Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
103s -
platform
windows10-1703_x64 -
resource
win10-20230831-en -
resource tags
arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system -
submitted
02/09/2023, 14:51
Static task
static1
Behavioral task
behavioral1
Sample
Grammarly Promotional Launcher.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Grammarly Promotional Launcher.exe
Resource
win10-20230831-en
Behavioral task
behavioral3
Sample
Grammarly Promotional Launcher.exe
Resource
win10v2004-20230831-en
General
-
Target
Grammarly Promotional Launcher.exe
-
Size
20.4MB
-
MD5
9ed667ef1d116c0cb1051b8001b6ea0f
-
SHA1
cbe4fdb8847ff9b5d0aa1e0a43bb3abd28f4a875
-
SHA256
deba2be10d757679996d33d70d37b968088ba37e1d0f86d71beb8be38c34262f
-
SHA512
4fc726f8f2ca7f024f5db1a660a3c9dff109014cc2f56097470b317950d05956c084f2e19fb9da3d14d589444c2bb0a7a370bce8b5dc049b5d3e774994bdd4e1
-
SSDEEP
393216:onRZwqeWLCKhc+0Uz+JD8rY5Pobe7n/k8MoeTtqLiVc4GYbJQp:CN1hxX+QrY5PAe7/kHtsii4bbJG
Malware Config
Extracted
stealc
9323114451583182971321730716
http://89.23.108.122
-
url_path
/e510c4e87f874d68.php
Signatures
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
pid Process 4776 MSBuild.exe 4776 MSBuild.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: Grammarly Promotional Launcher.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1544 set thread context of 4776 1544 Grammarly Promotional Launcher.exe 73 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 208 powershell.exe 208 powershell.exe 208 powershell.exe 4776 MSBuild.exe 4776 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 208 powershell.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1544 wrote to memory of 208 1544 Grammarly Promotional Launcher.exe 71 PID 1544 wrote to memory of 208 1544 Grammarly Promotional Launcher.exe 71 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73
Processes
-
C:\Users\Admin\AppData\Local\Temp\Grammarly Promotional Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Grammarly Promotional Launcher.exe"1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4776
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571