Analysis
-
max time kernel
131s -
max time network
134s -
platform
windows10_x64 -
resource
win10 -
submitted
19-07-2020 16:47
Static task
static1
Behavioral task
behavioral1
Sample
grabbot_0.1.4.3.vir.exe
Resource
win7v200430
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
grabbot_0.1.4.3.vir.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
grabbot_0.1.4.3.vir.exe
-
Size
484KB
-
MD5
e71757443439452b11c05a06d684acb8
-
SHA1
7eb0380d4d295b649e1f1c4fc82c2e4dcd4325cc
-
SHA256
39c70b63f715a285b8c68c88546b49eb65f799ae3fc78c2c8f1272ac8d5c05ef
-
SHA512
09679022f5de09dd30ee48784c2d6cf4cbf92271cd278155c2274ef39eda25d7001f1a5277d767d7b43cb655fa8b7cdbfcd52ffb88081a458de3de44735af1a6
Score
8/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
grabbot_0.1.4.3.vir.exegrabbot_0.1.4.3.vir.exeWerFault.exepid process 3676 grabbot_0.1.4.3.vir.exe 3676 grabbot_0.1.4.3.vir.exe 1892 grabbot_0.1.4.3.vir.exe 1892 grabbot_0.1.4.3.vir.exe 1892 grabbot_0.1.4.3.vir.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe 3252 WerFault.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
grabbot_0.1.4.3.vir.exegrabbot_0.1.4.3.vir.exedescription pid process target process PID 3676 wrote to memory of 3840 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3840 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3840 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3876 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3876 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3876 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3012 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3012 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3012 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3012 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3012 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3012 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3012 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3012 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 3012 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 3676 wrote to memory of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe PID 1892 wrote to memory of 2968 1892 grabbot_0.1.4.3.vir.exe Explorer.EXE PID 1892 wrote to memory of 2968 1892 grabbot_0.1.4.3.vir.exe Explorer.EXE PID 1892 wrote to memory of 2968 1892 grabbot_0.1.4.3.vir.exe Explorer.EXE -
Suspicious use of SetThreadContext 2 IoCs
Processes:
grabbot_0.1.4.3.vir.exedescription pid process target process PID 3676 set thread context of 3012 3676 grabbot_0.1.4.3.vir.exe iexplore.exe PID 3676 set thread context of 1892 3676 grabbot_0.1.4.3.vir.exe grabbot_0.1.4.3.vir.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
grabbot_0.1.4.3.vir.exeWerFault.exedescription pid process Token: SeDebugPrivilege 1892 grabbot_0.1.4.3.vir.exe Token: SeSecurityPrivilege 1892 grabbot_0.1.4.3.vir.exe Token: SeRestorePrivilege 3252 WerFault.exe Token: SeBackupPrivilege 3252 WerFault.exe Token: SeDebugPrivilege 3252 WerFault.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3252 1892 WerFault.exe grabbot_0.1.4.3.vir.exe -
Processes:
resource yara_rule behavioral2/memory/3012-0-0x0000000000400000-0x00000000009DC000-memory.dmp upx behavioral2/memory/3012-3-0x0000000000400000-0x00000000009DC000-memory.dmp upx behavioral2/memory/3012-4-0x0000000000400000-0x00000000009DC000-memory.dmp upx -
Checks whether UAC is enabled 1 IoCs
Processes:
iexplore.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
grabbot_0.1.4.3.vir.exeiexplore.exepid process 3676 grabbot_0.1.4.3.vir.exe 3676 grabbot_0.1.4.3.vir.exe 3012 iexplore.exe 3012 iexplore.exe 3012 iexplore.exe 3012 iexplore.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.4.3.vir.exe"C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.4.3.vir.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.4.3.vir.exe"C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.4.3.vir.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 5804⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1892-9-0x0000000000404DB0-mapping.dmp
-
memory/1892-2-0x0000000000400000-0x0000000019270000-memory.dmpFilesize
398.4MB
-
memory/1892-5-0x0000000000404DB0-mapping.dmp
-
memory/1892-6-0x0000000000400000-0x0000000019270000-memory.dmpFilesize
398.4MB
-
memory/1892-10-0x0000000000404DB0-mapping.dmp
-
memory/1892-11-0x0000000000404DB0-mapping.dmp
-
memory/3012-1-0x000000000040D560-mapping.dmp
-
memory/3012-3-0x0000000000400000-0x00000000009DC000-memory.dmpFilesize
5.9MB
-
memory/3012-4-0x0000000000400000-0x00000000009DC000-memory.dmpFilesize
5.9MB
-
memory/3012-0-0x0000000000400000-0x00000000009DC000-memory.dmpFilesize
5.9MB
-
memory/3252-7-0x0000000004550000-0x0000000004551000-memory.dmpFilesize
4KB
-
memory/3252-8-0x0000000004550000-0x0000000004551000-memory.dmpFilesize
4KB
-
memory/3252-12-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB