Analysis
- max time kernel: 131s
- max time network: 146s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 17:16
Static task: static1
Behavioral task: behavioral1
- Sample: grabbot_0.1.6.3.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: grabbot_0.1.6.3.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: grabbot_0.1.6.3.vir.exe
- Size: 368KB
- MD5: 7f99fdb03f82aa3235a24833a9e3d70a
- SHA1: 86e4114602a51d08e0d00021ff73312a3d54432b
- SHA256: 0dc4dbf92417c9701a2ffd8c3446bed02811bb18d245e0bf372ce0b2db92172d
- SHA512: 90d28292921f7e36512a05198a3bd868377ba9c32a71bc7ad668e01ac49119d131d1d3f49f56eca594cf99d1f7efcabd735ae294da60ceeaee4567bec42ceea5
- Score: 7/10
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes: Explorer.EXE
  description | pid | process
  Token: SeSecurityPrivilege | 3012 | Explorer.EXE
  Token: SeSecurityPrivilege | 3012 | Explorer.EXE
  Token: SeSecurityPrivilege | 3012 | Explorer.EXE
  Token: SeSecurityPrivilege | 3012 | Explorer.EXE
  Token: SeShutdownPrivilege | 3012 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3012 | Explorer.EXE
  Token: SeShutdownPrivilege | 3012 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3012 | Explorer.EXE
  Token: SeShutdownPrivilege | 3012 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3012 | Explorer.EXE
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes: grabbot_0.1.6.3.vir.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | grabbot_0.1.6.3.vir.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Explorer.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run | Explorer.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D3B91560-4500-5800-4000-0C3CB85A84} = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D3B91560-4500-5800-4000-0C3CB85A84}\\tyafglqrwx.exe\"" | Explorer.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: grabbot_0.1.6.3.vir.exe, Explorer.EXE
  pid | process
  3848 | grabbot_0.1.6.3.vir.exe
  3848 | grabbot_0.1.6.3.vir.exe
  3848 | grabbot_0.1.6.3.vir.exe
  3848 | grabbot_0.1.6.3.vir.exe
  3848 | grabbot_0.1.6.3.vir.exe
  3848 | grabbot_0.1.6.3.vir.exe
  3012 | Explorer.EXE
  3012 | Explorer.EXE
  3012 | Explorer.EXE
  3012 | Explorer.EXE
  3012 | Explorer.EXE
  3012 | Explorer.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: grabbot_0.1.6.3.vir.exe
  description | pid | process | target process
  PID 3848 wrote to memory of 3012 | 3848 | grabbot_0.1.6.3.vir.exe | Explorer.EXE
  PID 3848 wrote to memory of 3012 | 3848 | grabbot_0.1.6.3.vir.exe | Explorer.EXE
  PID 3848 wrote to memory of 3012 | 3848 | grabbot_0.1.6.3.vir.exe | Explorer.EXE
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of AdjustPrivilegeToken
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
2. C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.6.3.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.6.3.vir.exe"
   - Enumerates system info in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory