52459bfa76a1b8918e1e18c7b35b9a5ea0c4876e7483e2f486217e3059b6c234

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HomeDesk.msi
Size

22.5MB
MD5

3e541108bd65df0d1127e15711da911a
SHA1

eb6ae2a6dd97fa670dcae50daef8444b3ae14cc1
SHA256

52459bfa76a1b8918e1e18c7b35b9a5ea0c4876e7483e2f486217e3059b6c234
SHA512

e81c969f96b522c4925bd18a474afcf3425c32aeb4222018629d06d275011e5f75225420a664b890ba6abb5c6779e801b868153323be2a6f3d4a4671e9d68c6c
SSDEEP

393216:wfwpJKaB9QEyLiZWGGpNmUwXTGH8L6O5oBvM18+fQuQY68WR3tgFJHciJ:QR5+ZlxUKTOO5sA8mQiB63iHrJ

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro = "C:\\Users\\Admin\\Nota Fiscal Eletronica\\LKdayanJELT9QDD900055.exe"	LKdayanJELT9QDD900055.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f762520.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76251d.msi	msiexec.exe
File created	C:\Windows\Installer\f762520.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI29E1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI278F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f762522.msi	msiexec.exe
File created	C:\Windows\Installer\f76251d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI255C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2731.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	LKdayanJELT9QDD900055.exe

Loads dropped DLL 4 IoCs

pid	Process
2072	MsiExec.exe
2072	MsiExec.exe
2072	MsiExec.exe
2692	LKdayanJELT9QDD900055.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2088	msiexec.exe
2088	msiexec.exe
2692	LKdayanJELT9QDD900055.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	LKdayanJELT9QDD900055.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2104	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeSecurityPrivilege	2088	msiexec.exe
Token: SeCreateTokenPrivilege	2104	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2104	msiexec.exe
Token: SeLockMemoryPrivilege	2104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2104	msiexec.exe
Token: SeMachineAccountPrivilege	2104	msiexec.exe
Token: SeTcbPrivilege	2104	msiexec.exe
Token: SeSecurityPrivilege	2104	msiexec.exe
Token: SeTakeOwnershipPrivilege	2104	msiexec.exe
Token: SeLoadDriverPrivilege	2104	msiexec.exe
Token: SeSystemProfilePrivilege	2104	msiexec.exe
Token: SeSystemtimePrivilege	2104	msiexec.exe
Token: SeProfSingleProcessPrivilege	2104	msiexec.exe
Token: SeIncBasePriorityPrivilege	2104	msiexec.exe
Token: SeCreatePagefilePrivilege	2104	msiexec.exe
Token: SeCreatePermanentPrivilege	2104	msiexec.exe
Token: SeBackupPrivilege	2104	msiexec.exe
Token: SeRestorePrivilege	2104	msiexec.exe
Token: SeShutdownPrivilege	2104	msiexec.exe
Token: SeDebugPrivilege	2104	msiexec.exe
Token: SeAuditPrivilege	2104	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2104	msiexec.exe
Token: SeChangeNotifyPrivilege	2104	msiexec.exe
Token: SeRemoteShutdownPrivilege	2104	msiexec.exe
Token: SeUndockPrivilege	2104	msiexec.exe
Token: SeSyncAgentPrivilege	2104	msiexec.exe
Token: SeEnableDelegationPrivilege	2104	msiexec.exe
Token: SeManageVolumePrivilege	2104	msiexec.exe
Token: SeImpersonatePrivilege	2104	msiexec.exe
Token: SeCreateGlobalPrivilege	2104	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2104	msiexec.exe
2104	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2072	2088	msiexec.exe	29
PID 2088 wrote to memory of 2072	2088	msiexec.exe	29
PID 2088 wrote to memory of 2072	2088	msiexec.exe	29
PID 2088 wrote to memory of 2072	2088	msiexec.exe	29
PID 2088 wrote to memory of 2072	2088	msiexec.exe	29
PID 2088 wrote to memory of 2072	2088	msiexec.exe	29
PID 2088 wrote to memory of 2072	2088	msiexec.exe	29
PID 2088 wrote to memory of 2692	2088	msiexec.exe	30
PID 2088 wrote to memory of 2692	2088	msiexec.exe	30
PID 2088 wrote to memory of 2692	2088	msiexec.exe	30
PID 2088 wrote to memory of 2692	2088	msiexec.exe	30

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\HomeDesk.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 910EE927B157F3F4DC00D0C1B242C749
  2⤵
  - Loads dropped DLL
  PID:2072
- C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe
  "C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f762521.rbs

Filesize
17KB

MD5
11c9f3792450c3c8f63f087179798407

SHA1
2ce4e066296e94c61a1af752e4f4675e931f5fbf

SHA256
5b53f8b4569440f6fe636fb11262c6c9c9ac2d32d0e7a15a8c268d2a7224be80

SHA512
6774f9cd547c60ec169708ef0ef968f7ec1ab8e2fc9d0ffe5c3060e76b71933f129989f4d9264fa079f37bf93d0278a1ffd477bf4d9f860183854d369c1b6b09

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\AGLoader.dll

Filesize
10.6MB

MD5
eb77a874abbd9ba3dafa46cf1b7ff686

SHA1
445f040a12bada9f7cc1b5791551adae4aaa382f

SHA256
9f2281df855c4cd8a66591a7328da0c73860bea35e89ad01dd0a80c207520815

SHA512
07c3ef5ed8d43db61c1a585cc716a1e348cf9329b56bfdffc02c58373e7e3f84b8f495d08f74da9e08e3af8e8288dace2f1216b13e7e61cbaf23f63dedfbf574

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Filesize
289KB

MD5
eb67273c54e78db4faffab9001148753

SHA1
0e6cab2fdf666e53c994718477068e51b656e078

SHA256
7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd

SHA512
8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\volume.dat

Filesize
3.7MB

MD5
77de03a0a71f4bad680c0442086fcc3e

SHA1
f3732edd5d446d89a99f17f81be1736bc9ece856

SHA256
259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb

SHA512
398ec355492ec5f94aa81476bd32b75f7df944e07b9e9cd7d92feb6b94deb89dcc9f2f8c7d3f80efe1d8d7157d0d735cfa3bda246d9bb7138b746c93ac2e08f0

Download Submit
C:\Windows\Installer\f76251d.msi

Filesize
22.5MB

MD5
3e541108bd65df0d1127e15711da911a

SHA1
eb6ae2a6dd97fa670dcae50daef8444b3ae14cc1

SHA256
52459bfa76a1b8918e1e18c7b35b9a5ea0c4876e7483e2f486217e3059b6c234

SHA512
e81c969f96b522c4925bd18a474afcf3425c32aeb4222018629d06d275011e5f75225420a664b890ba6abb5c6779e801b868153323be2a6f3d4a4671e9d68c6c

Download Submit
\Windows\Installer\MSI255C.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
memory/2692-162-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2692-167-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2692-155-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2692-157-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2692-159-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2692-160-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2692-152-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2692-164-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2692-169-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2692-154-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2692-179-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2692-177-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2692-174-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2692-172-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2692-184-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2692-182-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2692-185-0x0000000073020000-0x000000007419D000-memory.dmp

Filesize
17.5MB

Download
memory/2692-150-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download