grandoreiro | e2751b8455728c372f6552335a8b5c12a2f80003bbe806f5464d8f3982c0d002 | Triage

Resubmissions

24/10/2023, 21:15

231024-z3wresaa34 10

Analysis

max time kernel
132s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/10/2023, 21:15

Sharing

Report Analysis Logs

General

Target

i4D5zW6J\CBSCreateVC.dll
Size

331.8MB
MD5

7755038abb8916182c4d9bdec0cecc3a
SHA1

bdb622c83765a5d22928f72923f0fb6cdd1ac933
SHA256

9ab85595b7d114ef86f3818f7d4d4ad0b31cfabccc373e7301a68a981a956e1a
SHA512

fa6fe68b1f01ab4764741e7549478feb35c5d2bef000f74622414a397d2b280e1e0525c3377a8a6469ffb41bcf1242bdbbe49c128da5243aff49cdb4eead734c
SSDEEP

49152:Tt8ODu1nETuq3E+Zyib/NP/LKrJqh+taU69pT9Tryz+gvH:T6ODuFESqZH/ZLKYEk/

Score

10^/10

grandoreiro banker trojan

Malware Config

Signatures

Detects Grandoreiro payload 1 IoCs

resource	yara_rule
behavioral2/memory/3708-0-0x00000000025F0000-0x00000000035F0000-memory.dmp	family_grandoreiro_v1

Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
trojan banker grandoreiro

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3708	2304	regsvr32.exe	91
PID 2304 wrote to memory of 3708	2304	regsvr32.exe	91
PID 2304 wrote to memory of 3708	2304	regsvr32.exe	91

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\i4D5zW6J\CBSCreateVC.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\i4D5zW6J\CBSCreateVC.dll
  2⤵
  PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3708 -ip 3708
1⤵
PID:4692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3708-0-0x00000000025F0000-0x00000000035F0000-memory.dmp

Filesize
16.0MB

Download