grandoreiro | c5195273e6bed87762880598a2a08bdeadab8d84fab3e78b6726c7eadd08ed54

Resubmissions

30/11/2023, 17:31

231130-v358msfb4v 10

14/10/2023, 04:25

231014-e11blsab94 10

Analysis

max time kernel
170s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
30/11/2023, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grand.exe
Size

5.5MB
MD5

47f7101191190d132a438444ee64a798
SHA1

1b17f49c98c7a0dcf7d40752dacf6b9e99ebe2d3
SHA256

c5195273e6bed87762880598a2a08bdeadab8d84fab3e78b6726c7eadd08ed54
SHA512

6fdd4755a6c6fa157fef65e88dd5d702df7a053fa36f5646a258edb9900c2f34fd4af440ff6d06d8a8ac11fd55273244f346b064a120d172846f09ac3dbd77c3
SSDEEP

98304:vyghDiIufzZIKj5Ahc3x8x/3a1UVG+5T8wNyxZnkkYOW:vJhZuf+W1xGSUVG+x8wQZXY

Score

10^/10

grandoreiro banker persistence trojan

Malware Config

Signatures

Detects Grandoreiro payload 10 IoCs

resource	yara_rule
behavioral1/files/0x000700000002325e-15.dat	family_grandoreiro_v1
behavioral1/files/0x000700000002325e-18.dat	family_grandoreiro_v1
behavioral1/files/0x000700000002325e-19.dat	family_grandoreiro_v1
behavioral1/files/0x000700000002325e-23.dat	family_grandoreiro_v1
behavioral1/files/0x000700000002325e-22.dat	family_grandoreiro_v1
behavioral1/memory/2232-24-0x0000000000CA0000-0x0000000001CA0000-memory.dmp	family_grandoreiro_v1
behavioral1/memory/2232-30-0x0000000000CA0000-0x0000000001CA0000-memory.dmp	family_grandoreiro_v1
behavioral1/memory/2232-33-0x0000000000CA0000-0x0000000001CA0000-memory.dmp	family_grandoreiro_v1
behavioral1/memory/2232-38-0x0000000000CA0000-0x0000000001CA0000-memory.dmp	family_grandoreiro_v1
behavioral1/memory/2232-53-0x0000000000CA0000-0x0000000001CA0000-memory.dmp	family_grandoreiro_v1

Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
trojan banker grandoreiro

Executes dropped EXE 1 IoCs

pid	Process
2232	randpp.exe

Loads dropped DLL 7 IoCs

pid	Process
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	grand.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\azzxrgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\randpp.exe"	randpp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2232	randpp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2232	randpp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2232	randpp.exe
2232	randpp.exe
2232	randpp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 2232	4304	grand.exe	81
PID 4304 wrote to memory of 2232	4304	grand.exe	81
PID 4304 wrote to memory of 2232	4304	grand.exe	81

C:\Users\Admin\AppData\Local\Temp\grand.exe
"C:\Users\Admin\AppData\Local\Temp\grand.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
266.0MB

MD5
0459857c70102a31285f822f4d5da1d6

SHA1
a906ecdb8fbd4770ca765da1fcf2fccbb1cd3291

SHA256
a67775bf2e0a0f0816a2157760991f581c5fddcdeb8893b25febe5703ff03e9a

SHA512
53e34d5919f4609c6e124aa443649c916574a6bc11899803e28128de910c7b38ec7ca3bbe9722767968106218293f4fec73a4e9e360cdba14a93489d1156cce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
266.0MB

MD5
0459857c70102a31285f822f4d5da1d6

SHA1
a906ecdb8fbd4770ca765da1fcf2fccbb1cd3291

SHA256
a67775bf2e0a0f0816a2157760991f581c5fddcdeb8893b25febe5703ff03e9a

SHA512
53e34d5919f4609c6e124aa443649c916574a6bc11899803e28128de910c7b38ec7ca3bbe9722767968106218293f4fec73a4e9e360cdba14a93489d1156cce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
266.0MB

MD5
0459857c70102a31285f822f4d5da1d6

SHA1
a906ecdb8fbd4770ca765da1fcf2fccbb1cd3291

SHA256
a67775bf2e0a0f0816a2157760991f581c5fddcdeb8893b25febe5703ff03e9a

SHA512
53e34d5919f4609c6e124aa443649c916574a6bc11899803e28128de910c7b38ec7ca3bbe9722767968106218293f4fec73a4e9e360cdba14a93489d1156cce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
266.0MB

MD5
0459857c70102a31285f822f4d5da1d6

SHA1
a906ecdb8fbd4770ca765da1fcf2fccbb1cd3291

SHA256
a67775bf2e0a0f0816a2157760991f581c5fddcdeb8893b25febe5703ff03e9a

SHA512
53e34d5919f4609c6e124aa443649c916574a6bc11899803e28128de910c7b38ec7ca3bbe9722767968106218293f4fec73a4e9e360cdba14a93489d1156cce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSCreateVC.dll

Filesize
266.0MB

MD5
0459857c70102a31285f822f4d5da1d6

SHA1
a906ecdb8fbd4770ca765da1fcf2fccbb1cd3291

SHA256
a67775bf2e0a0f0816a2157760991f581c5fddcdeb8893b25febe5703ff03e9a

SHA512
53e34d5919f4609c6e124aa443649c916574a6bc11899803e28128de910c7b38ec7ca3bbe9722767968106218293f4fec73a4e9e360cdba14a93489d1156cce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSProducstInfo.dll

