grandoreiro | e2751b8455728c372f6552335a8b5c12a2f80003bbe806f5464d8f3982c0d002 | Triage

Resubmissions

24/10/2023, 21:15

231024-z3wresaa34 10

Analysis

max time kernel
9s
max time network
43s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
24/10/2023, 21:15

Sharing

Report Analysis Logs

General

Target

i4D5zW6J\CBSCreateVC.dll
Size

331.8MB
MD5

7755038abb8916182c4d9bdec0cecc3a
SHA1

bdb622c83765a5d22928f72923f0fb6cdd1ac933
SHA256

9ab85595b7d114ef86f3818f7d4d4ad0b31cfabccc373e7301a68a981a956e1a
SHA512

fa6fe68b1f01ab4764741e7549478feb35c5d2bef000f74622414a397d2b280e1e0525c3377a8a6469ffb41bcf1242bdbbe49c128da5243aff49cdb4eead734c
SSDEEP

49152:Tt8ODu1nETuq3E+Zyib/NP/LKrJqh+taU69pT9Tryz+gvH:T6ODuFESqZH/ZLKYEk/

Score

10^/10

grandoreiro banker trojan

Malware Config

Signatures

Detects Grandoreiro payload 1 IoCs

resource	yara_rule
behavioral1/memory/2888-0-0x0000000001EF0000-0x0000000002EF0000-memory.dmp	family_grandoreiro_v1

Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
trojan banker grandoreiro

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2888	2684	regsvr32.exe	30
PID 2684 wrote to memory of 2888	2684	regsvr32.exe	30
PID 2684 wrote to memory of 2888	2684	regsvr32.exe	30
PID 2684 wrote to memory of 2888	2684	regsvr32.exe	30
PID 2684 wrote to memory of 2888	2684	regsvr32.exe	30
PID 2684 wrote to memory of 2888	2684	regsvr32.exe	30
PID 2684 wrote to memory of 2888	2684	regsvr32.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\i4D5zW6J\CBSCreateVC.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\i4D5zW6J\CBSCreateVC.dll
  2⤵
  PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2888-0-0x0000000001EF0000-0x0000000002EF0000-memory.dmp

Filesize
16.0MB

Download
memory/2888-1-0x0000000016B00000-0x0000000016B01000-memory.dmp

Filesize
4KB

Download