52459bfa76a1b8918e1e18c7b35b9a5ea0c4876e7483e2f486217e3059b6c234

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HomeDesk.msi
Size

22.5MB
MD5

3e541108bd65df0d1127e15711da911a
SHA1

eb6ae2a6dd97fa670dcae50daef8444b3ae14cc1
SHA256

52459bfa76a1b8918e1e18c7b35b9a5ea0c4876e7483e2f486217e3059b6c234
SHA512

e81c969f96b522c4925bd18a474afcf3425c32aeb4222018629d06d275011e5f75225420a664b890ba6abb5c6779e801b868153323be2a6f3d4a4671e9d68c6c
SSDEEP

393216:wfwpJKaB9QEyLiZWGGpNmUwXTGH8L6O5oBvM18+fQuQY68WR3tgFJHciJ:QR5+ZlxUKTOO5sA8mQiB63iHrJ

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Financeiro = "C:\\Users\\Admin\\Nota Fiscal Eletronica\\LKdayanJELT9QDD900055.exe"	LKdayanJELT9QDD900055.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e574d39.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4ECF.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5028.tmp	msiexec.exe
File created	C:\Windows\Installer\e574d35.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e574d35.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F1E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E9F.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CD47C468-A902-4164-B360-5693BA87F9BC}	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1232	LKdayanJELT9QDD900055.exe

Loads dropped DLL 6 IoCs

pid	Process
408	MsiExec.exe
408	MsiExec.exe
408	MsiExec.exe
408	MsiExec.exe
408	MsiExec.exe
1232	LKdayanJELT9QDD900055.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
668	msiexec.exe
668	msiexec.exe
1232	LKdayanJELT9QDD900055.exe
1232	LKdayanJELT9QDD900055.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1232	LKdayanJELT9QDD900055.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	724	msiexec.exe
Token: SeSecurityPrivilege	668	msiexec.exe
Token: SeCreateTokenPrivilege	724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	724	msiexec.exe
Token: SeLockMemoryPrivilege	724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	724	msiexec.exe
Token: SeMachineAccountPrivilege	724	msiexec.exe
Token: SeTcbPrivilege	724	msiexec.exe
Token: SeSecurityPrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeLoadDriverPrivilege	724	msiexec.exe
Token: SeSystemProfilePrivilege	724	msiexec.exe
Token: SeSystemtimePrivilege	724	msiexec.exe
Token: SeProfSingleProcessPrivilege	724	msiexec.exe
Token: SeIncBasePriorityPrivilege	724	msiexec.exe
Token: SeCreatePagefilePrivilege	724	msiexec.exe
Token: SeCreatePermanentPrivilege	724	msiexec.exe
Token: SeBackupPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeShutdownPrivilege	724	msiexec.exe
Token: SeDebugPrivilege	724	msiexec.exe
Token: SeAuditPrivilege	724	msiexec.exe
Token: SeSystemEnvironmentPrivilege	724	msiexec.exe
Token: SeChangeNotifyPrivilege	724	msiexec.exe
Token: SeRemoteShutdownPrivilege	724	msiexec.exe
Token: SeUndockPrivilege	724	msiexec.exe
Token: SeSyncAgentPrivilege	724	msiexec.exe
Token: SeEnableDelegationPrivilege	724	msiexec.exe
Token: SeManageVolumePrivilege	724	msiexec.exe
Token: SeImpersonatePrivilege	724	msiexec.exe
Token: SeCreateGlobalPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe
Token: SeRestorePrivilege	668	msiexec.exe
Token: SeTakeOwnershipPrivilege	668	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
724	msiexec.exe
724	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 408	668	msiexec.exe	87
PID 668 wrote to memory of 408	668	msiexec.exe	87
PID 668 wrote to memory of 408	668	msiexec.exe	87
PID 668 wrote to memory of 1232	668	msiexec.exe	91
PID 668 wrote to memory of 1232	668	msiexec.exe	91
PID 668 wrote to memory of 1232	668	msiexec.exe	91

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\HomeDesk.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:724

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 19CE3C4938A3E65E5B438780B9A6F867
  2⤵
  - Loads dropped DLL
  PID:408
- C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe
  "C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e574d38.rbs

Filesize
18KB

MD5
69320eb5866eaf0da26ecd34c7f221d2

SHA1
9c3a4789565224e6d647c9a77fa92d348413ff49

SHA256
c3a62432227f831f6e01c3842936aaa3f38e817bbe399a300ff3be53430201f2

SHA512
a639db31ad6451ff0dc0b6dc712b27fb36f576913ea592cab1654721b0aedf13c9a6e56f8131aed2380ccf82424cd67778c1c1cfb664e7c1907547db5089f13e

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\AGLoader.dll

Filesize
10.6MB

MD5
eb77a874abbd9ba3dafa46cf1b7ff686

SHA1
445f040a12bada9f7cc1b5791551adae4aaa382f

SHA256
9f2281df855c4cd8a66591a7328da0c73860bea35e89ad01dd0a80c207520815

SHA512
07c3ef5ed8d43db61c1a585cc716a1e348cf9329b56bfdffc02c58373e7e3f84b8f495d08f74da9e08e3af8e8288dace2f1216b13e7e61cbaf23f63dedfbf574

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Filesize
289KB

MD5
eb67273c54e78db4faffab9001148753

SHA1
0e6cab2fdf666e53c994718477068e51b656e078

SHA256
7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd

SHA512
8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07

Download Submit
C:\Users\Admin\Nota Fiscal Eletronica\volume.dat

Filesize
3.7MB

MD5
77de03a0a71f4bad680c0442086fcc3e

SHA1
f3732edd5d446d89a99f17f81be1736bc9ece856

SHA256
259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb

SHA512
398ec355492ec5f94aa81476bd32b75f7df944e07b9e9cd7d92feb6b94deb89dcc9f2f8c7d3f80efe1d8d7157d0d735cfa3bda246d9bb7138b746c93ac2e08f0

Download Submit
C:\Windows\Installer\MSI4DB2.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
C:\Windows\Installer\e574d35.msi

Filesize
22.5MB

MD5
3e541108bd65df0d1127e15711da911a

SHA1
eb6ae2a6dd97fa670dcae50daef8444b3ae14cc1

SHA256
52459bfa76a1b8918e1e18c7b35b9a5ea0c4876e7483e2f486217e3059b6c234

SHA512
e81c969f96b522c4925bd18a474afcf3425c32aeb4222018629d06d275011e5f75225420a664b890ba6abb5c6779e801b868153323be2a6f3d4a4671e9d68c6c

Download Submit
memory/1232-160-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1232-163-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1232-162-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1232-161-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1232-164-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/1232-165-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/1232-166-0x0000000072A70000-0x0000000073BED000-memory.dmp

Filesize
17.5MB

Download
memory/1232-159-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download