Malware Analysis Report

2025-04-03 10:19

Sample ID 250304-t68x9svwes
Target Finale.EXE
SHA256 ebb05b36566dff60f275b81c277383b13f8f5feffc65c3bab34b2b370c513ded
Tags
latentbot defense_evasion discovery persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ebb05b36566dff60f275b81c277383b13f8f5feffc65c3bab34b2b370c513ded

Threat Level: Known bad

The file Finale.EXE was found to be: Known bad.

Malicious Activity Summary

latentbot defense_evasion discovery persistence trojan

LatentBot

Latentbot family

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-04 16:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-04 16:41

Reported

2025-03-04 16:41

Platform

win11-20250217-en

Max time kernel

28s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Finale.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchosts.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Microsoft\Windows\CurrentVersion\Run\40f1abfeb160a5f5393e777877aaa6e4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Finale.exe" C:\Users\Admin\AppData\Local\Temp\Finale.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Finale.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Finale.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Finale.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Finale.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3120 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Finale.exe C:\Users\Admin\AppData\Local\Temp\svchosts.exe
PID 3120 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Finale.exe C:\Users\Admin\AppData\Local\Temp\svchosts.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Finale.exe

"C:\Users\Admin\AppData\Local\Temp\Finale.exe"

C:\Users\Admin\AppData\Local\Temp\svchosts.exe

"C:\Users\Admin\AppData\Local\Temp\svchosts.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lorenzo12321mn5.zapto.org udp
HR 5.59.39.249:7777 lorenzo12321mn5.zapto.org tcp

Files

memory/3120-0-0x0000000074AB1000-0x0000000074AB2000-memory.dmp

memory/3120-1-0x0000000074AB0000-0x0000000075061000-memory.dmp

memory/3120-2-0x0000000074AB0000-0x0000000075061000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft_Corporation\Finale.exe_Url_ufwst4rlqjukh4xkwnln02qokegiwc4j\10.0.17134.1\user.config

MD5 d35ba61c9057a091a15062d619334277
SHA1 94eee59043434861b40b35ac39874f4d829fb9f4
SHA256 fc2f4ba95530b26958ecbdea853d50065ef96882621fc89b2f0058ad894cfac6
SHA512 8bf1a004b588b1586db4c172dca0c1330741b07aad6902e086151b1f4a9ceda8d123b0a597a434db87b2678db2fd82b8352a9087548f6a85d9535e9e478e5f3d

C:\Users\Admin\AppData\Local\Microsoft_Corporation\Finale.exe_Url_ufwst4rlqjukh4xkwnln02qokegiwc4j\10.0.17134.1\user.config

MD5 e0db2bddbea80c8d5684670c88d57f72
SHA1 5d3084b74f48d12db8f880ddfed87a1ef580034d
SHA256 4ad5ddc45a6eb07d4b434574852de6982a22455950e698bb5889eb75635f954a
SHA512 bbb31b529022a7793bbaa5b051300c5cdaafdc9713aabc7f5afce52e3bfb2da8818b748f0824cfc3c18dc44878198f7e95d470fd87bf94e396713ab3e1ffd447

memory/3120-23-0x0000000074AB0000-0x0000000075061000-memory.dmp

memory/3120-24-0x0000000074AB0000-0x0000000075061000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchosts.exe

MD5 a2c2083d4e670ee625364fd3ae089e3f
SHA1 6340e831bfe448180989fe04e3cbeec22580f641
SHA256 860d0927606127409599cb6f25ee36adad42894d723a3b7ac3c69b329ca5bd07
SHA512 da9f110a3b88063c6d8a557b31f45b422ffe38f1996d6544778ed5418fc1c6a0697e001b69d7188319cd6f862373919652abf03ae103f42da89483eb660ca837

memory/3120-47-0x0000000074AB0000-0x0000000075061000-memory.dmp

memory/4608-48-0x00007FFDFE1C5000-0x00007FFDFE1C6000-memory.dmp

memory/4608-50-0x000000001BD30000-0x000000001C1FE000-memory.dmp

memory/4608-49-0x00007FFDFDF10000-0x00007FFDFE8B1000-memory.dmp

memory/3120-54-0x0000000001A90000-0x0000000001AA0000-memory.dmp

memory/3120-53-0x0000000001A90000-0x0000000001AA0000-memory.dmp

memory/4608-52-0x00007FFDFDF10000-0x00007FFDFE8B1000-memory.dmp

memory/4608-51-0x000000001C200000-0x000000001C29C000-memory.dmp

memory/4608-55-0x0000000001090000-0x0000000001098000-memory.dmp

memory/4608-56-0x000000001E730000-0x000000001E7D6000-memory.dmp

memory/4608-57-0x0000000001060000-0x0000000001070000-memory.dmp

memory/3120-58-0x0000000074AB0000-0x0000000075061000-memory.dmp

memory/4608-59-0x00007FFDFDF10000-0x00007FFDFE8B1000-memory.dmp

memory/3120-61-0x0000000001A90000-0x0000000001AA0000-memory.dmp

memory/3120-60-0x0000000001A90000-0x0000000001AA0000-memory.dmp

memory/4608-62-0x0000000001060000-0x0000000001070000-memory.dmp