Analysis
- max time kernel: 147s
- max time network: 140s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 17:15
Static task: static1
Behavioral task: behavioral1
- Sample: grabbot_0.1.4.1.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: grabbot_0.1.4.1.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: grabbot_0.1.4.1.vir.exe
- Size: 481KB
- MD5: 8ebecea290d820559e97c1cc986ea478
- SHA1: cbe3edc86036d98dfb38121eb146675e5e9518a5
- SHA256: a3d84719636834e5a62c94bc6aca2270209d154144c98948144800dcaba60a6b
- SHA512: b7edb7d0fa14381547fcf1e0216864d1a8d35ed071d76290dd51b64601b55154079dd1d2257d39f0471a40eb23b94bfe12299ca4053faee10c8ebdaf1aece345
- Score: 7/10
Malware Config
Signatures

Deletes itself (1 IoC)
Processes:
- pid 1300 Explorer.EXE

Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Explorer.EXE)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 904 grabbot_0.1.4.1.vir.exe
- Token: SeSecurityPrivilege, pid 904 grabbot_0.1.4.1.vir.exe
- Token: SeSecurityPrivilege, pid 904 grabbot_0.1.4.1.vir.exe
- Token: SeSecurityPrivilege, pid 1408 svchost.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
- pid 904 grabbot_0.1.4.1.vir.exe (1 event)
- pid 1408 svchost.exe (6 events)

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 904 grabbot_0.1.4.1.vir.exe set thread context of PID 1408 svchost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run (Explorer.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{10F69578-6040-9E00-1000-9906765F11} = "\"C:\\Users\\Admin\\AppData\\Roaming\\{10F69578-6040-9E00-1000-9906765F11}\\vbchinotya.exe\"" (Explorer.EXE)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 904 grabbot_0.1.4.1.vir.exe wrote to memory of PID 1300 Explorer.EXE (3 events)
- PID 904 grabbot_0.1.4.1.vir.exe wrote to memory of PID 1408 svchost.exe (6 events)

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
- pid 1300 Explorer.EXE (5 events)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
- pid 1300 Explorer.EXE (4 events)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Deletes itself
   - Checks whether UAC is enabled
   - Adds Run key to start application
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

2. C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.4.1.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.4.1.vir.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\svchost.exe
   Command line: "C:\Windows\system32\svchost.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses