grandoreiro | 3810d9472973ebfc636f39c290dd4ba21aa87beb926aab38b967ae3299518a81

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2023 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HostFx.exe
Size

2.2MB
MD5

b5485d229f8078575d639fb903b4fca7
SHA1

6a67a6bb694df592819d398a645504b2c7a2221c
SHA256

9625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782
SHA512

5d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8
SSDEEP

49152:br9J0M1ZNIlSM4UUFr7Nq2O3gGEK2OrIoODzc1yTLNKdtR7YNVWms0:br9J0WIlSM4w2OQDK0

Score

10^/10

grandoreiro banker persistence trojan

Malware Config

Signatures

Detects Grandoreiro payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/792-133-0x00000000010C0000-0x0000000002B5E000-memory.dmp	family_grandoreiro_v1
behavioral2/memory/792-142-0x00000000010C0000-0x0000000002B5E000-memory.dmp	family_grandoreiro_v1

Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
trojan banker grandoreiro

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HostFx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fujajomui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HostFx.exe"	HostFx.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	HostFx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HostFx.exe

pid	process
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe
792	HostFx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HostFx.exe

pid process

792 HostFx.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

HostFx.exe

pid process

792 HostFx.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

HostFx.exe

description pid process target process

PID 792 wrote to memory of 3904 792 HostFx.exe splwow64.exe
PID 792 wrote to memory of 3904 792 HostFx.exe splwow64.exe

description	pid	process	target process
PID 792 wrote to memory of 3904	792	HostFx.exe	splwow64.exe
PID 792 wrote to memory of 3904	792	HostFx.exe	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\HostFx.exe
"C:\Users\Admin\AppData\Local\Temp\HostFx.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-133-0x00000000010C0000-0x0000000002B5E000-memory.dmp

Filesize
26.6MB

Download
memory/792-135-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/792-136-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/792-137-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/792-138-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/792-139-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/792-140-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/792-141-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/792-142-0x00000000010C0000-0x0000000002B5E000-memory.dmp

Filesize
26.6MB

Download
memory/792-144-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/792-143-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/792-145-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/792-146-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download