grandoreiro | c5195273e6bed87762880598a2a08bdeadab8d84fab3e78b6726c7eadd08ed54

Resubmissions

30/11/2023, 17:31

231130-v358msfb4v 10

14/10/2023, 04:25

231014-e11blsab94 10

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grand.exe
Size

5.5MB
MD5

47f7101191190d132a438444ee64a798
SHA1

1b17f49c98c7a0dcf7d40752dacf6b9e99ebe2d3
SHA256

c5195273e6bed87762880598a2a08bdeadab8d84fab3e78b6726c7eadd08ed54
SHA512

6fdd4755a6c6fa157fef65e88dd5d702df7a053fa36f5646a258edb9900c2f34fd4af440ff6d06d8a8ac11fd55273244f346b064a120d172846f09ac3dbd77c3
SSDEEP

98304:vyghDiIufzZIKj5Ahc3x8x/3a1UVG+5T8wNyxZnkkYOW:vJhZuf+W1xGSUVG+x8wQZXY

Score

10^/10

grandoreiro banker persistence trojan

Malware Config

Signatures

Detects Grandoreiro payload 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023238-15.dat	family_grandoreiro_v1
behavioral2/files/0x0008000000023238-19.dat	family_grandoreiro_v1
behavioral2/files/0x0008000000023238-18.dat	family_grandoreiro_v1
behavioral2/files/0x0008000000023238-24.dat	family_grandoreiro_v1
behavioral2/files/0x0008000000023238-23.dat	family_grandoreiro_v1
behavioral2/memory/3388-25-0x0000000011770000-0x0000000012770000-memory.dmp	family_grandoreiro_v1
behavioral2/memory/3388-33-0x0000000011770000-0x0000000012770000-memory.dmp	family_grandoreiro_v1
behavioral2/memory/3388-39-0x0000000011770000-0x0000000012770000-memory.dmp	family_grandoreiro_v1
behavioral2/memory/3388-45-0x0000000011770000-0x0000000012770000-memory.dmp	family_grandoreiro_v1
behavioral2/memory/3388-54-0x0000000011770000-0x0000000012770000-memory.dmp	family_grandoreiro_v1
behavioral2/memory/3388-72-0x0000000011770000-0x0000000012770000-memory.dmp	family_grandoreiro_v1
behavioral2/memory/3388-75-0x0000000011770000-0x0000000012770000-memory.dmp	family_grandoreiro_v1

Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
trojan banker grandoreiro

Executes dropped EXE 1 IoCs

pid	Process
3388	randpp.exe

Loads dropped DLL 8 IoCs

pid	Process
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	grand.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\azzxrgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\randpp.exe"	randpp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3388	randpp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3388	randpp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3388	randpp.exe
3388	randpp.exe
3388	randpp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 3388	4680	grand.exe	84
PID 4680 wrote to memory of 3388	4680	grand.exe	84
PID 4680 wrote to memory of 3388	4680	grand.exe	84

C:\Users\Admin\AppData\Local\Temp\grand.exe
"C:\Users\Admin\AppData\Local\Temp\grand.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
244.8MB

MD5
a2d44cb6fd44e0ac67146d48e9663892

SHA1
f900008c813653e6ad52440e14fd4721d0011b9c

SHA256
53977d8cb7c095ca7fadfb41b4cd18659cd0122de01907a57076fd35d13bccd0

SHA512
f28cfbc20eb0b9f8af82baae6f195c5019e3e4b6b268c1cc5a992db36932bae2bb1c480a119fc3b9c1d86bd9dba8eae84784a9dec570eb5ce4e9a572690e7cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
233.9MB

MD5
ea783cdef19357749c05ea8dcb82dbbc

SHA1
bc4b2ce3ef265dfd73f55e65dd26ca4058b06f3e

SHA256
d6bda0f76515d8772f295f8085ace007d0c2108544a54d096274dadbf996513c

SHA512
cf1f5e29c70f50d74b32f58b061bc8a837b7471d2cd4a785646b6b90eb79804f71edd77b1a3c4039820ccd80371ddc3488c51a31a469eca95e9c69b15f5a54eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
223.3MB

MD5
7e410e61c60e557703ff118d8604e7b4

SHA1
9ecc48e344da979c54f4690678e457e756bad360

SHA256
b3a2c745c012a8c0ae43bbc879040fa6cddc7b4fdbe11fb02419b7b5f9ef2319

SHA512
c1fb73c2168b08cc9df53cf39c575cc976933b1d1d25a485dd6cc07ab7cfdc442ee727cc1537c5e36d55b4a9f7b065425fcb03e646eb65cadefb867fc002caf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
225.2MB

MD5
31bbd7eebd16e68c4f032c984ed5d20f

SHA1
6c17e5c7194bfbba1aceb255d2df01f55ab3e535

SHA256
14cb6d49a83d9365a90bb3659dd5192ff62add89d2b1d9ff166d5d79fd01ff58

SHA512
c5a8e11b6deb4ead16ec587e7ed6aefaffe339f96fd34bb7624537fe8d2b5d6cf720b6eb36e497254eec47d63f59ba46e4c6f636ea55cf7337d69c7633d1ff79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
224.1MB