Filesize
692KB

MD5
6cd81e6343ab21a1d118243af54833a8

SHA1
bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

SHA256
306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

SHA512
295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSProducstInfo.dll

Filesize
692KB

MD5
6cd81e6343ab21a1d118243af54833a8

SHA1
bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

SHA256
306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

SHA512
295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CBSProducstInfo.dll

Filesize
692KB

MD5
6cd81e6343ab21a1d118243af54833a8

SHA1
bbe1a06bd85af7099fb111ac13d19df5f7f22cc0

SHA256
306970a9d265a45abbd2efaf61002980695b2de7961504cf71e2833f415e82a9

SHA512
295446e3732281b3afb6b06684e2642a79e6b284608305291cc01967c45d2ba5892ef687de084dbc9a22180233f1602a8c2236ec969ddda34c25d4f4e6691328

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DAQExp.dll

Filesize
1.4MB

MD5
b16ad0dd6c69c0c117c9d3647517786c

SHA1
825a54040c8e8dfe9ffb243796df806ee5b05708

SHA256
e8eace4e643ba86e5c4d1b966037a47e53836b5d328f2295713184613a72020f

SHA512
23512007a593d62c446923c446b07d64476cecf9f7ea22dbdbe48965daa482517c7f3f50a55b7b6ed3989be3df2f96004cafe3bb2204bcde401aae00ffd44632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DAQExp.dll

Filesize
1.4MB

MD5
b16ad0dd6c69c0c117c9d3647517786c

SHA1
825a54040c8e8dfe9ffb243796df806ee5b05708

SHA256
e8eace4e643ba86e5c4d1b966037a47e53836b5d328f2295713184613a72020f

SHA512
23512007a593d62c446923c446b07d64476cecf9f7ea22dbdbe48965daa482517c7f3f50a55b7b6ed3989be3df2f96004cafe3bb2204bcde401aae00ffd44632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe

Filesize
2.0MB

MD5
db67e9196605d61d8278e5278777c71f

SHA1
6fe39b3ace96505269745ed2b81975abb5aea647

SHA256
9b5f85fb164d177a24a521df6a9515f1dfb502d1b83581d37dae8ac3f1ad9010

SHA512
d2a77d6c1c7771e714f5a19db82823a8a4dd0f0402aca0751d17e7b4d66219049aa33eab3f3841de251f7393f0d01e3c7664ef0aa17f5593ba0f569d2bfe7022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.exe

Filesize
2.0MB

MD5
db67e9196605d61d8278e5278777c71f

SHA1
6fe39b3ace96505269745ed2b81975abb5aea647

SHA256
9b5f85fb164d177a24a521df6a9515f1dfb502d1b83581d37dae8ac3f1ad9010

SHA512
d2a77d6c1c7771e714f5a19db82823a8a4dd0f0402aca0751d17e7b4d66219049aa33eab3f3841de251f7393f0d01e3c7664ef0aa17f5593ba0f569d2bfe7022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\randpp.ini

Filesize
4KB

MD5
3e7d1bf85c27b185a920dc26b776758e

SHA1
3623ff4e4d244d951426647b5f765dec5bbdd99a

SHA256
d5be03e38f60722dca24be527e5e97b60e383dbb6c88452964c9ce4683dcd6f5

SHA512
e744594e22afbdc8482cdcad8540ebfe8444e9e4fc093fbfe785421cb77d8543f7525327e3b5ba299194944bf45afb896f7d5688ea44f840c57e2c2460b77869

Download Submit
memory/2232-25-0x0000000012F80000-0x0000000012F81000-memory.dmp

Filesize
4KB

Download
memory/2232-33-0x0000000000CA0000-0x0000000001CA0000-memory.dmp

Filesize
16.0MB

Download
memory/2232-26-0x0000000012F90000-0x0000000012F91000-memory.dmp

Filesize
4KB

Download
memory/2232-21-0x0000000000BE0000-0x0000000000C98000-memory.dmp

Filesize
736KB

Download
memory/2232-27-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2232-29-0x0000000000BE0000-0x0000000000C98000-memory.dmp

Filesize
736KB

Download
memory/2232-30-0x0000000000CA0000-0x0000000001CA0000-memory.dmp

Filesize
16.0MB

Download
memory/2232-31-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2232-32-0x0000000000BE0000-0x0000000000C98000-memory.dmp

Filesize
736KB

Download
memory/2232-24-0x0000000000CA0000-0x0000000001CA0000-memory.dmp

Filesize
16.0MB

Download
memory/2232-35-0x0000000012F70000-0x0000000012F71000-memory.dmp

Filesize
4KB

Download
memory/2232-34-0x00000000139E0000-0x00000000139E1000-memory.dmp

Filesize
4KB

Download
memory/2232-36-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2232-38-0x0000000000CA0000-0x0000000001CA0000-memory.dmp

Filesize
16.0MB

Download
memory/2232-53-0x0000000000CA0000-0x0000000001CA0000-memory.dmp

Filesize
16.0MB

Download
memory/2232-54-0x00000000139E0000-0x00000000139E1000-memory.dmp

Filesize
4KB

Download
memory/2232-55-0x0000000012F70000-0x0000000012F71000-memory.dmp

Filesize
4KB

Download
memory/2232-59-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download