grandoreiro | c5195273e6bed87762880598a2a08bdeadab8d84fab3e78b6726c7eadd08ed54

Resubmissions

30/11/2023, 17:31

231130-v358msfb4v 10

14/10/2023, 04:25

231014-e11blsab94 10

Analysis

max time kernel
146s
max time network
140s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grand.exe
Size

5.5MB
MD5

47f7101191190d132a438444ee64a798
SHA1

1b17f49c98c7a0dcf7d40752dacf6b9e99ebe2d3
SHA256

c5195273e6bed87762880598a2a08bdeadab8d84fab3e78b6726c7eadd08ed54
SHA512

6fdd4755a6c6fa157fef65e88dd5d702df7a053fa36f5646a258edb9900c2f34fd4af440ff6d06d8a8ac11fd55273244f346b064a120d172846f09ac3dbd77c3
SSDEEP

98304:vyghDiIufzZIKj5Ahc3x8x/3a1UVG+5T8wNyxZnkkYOW:vJhZuf+W1xGSUVG+x8wQZXY

Score

10^/10

grandoreiro banker persistence trojan

Malware Config

Signatures

Detects Grandoreiro payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0010000000012274-15.dat	family_grandoreiro_v1
behavioral1/files/0x0010000000012274-23.dat	family_grandoreiro_v1
behavioral1/memory/2652-24-0x0000000000850000-0x0000000001850000-memory.dmp	family_grandoreiro_v1
behavioral1/memory/2652-38-0x0000000000850000-0x0000000001850000-memory.dmp	family_grandoreiro_v1
behavioral1/memory/2652-41-0x0000000000850000-0x0000000001850000-memory.dmp	family_grandoreiro_v1
behavioral1/memory/2652-44-0x0000000000850000-0x0000000001850000-memory.dmp	family_grandoreiro_v1
behavioral1/memory/2652-50-0x0000000000850000-0x0000000001850000-memory.dmp	family_grandoreiro_v1

Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
trojan banker grandoreiro

Executes dropped EXE 1 IoCs

pid	Process
2652	randpp.exe

Loads dropped DLL 3 IoCs

pid	Process
2652	randpp.exe
2652	randpp.exe
2652	randpp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	grand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2652	randpp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	randpp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2652	2112	grand.exe	30
PID 2112 wrote to memory of 2652	2112	grand.exe	30
PID 2112 wrote to memory of 2652	2112	grand.exe	30
PID 2112 wrote to memory of 2652	2112	grand.exe	30

C:\Users\Admin\AppData\Local\Temp\grand.exe
"C:\Users\Admin\AppData\Local\Temp\grand.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
105.1MB

MD5
3da7b7b421a3ac2a187e3166e3b2dffa

SHA1
e464f887c13c5191eca101d9cc54daa095f1c643

SHA256
1f75a713d0aadd785f1a10ab91e008fd8283b624dd28b4e01781f95cdb560893

SHA512
4609c66158f6b920f1dc167a4d3d18fbd3d83924a181038ce7806dcc62249e4bb4f3022385b6e7bea59fd97844029fc14bd561d55272a40717831187f6a71225

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSProducstInfo.dll

Filesize
692KB

MD5
6cd81e6343ab21a1d118243af54833a8

SHA1
bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

SHA256
306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

SHA512
295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DAQExp.dll

Filesize
1.4MB

MD5
b16ad0dd6c69c0c117c9d3647517786c

SHA1
825a54040c8e8dfe9ffb243796df806ee5b05708

SHA256
e8eace4e643ba86e5c4d1b966037a47e53836b5d328f2295713184613a72020f

SHA512
23512007a593d62c446923c446b07d64476cecf9f7ea22dbdbe48965daa482517c7f3f50a55b7b6ed3989be3df2f96004cafe3bb2204bcde401aae00ffd44632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe

