Analysis

  • max time kernel
    131s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    19-07-2020 17:16

General

  • Target

    grabbot_0.1.6.3.vir.exe

  • Size

    368KB

  • MD5

    7f99fdb03f82aa3235a24833a9e3d70a

  • SHA1

    86e4114602a51d08e0d00021ff73312a3d54432b

  • SHA256

    0dc4dbf92417c9701a2ffd8c3446bed02811bb18d245e0bf372ce0b2db92172d

  • SHA512

    90d28292921f7e36512a05198a3bd868377ba9c32a71bc7ad668e01ac49119d131d1d3f49f56eca594cf99d1f7efcabd735ae294da60ceeaee4567bec42ceea5

Score
7/10

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.6.3.vir.exe
      "C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.6.3.vir.exe"
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads