Analysis
-
max time kernel
148s -
max time network
45s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
19-07-2020 19:26
Static task
static1
Behavioral task
behavioral1
Sample
grabbot_0.1.5.5.vir.exe
Resource
win7v200430
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
grabbot_0.1.5.5.vir.exe
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
grabbot_0.1.5.5.vir.exe
-
Size
361KB
-
MD5
7ec0decf55d3ce9bf112ca4bdcb7db02
-
SHA1
a7e40979878f0afb813a429f3d644cebe257740e
-
SHA256
f92625cc11494c0c5d265ed331354338c45c05658323cfae8ff4a8099351ae05
-
SHA512
81cc2986d1c2f1f395e78f772c92ae4cd8253ba365a73433ce61615d02349f652530704c76bd046ebf135615ef5fcf727aea4d42cffded511312d541bfb464dc
Score
7/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
grabbot_0.1.5.5.vir.exesvchost.exedescription pid process Token: SeDebugPrivilege 880 grabbot_0.1.5.5.vir.exe Token: SeSecurityPrivilege 880 grabbot_0.1.5.5.vir.exe Token: SeSecurityPrivilege 880 grabbot_0.1.5.5.vir.exe Token: SeSecurityPrivilege 880 grabbot_0.1.5.5.vir.exe Token: SeSecurityPrivilege 1340 svchost.exe Token: SeSecurityPrivilege 1340 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
grabbot_0.1.5.5.vir.exedescription pid process target process PID 880 set thread context of 1340 880 grabbot_0.1.5.5.vir.exe svchost.exe -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1296 Explorer.EXE 1296 Explorer.EXE 1296 Explorer.EXE 1296 Explorer.EXE -
Processes:
Explorer.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
grabbot_0.1.5.5.vir.exesvchost.exepid process 880 grabbot_0.1.5.5.vir.exe 1340 svchost.exe 1340 svchost.exe 1340 svchost.exe 1340 svchost.exe 1340 svchost.exe 1340 svchost.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
grabbot_0.1.5.5.vir.exedescription pid process target process PID 880 wrote to memory of 1296 880 grabbot_0.1.5.5.vir.exe Explorer.EXE PID 880 wrote to memory of 1296 880 grabbot_0.1.5.5.vir.exe Explorer.EXE PID 880 wrote to memory of 1296 880 grabbot_0.1.5.5.vir.exe Explorer.EXE PID 880 wrote to memory of 1340 880 grabbot_0.1.5.5.vir.exe svchost.exe PID 880 wrote to memory of 1340 880 grabbot_0.1.5.5.vir.exe svchost.exe PID 880 wrote to memory of 1340 880 grabbot_0.1.5.5.vir.exe svchost.exe PID 880 wrote to memory of 1340 880 grabbot_0.1.5.5.vir.exe svchost.exe PID 880 wrote to memory of 1340 880 grabbot_0.1.5.5.vir.exe svchost.exe PID 880 wrote to memory of 1340 880 grabbot_0.1.5.5.vir.exe svchost.exe -
Deletes itself 1 IoCs
Processes:
Explorer.EXEpid process 1296 Explorer.EXE -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 1296 Explorer.EXE 1296 Explorer.EXE 1296 Explorer.EXE 1296 Explorer.EXE -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{EAB55558-9140-9600-5000-DD0B661655} = "\"C:\\Users\\Admin\\AppData\\Roaming\\{EAB55558-9140-9600-5000-DD0B661655}\\rwxdejkpuv.exe\"" Explorer.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
- Deletes itself
- Suspicious use of FindShellTrayWindow
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.5.5.vir.exe"C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.5.5.vir.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\{EAB55558-9140-9600-5000-DD0B661655}\lntn4HVJ
-
memory/1340-0-0x0000000010000000-0x000000001001F000-memory.dmpFilesize
124KB
-
memory/1340-1-0x0000000010010D6B-mapping.dmp
-
memory/1340-2-0x0000000010000000-0x000000001001F000-memory.dmpFilesize
124KB