Filesize
2.0MB

MD5
db67e9196605d61d8278e5278777c71f

SHA1
6fe39b3ace96505269745ed2b81975abb5aea647

SHA256
9b5f85fb164d177a24a521df6a9515f1dfb502d1b83581d37dae8ac3f1ad9010

SHA512
d2a77d6c1c7771e714f5a19db82823a8a4dd0f0402aca0751d17e7b4d66219049aa33eab3f3841de251f7393f0d01e3c7664ef0aa17f5593ba0f569d2bfe7022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe

Filesize
2.0MB

MD5
db67e9196605d61d8278e5278777c71f

SHA1
6fe39b3ace96505269745ed2b81975abb5aea647

SHA256
9b5f85fb164d177a24a521df6a9515f1dfb502d1b83581d37dae8ac3f1ad9010

SHA512
d2a77d6c1c7771e714f5a19db82823a8a4dd0f0402aca0751d17e7b4d66219049aa33eab3f3841de251f7393f0d01e3c7664ef0aa17f5593ba0f569d2bfe7022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.ini

Filesize
4KB

MD5
3e7d1bf85c27b185a920dc26b776758e

SHA1
3623ff4e4d244d951426647b5f765dec5bbdd99a

SHA256
d5be03e38f60722dca24be527e5e97b60e383dbb6c88452964c9ce4683dcd6f5

SHA512
e744594e22afbdc8482cdcad8540ebfe8444e9e4fc093fbfe785421cb77d8543f7525327e3b5ba299194944bf45afb896f7d5688ea44f840c57e2c2460b77869

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
104.2MB

MD5
a37b0d363553efaa95d1f57c3af1e3c9

SHA1
f7e33f927518b74b61c175b109b1f27372ad171a

SHA256
ae901bdd10650339e79b91611857b53f1807b09307b7dd4414f2db1c427c3ba0

SHA512
2eae9289df07fde155998f6f67caec2b2baf7b690c889c7e727e06698e0d5345adfc78eb1a4539602c7c8a2aa53cc5f95b7f579db7c47a05a06387d31ceaadbc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSProducstInfo.dll

Filesize
692KB

MD5
6cd81e6343ab21a1d118243af54833a8

SHA1
bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

SHA256
306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

SHA512
295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\DAQExp.dll

Filesize
1.4MB

MD5
b16ad0dd6c69c0c117c9d3647517786c

SHA1
825a54040c8e8dfe9ffb243796df806ee5b05708

SHA256
e8eace4e643ba86e5c4d1b966037a47e53836b5d328f2295713184613a72020f

SHA512
23512007a593d62c446923c446b07d64476cecf9f7ea22dbdbe48965daa482517c7f3f50a55b7b6ed3989be3df2f96004cafe3bb2204bcde401aae00ffd44632

Download Submit
memory/2652-37-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2652-44-0x0000000000850000-0x0000000001850000-memory.dmp

Filesize
16.0MB

Download
memory/2652-29-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2652-32-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2652-35-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2652-24-0x0000000000850000-0x0000000001850000-memory.dmp

Filesize
16.0MB

Download
memory/2652-38-0x0000000000850000-0x0000000001850000-memory.dmp

Filesize
16.0MB

Download
memory/2652-39-0x0000000000230000-0x00000000002E8000-memory.dmp

Filesize
736KB

Download
memory/2652-41-0x0000000000850000-0x0000000001850000-memory.dmp

Filesize
16.0MB

Download
memory/2652-27-0x0000000000230000-0x00000000002E8000-memory.dmp

Filesize
736KB

Download
memory/2652-45-0x0000000000230000-0x00000000002E8000-memory.dmp

Filesize
736KB

Download
memory/2652-46-0x00000000137B0000-0x00000000137B1000-memory.dmp

Filesize
4KB

Download
memory/2652-47-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2652-16-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2652-49-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2652-51-0x0000000000230000-0x00000000002E8000-memory.dmp

Filesize
736KB

Download
memory/2652-50-0x0000000000850000-0x0000000001850000-memory.dmp

Filesize
16.0MB

Download
memory/2652-52-0x00000000137B0000-0x00000000137B1000-memory.dmp

Filesize
4KB

Download
memory/2652-53-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2652-54-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads