Analysis
max time kernel: 126s
max time network: 68s
platform: windows10_x64
resource: win10v200430
submitted: 19-07-2020 19:25
Static task: static1

Behavioral task: behavioral1
Sample: grabbot_0.1.5.6.vir.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: grabbot_0.1.5.6.vir.exe
Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds
General
Target: grabbot_0.1.5.6.vir.exe
Size: 272KB
MD5: 6ce43ef9a666503ac85cbb5d48bd75ba
SHA1: 7dc3a3f882c2e558ecb298104b2a437afb7ab5ca
SHA256: 285361e7099454daec2fce73cd72a01bc7d5edc81fb4f0698a9c20a775fb9c84
SHA512: b1da8b8090be41b3b1240d8f13176bec1f85fba142e2d256772a615982db754525827accadc5049990ccb636e0de19486c796ba6b77bd547c87fc6704b3e64e8
Score: 7/10
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   process
  2992  Explorer.EXE

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run                      Explorer.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CA11E568-78C0-1A00-3000-3B32565CB3} = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CA11E568-78C0-1A00-3000-3B32565CB3}\\rwxdejopuv.exe\""   Explorer.EXE

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description                     pid   process
  Token: SeDebugPrivilege         2564  grabbot_0.1.5.6.vir.exe
  Token: SeSecurityPrivilege      2564  grabbot_0.1.5.6.vir.exe   (3 events)
  Token: SeSecurityPrivilege      1708  svchost.exe               (2 events)
  Token: SeShutdownPrivilege      2992  Explorer.EXE              (3 events)
  Token: SeCreatePagefilePrivilege 2992 Explorer.EXE              (3 events)

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid   process
  2564  grabbot_0.1.5.6.vir.exe   (3 events)
  1708  svchost.exe               (18 events)

Suspicious use of WriteProcessMemory (8 IoCs)
  description                     pid   process                   target process
  PID 2564 wrote to memory of 2992  2564  grabbot_0.1.5.6.vir.exe   Explorer.EXE   (3 events)
  PID 2564 wrote to memory of 1708  2564  grabbot_0.1.5.6.vir.exe   svchost.exe    (5 events)

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                   target process
  PID 2564 set thread context of 1708  2564  grabbot_0.1.5.6.vir.exe   svchost.exe
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Deletes itself
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.5.6.vir.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.5.6.vir.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext

      3. C:\Windows\SysWOW64\svchost.exe
         command line: "C:\Windows\system32\svchost.exe"
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: EnumeratesProcesses
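Read together, the tables above describe one chain: the sample (PID 2564) writes into its parent Explorer.EXE (PID 2992), and it is Explorer that then deletes the dropped file and writes the Run value; the sample also spawns svchost.exe (PID 1708), writes to it five times and changes its thread context, which is the process-hollowing sequence. Two details are worth a detection rule on their own. The child's image path is C:\Windows\SysWOW64\svchost.exe although the command line asked for system32\svchost.exe, which is WoW64 file-system redirection and tells you the creator is a 32-bit process; and a legitimate svchost.exe is started by services.exe with a "-k <group>" argument, whereas this one has neither. The Run value's directory name {CA11E568-78C0-1A00-3000-3B32565CB3} also only looks like a GUID: its last group has 10 hex digits instead of 12, so a strict GUID pattern would miss it. The following script is an added example, not part of the Triage report or of the sample: it replays the report's events as constructed records (the field names, the benign services.exe/svchost.exe pair with PIDs 600 and 800, and Explorer's parent PID 0 are this example's assumptions) and applies those three rules.

```python
"""Added example: rule logic over a constructed event stream modelled on the
report's signature tables. Field names are this example's own, not Triage's."""
import re

# Constructed events. PIDs, image paths, command lines and the Run value come from
# the report; the services.exe (PID 600) / svchost.exe (PID 800) pair is an assumed
# benign service host added for contrast, and Explorer's parent PID 0 is assumed.
# The Run value is given as the registry actually stores it (quotes, single
# backslashes), not in the report's escaped display form.
EVENTS = [
    {"kind": "process", "pid": 2992, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"kind": "process", "pid": 2564, "ppid": 2992,
     "image": r"C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.5.6.vir.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.5.6.vir.exe"'},
    {"kind": "process", "pid": 1708, "ppid": 2564,
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Windows\system32\svchost.exe"'},
    {"kind": "process", "pid": 600, "ppid": 500,
     "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"kind": "process", "pid": 800, "ppid": 600,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
    *[{"kind": "write_memory", "pid": 2564, "target": 2992} for _ in range(3)],
    *[{"kind": "write_memory", "pid": 2564, "target": 1708} for _ in range(5)],
    {"kind": "set_thread_context", "pid": 2564, "target": 1708},
    {"kind": "reg_set", "pid": 2992,
     "key": r"\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "{CA11E568-78C0-1A00-3000-3B32565CB3}",
     "value": r'"C:\Users\Admin\AppData\Roaming\{CA11E568-78C0-1A00-3000-3B32565CB3}\rwxdejopuv.exe"'},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _processes(events):
    return {e["pid"]: e for e in events if e["kind"] == "process"}


def suspicious_svchost(events):
    """Rule 1: svchost.exe must be a child of services.exe AND carry '-k <group>'.
    PID 1708 fails both (parent is the sample, no arguments); PID 800 passes."""
    procs = _processes(events)
    hits = []
    for p in procs.values():
        if _basename(p["image"]) != "svchost.exe":
            continue
        parent = procs.get(p["ppid"])
        parent_ok = parent is not None and _basename(parent["image"]) == "services.exe"
        args_ok = re.search(r"(^|\s)-k\s+\S+", p["cmdline"]) is not None
        if not (parent_ok and args_ok):
            hits.append(p["pid"])
    return hits


def injection_pairs(events):
    """Rule 2: count WriteProcessMemory per (source, target). Writes plus a
    SetThreadContext on a child the source created itself is hollowing;
    writes alone into an already-running process (Explorer here) is injection."""
    procs = _processes(events)
    writes = {}
    for e in events:
        if e["kind"] == "write_memory":
            key = (e["pid"], e["target"])
            writes[key] = writes.get(key, 0) + 1
    ctx = {(e["pid"], e["target"]) for e in events if e["kind"] == "set_thread_context"}
    result = {"hollowing": [], "injection": []}
    for (src, dst), n in writes.items():
        is_child = procs.get(dst, {}).get("ppid") == src
        bucket = "hollowing" if (src, dst) in ctx and is_child else "injection"
        result[bucket].append((src, dst, n))
    return result


# Deliberately loose: the report's name has a 10-hex-digit last group, so the
# strict 8-4-4-4-12 GUID shape would not match it.
GUID_LIKE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4,12}){4}\}$")


def autorun_findings(events):
    """Rule 3: Run-key values that point into user-writable AppData and/or use a
    GUID-looking name for the value or a directory on the path."""
    out = []
    for e in events:
        if e["kind"] != "reg_set" or not e["key"].lower().endswith(r"\currentversion\run"):
            continue
        path = e["value"].strip().strip('"')
        low = path.lower()
        reasons = []
        if "\\appdata\\roaming\\" in low or "\\appdata\\local\\" in low:
            reasons.append("user-writable AppData path")
        if any(GUID_LIKE.match(part) for part in path.split("\\")[:-1]) or GUID_LIKE.match(e["name"]):
            reasons.append("GUID-like name")
        out.append({"pid": e["pid"], "name": e["name"], "path": path, "reasons": reasons})
    return out


if __name__ == "__main__":
    print("svchost not from services.exe / without -k:", suspicious_svchost(EVENTS))
    print("memory-write pairs:", injection_pairs(EVENTS))
    for f in autorun_findings(EVENTS):
        print("Run value by PID %d: %s -> %s (%s)" % (f["pid"], f["name"], f["path"], ", ".join(f["reasons"])))
```

On the report's events the first rule returns only PID 1708, the second classifies (2564 -> 1708, 5 writes) as hollowing and (2564 -> 2992, 3 writes) as injection, and the third flags Explorer's Run value for both the AppData location and the GUID-like directory. The same three rules translate directly to a Sysmon or EDR query: EventID 1 for the parent/command-line check, EventID 8/10-style cross-process access for the write pairs, and EventID 13 on the Run key for the persistence rule.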
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\{CA11E568-78C0-1A00-3000-3B32565CB3}\HLb4XfNb
memory/1708-1-0x0000000010010DED-mapping.dmp
memory/1708-0-0x0000000010000000-0x000000001001F000-memory.dmp   (filesize 124KB)
memory/1708-2-0x0000000010000000-0x000000001001F000-memory.dmp   (filesize 124KB)