Analysis
-
max time kernel
134s -
max time network
122s -
platform
windows7_x64 -
resource
win7 -
submitted
19-07-2020 17:27
Static task
static1
Behavioral task
behavioral1
Sample
grabbot_0.1.6.4.vir.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
grabbot_0.1.6.4.vir.exe
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
grabbot_0.1.6.4.vir.exe
-
Size
380KB
-
MD5
33d2c3155d673293e9de6c7392b44a7d
-
SHA1
f86cdd91174265345c013fefac1a260d3de85c23
-
SHA256
121431bbfb1fb3a7ec99580b7af8051b3ef5ef37e9d40eb22119610c3bc9e0f6
-
SHA512
a0d1ec810a73ef997ceba6d4c85280dc650636b6e6439f7eaa53aebfe1605962e3682a3760ccd334724089538d88f6b085019c45381899985d058b725b941a92
Score
7/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
grabbot_0.1.6.4.vir.exeExplorer.EXEpid process 1496 grabbot_0.1.6.4.vir.exe 1496 grabbot_0.1.6.4.vir.exe 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
grabbot_0.1.6.4.vir.exedescription pid process target process PID 1496 wrote to memory of 1228 1496 grabbot_0.1.6.4.vir.exe Explorer.EXE PID 1496 wrote to memory of 1228 1496 grabbot_0.1.6.4.vir.exe Explorer.EXE PID 1496 wrote to memory of 1228 1496 grabbot_0.1.6.4.vir.exe Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Explorer.EXEdescription pid process Token: SeSecurityPrivilege 1228 Explorer.EXE Token: SeSecurityPrivilege 1228 Explorer.EXE Token: SeSecurityPrivilege 1228 Explorer.EXE Token: SeSecurityPrivilege 1228 Explorer.EXE Token: SeShutdownPrivilege 1228 Explorer.EXE -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
Explorer.EXEpid process 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{08C100A8-BEC0-EA00-B000-53D0477CCB} = "\"C:\\Users\\Admin\\AppData\\Roaming\\{08C100A8-BEC0-EA00-B000-53D0477CCB}\\rsxyejkpqv.exe\"" Explorer.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
Explorer.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Adds Run key to start application
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.6.4.vir.exe"C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.6.4.vir.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory