Overview

overview

10

Static

static

10

Growtoken.exe

windows10-2004-x64

10

Growtoken.exe

windows11-21h2-x64

10

Resubmissions

30-05-2024 08:19

240530-j76t7acf66 10

30-05-2024 08:16

240530-j6cjyscf33 10

30-05-2024 08:10

240530-j244eabe3t 10

30-05-2024 07:54

240530-jrx74scc37 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Growtoken.exe

  • Size

    1.2MB

  • Sample

    240530-j76t7acf66

  • MD5

    b4fd82d36033b222e24a3bebb36160c2

  • SHA1

    f0834b6a9fe196eff0df953a8054f0cc16d31b5e

  • SHA256

    d44006982388af1f774550e394ebc9a613bbccd2e0dbedfdac871fee1872ad96

  • SHA512

    3bc7a33310105b1a3a882e7e407de49bdb11cf8d8360d4b56d2908fc3b8d075cecb2d198803a78cde132432efd9920ebfd3ebdb3c9dd1d7dd4f3061103240b74

  • SSDEEP

    12288:XTEYAsROAsrt/uxduo1jB0Y96qlBBScaepDkNDFTK/6AHR2MZ/Rev0HMpHqEc:XwT7rC6qpScJpMuSCR1ZevuEqE

Score
10/10
eternitydiscoveryevasionexecutionpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      Growtoken.exe

    • Size

      1.2MB

    • MD5

      b4fd82d36033b222e24a3bebb36160c2

    • SHA1

      f0834b6a9fe196eff0df953a8054f0cc16d31b5e

    • SHA256

      d44006982388af1f774550e394ebc9a613bbccd2e0dbedfdac871fee1872ad96

    • SHA512

      3bc7a33310105b1a3a882e7e407de49bdb11cf8d8360d4b56d2908fc3b8d075cecb2d198803a78cde132432efd9920ebfd3ebdb3c9dd1d7dd4f3061103240b74

    • SSDEEP

      12288:XTEYAsROAsrt/uxduo1jB0Y96qlBBScaepDkNDFTK/6AHR2MZ/Rev0HMpHqEc:XwT7rC6qpScJpMuSCR1ZevuEqE

    Score
    10/10
    eternitydiscoveryevasionexecutionpersistencespywarestealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detects Eternity stealer

      stealer

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

      eternity

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

7
T1012

Software Discovery

1
T1518

System Information Discovery

6
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks