grandoreiro | 210dbd36826cc7f97bfeab65600eeb0e17f377d91d7818cf9f14c1cb3677ad26

Analysis

max time kernel
269s
max time network
49s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28/03/2023, 17:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Archive.688306047.vbs
Size

8KB
MD5

dfd1724a4e51522d244d96dd58dcd721
SHA1

c8affb1a38d2bebaaf5c91aec4c23f2337533fe8
SHA256

1111e97e61ee666ad9df5a3fe14b37eeb02355c557c2998eb220bc165c0f6f1d
SHA512

f086dd7609b6bca84ce4db9d547eca9b554bb8582b9004eca0797bf4f50a81414c73d10d59e752cc44db723c13ace1e8e600bcc9bb43d48a62e0e419ea121101
SSDEEP

96:ehSF2h2qFlO5E8WDxSAC9H0pmJdy0xjK8rq9yZ9z0tsCNNM:dFIt3XcH0pSHrq9yZ9z/CNNM

Score

10^/10

grandoreiro banker persistence trojan

Malware Config

Signatures

Detects Grandoreiro payload 4 IoCs

resource	yara_rule
behavioral3/files/0x000800000001231d-118.dat	family_grandoreiro_v1
behavioral3/files/0x000800000001231d-119.dat	family_grandoreiro_v1
behavioral3/memory/1364-120-0x0000000001060000-0x0000000002AFD000-memory.dmp	family_grandoreiro_v1
behavioral3/memory/1364-145-0x0000000001060000-0x0000000002AFD000-memory.dmp	family_grandoreiro_v1

Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
trojan banker grandoreiro

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	1376	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1364	HostFx.exe

Loads dropped DLL 3 IoCs

pid	Process
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run	HostFx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\fujajomui = "C:\\02EoVNPx\\HostFx.exe"	HostFx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe
1364	HostFx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	HostFx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1376	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1364	HostFx.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1364	1376	WScript.exe	28
PID 1376 wrote to memory of 1364	1376	WScript.exe	28
PID 1376 wrote to memory of 1364	1376	WScript.exe	28
PID 1376 wrote to memory of 1364	1376	WScript.exe	28
PID 1376 wrote to memory of 1364	1376	WScript.exe	28
PID 1376 wrote to memory of 1364	1376	WScript.exe	28
PID 1376 wrote to memory of 1364	1376	WScript.exe	28
PID 1364 wrote to memory of 884	1364	HostFx.exe	29
PID 1364 wrote to memory of 884	1364	HostFx.exe	29
PID 1364 wrote to memory of 884	1364	HostFx.exe	29
PID 1364 wrote to memory of 884	1364	HostFx.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Archive.688306047.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1376
- C:\02EoVNPx\HostFx.exe
  "C:\02EoVNPx\HostFx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\02EoVNPx\HostFx.exe

Filesize
2.2MB

MD5
b5485d229f8078575d639fb903b4fca7

SHA1
6a67a6bb694df592819d398a645504b2c7a2221c

SHA256
9625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782

SHA512
5d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8

Download Submit
C:\02EoVNPx\HostFx.exe

Filesize
2.2MB

MD5
b5485d229f8078575d639fb903b4fca7

SHA1
6a67a6bb694df592819d398a645504b2c7a2221c

SHA256
9625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782

SHA512
5d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8

Download Submit
C:\02EoVNPx\HostFx.exe

Filesize
2.2MB

MD5
b5485d229f8078575d639fb903b4fca7

SHA1
6a67a6bb694df592819d398a645504b2c7a2221c

SHA256
9625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782

SHA512
5d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8

Download Submit
C:\02EoVNPx\Test.Zip

Filesize
22.6MB

MD5
cac9d2558d122149ae7d96a77477ca31

SHA1
e1e8728d08ccb215a8234d88e0ffd725822f8a53

SHA256
042cb2a7d5494ff63ac5dac24acfb6a7b453546a897bb5c54f4f985b0da1b491

SHA512
9498aa32d33cade7f2e7f3383498b66b4986c722473d9ac56f539f3d1ad1c0e3433ef4a04d99e169d07e39831a42ff160173fce66fb015d121e17712d50b509a

Download Submit
C:\02EoVNPx\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\02EoVNPx\uires.dll

Filesize
13.0MB

MD5
87c7411e05ff159a3707869adc9d5c01

SHA1
d147cfdc5d2ea979aa757423a0a22577c45acbe1

SHA256
207d66dae08ca39065019355802604768b213ed2817e78bea128f136784af6a7

SHA512
a5a22ed12fa2ea7d343fa38e527fab8735924e350dd138b72e2bec4417825b8bab52e6814ced320f67030fa3a0b88afd7a50ac1714476f40d9ec54c33acae922

Download Submit
C:\02EoVNPx\zlibai.dll

Filesize
26.5MB

MD5
36d9e993ab9121c0046aadf30b82820e

SHA1
5440c5045f86fa5d97d91c0e787cddbfb8042725

SHA256
e33ac90c9d52ac62087d1bb984996804d176c8dbdee38aaa01f9dbb87de8d35c

SHA512
a29796223bac3d42b4b8baf0f467d88d2d31449d2cab56d1fd3d96bdf749be0ab79dfc1bd8b4cee37b5eb89dfce1da495ea85eb2c32acbb49dcbaeb83b36e152

Download Submit
\02EoVNPx\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
\02EoVNPx\uires.dll

Filesize
13.0MB

MD5
87c7411e05ff159a3707869adc9d5c01

SHA1
d147cfdc5d2ea979aa757423a0a22577c45acbe1

SHA256
207d66dae08ca39065019355802604768b213ed2817e78bea128f136784af6a7

SHA512
a5a22ed12fa2ea7d343fa38e527fab8735924e350dd138b72e2bec4417825b8bab52e6814ced320f67030fa3a0b88afd7a50ac1714476f40d9ec54c33acae922

Download Submit
\02EoVNPx\zlibai.dll

Filesize
26.5MB

MD5
36d9e993ab9121c0046aadf30b82820e

SHA1
5440c5045f86fa5d97d91c0e787cddbfb8042725

SHA256
e33ac90c9d52ac62087d1bb984996804d176c8dbdee38aaa01f9dbb87de8d35c

SHA512
a29796223bac3d42b4b8baf0f467d88d2d31449d2cab56d1fd3d96bdf749be0ab79dfc1bd8b4cee37b5eb89dfce1da495ea85eb2c32acbb49dcbaeb83b36e152

Download Submit
memory/1364-130-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1364-140-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1364-126-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1364-127-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1364-128-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1364-129-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1364-131-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1364-132-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1364-124-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1364-134-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1364-135-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1364-137-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1364-138-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1364-125-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1364-141-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1364-143-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1364-144-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1364-145-0x0000000001060000-0x0000000002AFD000-memory.dmp

Filesize
26.6MB

Download
memory/1364-146-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1364-149-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1364-150-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1364-120-0x0000000001060000-0x0000000002AFD000-memory.dmp

Filesize
26.6MB

Download
memory/1364-156-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1364-153-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1364-154-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1376-72-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download