MD5
45887315960ec8df68978c4bf336d38f

SHA1
e175880854b8c890f3dd401eda0933173f9d9298

SHA256
19362b972537fb634170acedb87ef681947f682caa45efc932a4dfe2ed86bde0

SHA512
ba0517883c8089f1ab57da95a3439092d2745f893327db13721cee08be7ae5affd2ca00745e4a2ee82da1bcaaec4386dedd3baa65fdf65682ec6ae001752ece0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSProducstInfo.dll

Filesize
692KB

MD5
6cd81e6343ab21a1d118243af54833a8

SHA1
bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

SHA256
306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

SHA512
295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSProducstInfo.dll

Filesize
692KB

MD5
6cd81e6343ab21a1d118243af54833a8

SHA1
bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

SHA256
306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

SHA512
295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSProducstInfo.dll

Filesize
692KB

MD5
6cd81e6343ab21a1d118243af54833a8

SHA1
bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

SHA256
306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

SHA512
295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSProducstInfo.dll

Filesize
692KB

MD5
6cd81e6343ab21a1d118243af54833a8

SHA1
bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

SHA256
306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

SHA512
295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DAQExp.dll

Filesize
1.4MB

MD5
b16ad0dd6c69c0c117c9d3647517786c

SHA1
825a54040c8e8dfe9ffb243796df806ee5b05708

SHA256
e8eace4e643ba86e5c4d1b966037a47e53836b5d328f2295713184613a72020f

SHA512
23512007a593d62c446923c446b07d64476cecf9f7ea22dbdbe48965daa482517c7f3f50a55b7b6ed3989be3df2f96004cafe3bb2204bcde401aae00ffd44632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DAQExp.dll

Filesize
1.4MB

MD5
b16ad0dd6c69c0c117c9d3647517786c

SHA1
825a54040c8e8dfe9ffb243796df806ee5b05708

SHA256
e8eace4e643ba86e5c4d1b966037a47e53836b5d328f2295713184613a72020f

SHA512
23512007a593d62c446923c446b07d64476cecf9f7ea22dbdbe48965daa482517c7f3f50a55b7b6ed3989be3df2f96004cafe3bb2204bcde401aae00ffd44632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe

Filesize
2.0MB

MD5
db67e9196605d61d8278e5278777c71f

SHA1
6fe39b3ace96505269745ed2b81975abb5aea647

SHA256
9b5f85fb164d177a24a521df6a9515f1dfb502d1b83581d37dae8ac3f1ad9010

SHA512
d2a77d6c1c7771e714f5a19db82823a8a4dd0f0402aca0751d17e7b4d66219049aa33eab3f3841de251f7393f0d01e3c7664ef0aa17f5593ba0f569d2bfe7022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe

Filesize
2.0MB

MD5
db67e9196605d61d8278e5278777c71f

SHA1
6fe39b3ace96505269745ed2b81975abb5aea647

SHA256
9b5f85fb164d177a24a521df6a9515f1dfb502d1b83581d37dae8ac3f1ad9010

SHA512
d2a77d6c1c7771e714f5a19db82823a8a4dd0f0402aca0751d17e7b4d66219049aa33eab3f3841de251f7393f0d01e3c7664ef0aa17f5593ba0f569d2bfe7022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.ini

Filesize
4KB

MD5
3e7d1bf85c27b185a920dc26b776758e

SHA1
3623ff4e4d244d951426647b5f765dec5bbdd99a

SHA256
d5be03e38f60722dca24be527e5e97b60e383dbb6c88452964c9ce4683dcd6f5

SHA512
e744594e22afbdc8482cdcad8540ebfe8444e9e4fc093fbfe785421cb77d8543f7525327e3b5ba299194944bf45afb896f7d5688ea44f840c57e2c2460b77869

Download Submit
memory/3388-27-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3388-34-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/3388-25-0x0000000011770000-0x0000000012770000-memory.dmp

Filesize
16.0MB

Download
memory/3388-29-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3388-28-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/3388-22-0x0000000000C90000-0x0000000000D48000-memory.dmp

Filesize
736KB

Download
memory/3388-31-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/3388-32-0x0000000000C90000-0x0000000000D48000-memory.dmp

Filesize
736KB

Download
memory/3388-33-0x0000000011770000-0x0000000012770000-memory.dmp

Filesize
16.0MB

Download
memory/3388-26-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3388-35-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3388-36-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/3388-39-0x0000000011770000-0x0000000012770000-memory.dmp

Filesize
16.0MB

Download
memory/3388-43-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/3388-44-0x0000000000C90000-0x0000000000D48000-memory.dmp

Filesize
736KB

Download
memory/3388-45-0x0000000011770000-0x0000000012770000-memory.dmp

Filesize
16.0MB

Download
memory/3388-54-0x0000000011770000-0x0000000012770000-memory.dmp

Filesize
16.0MB

Download
memory/3388-58-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/3388-72-0x0000000011770000-0x0000000012770000-memory.dmp

Filesize
16.0MB

Download
memory/3388-75-0x0000000011770000-0x0000000012770000-memory.dmp

Filesize
16.0MB

Download