acb91f4a0c0ce3a6d032785c2e2ea
  SHA256: 120facb1726fcffeeb2de1d2be98a421823b0d06baec1763cb6c33cffa79b001
  SHA512: 0612580d856fbeb41c81dbcb08aef1f5fe3bf0744ef0f2f8ee6423fe4cc9f5e25852eb8150dcc439bd74d8e5a73f17f6e7a9f67cade691d57056c0e25c55f888
- C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe
  Filesize: 289KB
  MD5: eb67273c54e78db4faffab9001148753
  SHA1: 0e6cab2fdf666e53c994718477068e51b656e078
  SHA256: 7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd
  SHA512: 8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07
- C:\Users\Admin\HomeDesk\volume.dat
  Filesize: 3.7MB
  MD5: 77de03a0a71f4bad680c0442086fcc3e
  SHA1: f3732edd5d446d89a99f17f81be1736bc9ece856
  SHA256: 259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb
  SHA512: 398ec355492ec5f94aa81476bd32b75f7df944e07b9e9cd7d92feb6b94deb89dcc9f2f8c7d3f80efe1d8d7157d0d735cfa3bda246d9bb7138b746c93ac2e08f0
- C:\Windows\Installer\f761d8f.msi
  Filesize: 19.5MB
  MD5: a6c23b2846b76a423eef4a5cf25e834f
  SHA1: bef30ddb5e74e5078847b1f9dfef573f82f63c26
  SHA256: d3416342f6a3b32604b783995845df8e24e3e98cffaac755d2292d20504a839f
  SHA512: d648fad3216f1b1ba2d9b9124054a4766e48cd3c0e57252af11f679eebe1f308b86e7558b5f82c48b0287d5049515504fe379b242d540d835a6f8d080f2556cf
  (Hashes identical to the submitted HomeDesk.msi: this is the Windows Installer cache copy of the package, not a second payload.)
- \Windows\Installer\MSI1E3A.tmp
  Filesize: 738KB
  MD5: ee45c6dffaf86ed2a76d8f969c390c08
  SHA1: ff5b2942ffa7d28ed3f72208e8e76391b2991b5a
  SHA256: 118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca
  SHA512: a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664
- Memory dumps of pid 1596 (LKdayanJELT9QDD900055.exe), 4KB each unless noted:
  memory/1596-150-0x0000000000090000-0x0000000000091000-memory.dmp
  memory/1596-152-0x0000000000090000-0x0000000000091000-memory.dmp
  memory/1596-154-0x0000000000090000-0x0000000000091000-memory.dmp
  memory/1596-155-0x00000000000A0000-0x00000000000A1000-memory.dmp
  memory/1596-157-0x00000000000A0000-0x00000000000A1000-memory.dmp
  memory/1596-159-0x00000000000A0000-0x00000000000A1000-memory.dmp
  memory/1596-160-0x00000000000B0000-0x00000000000B1000-memory.dmp
  memory/1596-162-0x00000000000B0000-0x00000000000B1000-memory.dmp
  memory/1596-164-0x00000000000B0000-0x00000000000B1000-memory.dmp
  memory/1596-167-0x00000000000C0000-0x00000000000C1000-memory.dmp
  memory/1596-169-0x00000000000C0000-0x00000000000C1000-memory.dmp
  memory/1596-172-0x0000000000110000-0x0000000000111000-memory.dmp
  memory/1596-174-0x0000000000110000-0x0000000000111000-memory.dmp
  memory/1596-177-0x0000000000120000-0x0000000000121000-memory.dmp
  memory/1596-179-0x0000000000120000-0x0000000000121000-memory.dmp
  memory/1596-182-0x0000000000130000-0x0000000000131000-memory.dmp
  memory/1596-184-0x0000000000130000-0x0000000000131000-memory.dmp
  memory/1596-185-0x0000000073530000-0x00000000741BF000-memory.dmp (12.6MB)