Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-03-2023 09:32
Behavioral tasks
behavioral1: sample HostFx.exe, resource win7-20230220-en
behavioral2: sample HostFx.exe, resource win10v2004-20230220-en
behavioral3: sample dbghelp.dll, resource win7-20230220-en
behavioral4: sample dbghelp.dll, resource win10v2004-20230220-en
behavioral5: sample uires.dll, resource win7-20230220-en
behavioral6: sample uires.dll, resource win10v2004-20230220-en
behavioral7: sample zlibai.dll, resource win7-20230220-en
behavioral8: sample zlibai.dll, resource win10v2004-20230220-en
General
Target: HostFx.exe
Size: 2.2MB
MD5: b5485d229f8078575d639fb903b4fca7
SHA1: 6a67a6bb694df592819d398a645504b2c7a2221c
SHA256: 9625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782
SHA512: 5d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8
SSDEEP: 49152:br9J0M1ZNIlSM4UUFr7Nq2O3gGEK2OrIoODzc1yTLNKdtR7YNVWms0:br9J0WIlSM4w2OQDK0
Malware Config
Signatures
Detects Grandoreiro payload (2 IoCs)
resource: behavioral2/memory/792-133-0x00000000010C0000-0x0000000002B5E000-memory.dmp, yara_rule: family_grandoreiro_v1
resource: behavioral2/memory/792-142-0x00000000010C0000-0x0000000002B5E000-memory.dmp, yara_rule: family_grandoreiro_v1
Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str), ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fujajomui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HostFx.exe", process: HostFx.exe
description: Key created, ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run, process: HostFx.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 792, process: HostFx.exe (the same entry is reported 64 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid: 792, process: HostFx.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid: 792, process: HostFx.exe
Suspicious use of WriteProcessMemory (2 IoCs)
description: PID 792 wrote to memory of 3904, pid: 792, process: HostFx.exe, target process: splwow64.exe
description: PID 792 wrote to memory of 3904, pid: 792, process: HostFx.exe, target process: splwow64.exe
Processes
C:\Users\Admin\AppData\Local\Temp\HostFx.exe (command line: "C:\Users\Admin\AppData\Local\Temp\HostFx.exe")
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (command line: C:\Windows\splwow64.exe 12288)
C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/792-133-0x00000000010C0000-0x0000000002B5E000-memory.dmp, Filesize: 26.6MB
memory/792-135-0x0000000002B80000-0x0000000002B81000-memory.dmp, Filesize: 4KB
memory/792-136-0x0000000002CB0000-0x0000000002CB1000-memory.dmp, Filesize: 4KB
memory/792-137-0x0000000002CC0000-0x0000000002CC1000-memory.dmp, Filesize: 4KB
memory/792-138-0x0000000002CE0000-0x0000000002CE1000-memory.dmp, Filesize: 4KB
memory/792-139-0x0000000002CF0000-0x0000000002CF1000-memory.dmp, Filesize: 4KB
memory/792-140-0x00000000044B0000-0x00000000044B1000-memory.dmp, Filesize: 4KB
memory/792-141-0x00000000044C0000-0x00000000044C1000-memory.dmp, Filesize: 4KB
memory/792-142-0x00000000010C0000-0x0000000002B5E000-memory.dmp, Filesize: 26.6MB
memory/792-144-0x0000000004BE0000-0x0000000004BE1000-memory.dmp, Filesize: 4KB
memory/792-143-0x0000000004BB0000-0x0000000004BB1000-memory.dmp, Filesize: 4KB
memory/792-145-0x00000000045F0000-0x00000000045F1000-memory.dmp, Filesize: 4KB
memory/792-146-0x00000000045F0000-0x00000000045F1000-memory.dmp, Filesize: 4KB