| File name: | Update.exe |
| Full analysis: | https://app.any.run/tasks/b5da3bcd-04e5-43e6-99ae-7186a849b003 |
| Verdict: | Malicious activity |
| Threats: | Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. |
| Analysis date: | May 18, 2024, 12:05:11 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5: | 9B6265DA79F48F1807E477B7A5467761 |
| SHA1: | 4D3CF11478E0C0B38A27D7DB0AE238E0F26C8432 |
| SHA256: | 525FE79111EDB90045D5727D3FA33E73DE88D7C89569E536F0430E0EB5C7AC22 |
| SSDEEP: | 196608:gGeFw2WYhlDIRV7Nq8gWP+0m0m8WDo/V1pp2SdX0wE5+Rz:AFw1YA/NbgB0m0KDWGKX0D4Rz |
MALICIOUS
Drops the executable file immediately after the start
- powershell.exe (PID: 1184)
- Update.exe (PID: 1492)
- Update.exe (PID: 3692)
- bound.exe (PID: 4108)
BlankGrabber has been detected
- Update.exe (PID: 1492)
Adds path to the Windows Defender exclusion list
- Update.exe (PID: 3692)
- cmd.exe (PID: 4480)
- cmd.exe (PID: 4524)
Antivirus name has been found in the command line (generic signature)
- cmd.exe (PID: 4500)
- MpCmdRun.exe (PID: 4948)
Windows Defender preferences modified via 'Set-MpPreference'
- cmd.exe (PID: 4500)
SUSPICIOUS
Starts a Microsoft application from unusual location
- Update.exe (PID: 1492)
- Update.exe (PID: 3692)
Process drops legitimate windows executable
- powershell.exe (PID: 1184)
- Update.exe (PID: 1492)
- bound.exe (PID: 4108)
The process drops C-runtime libraries
- Update.exe (PID: 1492)
- bound.exe (PID: 4108)
Process drops python dynamic module
- Update.exe (PID: 1492)
- bound.exe (PID: 4108)
Executable content was dropped or overwritten
- Update.exe (PID: 1492)
- Update.exe (PID: 3692)
- bound.exe (PID: 4108)
Application launched itself
- Update.exe (PID: 1492)
- bound.exe (PID: 4108)
Starts CMD.EXE for commands execution
- Update.exe (PID: 3692)
Loads Python modules
- Update.exe (PID: 3692)
- bound.exe (PID: 3688)
Script disables Windows Defender's real-time protection
- cmd.exe (PID: 4500)
Script adds exclusion path to Windows Defender
- cmd.exe (PID: 4480)
- cmd.exe (PID: 4524)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 4480)
- cmd.exe (PID: 4524)
- cmd.exe (PID: 4500)
Script disables Windows Defender's IPS
- cmd.exe (PID: 4500)
Get information on the list of running processes
- Update.exe (PID: 3692)
- cmd.exe (PID: 2128)
The executable file from the user directory is run by the CMD process
- bound.exe (PID: 4108)
Found strings related to reading or modifying Windows Defender settings
- Update.exe (PID: 3692)
INFO
Reads the computer name
- Update.exe (PID: 1492)
- Update.exe (PID: 3692)
- bound.exe (PID: 4108)
- bound.exe (PID: 3688)
- MpCmdRun.exe (PID: 4948)
The executable file from the user directory is run by the Powershell process
- Update.exe (PID: 1492)
Checks supported languages
- Update.exe (PID: 1492)
- Update.exe (PID: 3692)
- bound.exe (PID: 4108)
- bound.exe (PID: 3688)
- MpCmdRun.exe (PID: 4948)
Create files in a temporary directory
- Update.exe (PID: 1492)
- Update.exe (PID: 3692)
- bound.exe (PID: 4108)
- MpCmdRun.exe (PID: 4948)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 780)
- powershell.exe (PID: 2288)
- powershell.exe (PID: 3396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:05:18 09:25:42+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.38 |
| CodeSize: | 176128 |
| InitializedDataSize: | 148480 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc540 |
| OSVersion: | 5.2 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 7.0.19041.4355 |
| ProductVersionNumber: | 7.0.19041.4355 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft Windows Search Protocol Host |
| FileVersion: | 7.0.19041.4355 (WinBuild.160101.0800) |
| InternalName: | SearchProtocolHost.exe |
| LegalCopyright: | © Microsoft Corporation. All rights reserved. |
| OriginalFileName: | SearchProtocolHost.exe |
| ProductName: | Windows® Search |
| ProductVersion: | 7.0.19041.4355 |
Total processes
132
Monitored processes
22
Malicious processes
6
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 780 | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\bound.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1184 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\AppData\Local\Temp\Update.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1228 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1440 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
| |||||||||||||||
| 1492 | "C:\Users\admin\AppData\Local\Temp\Update.exe" | C:\Users\admin\AppData\Local\Temp\Update.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.0.19041.4355 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1944 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2128 | C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST" | C:\Windows\System32\cmd.exe | — | Update.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2288 | powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3196 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3396 | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\Update.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
29 862
Read events
29 854
Write events
8
Delete events
0
Modification events
| (PID) Process: | (1184) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1184) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1184) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1184) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
178
Suspicious files
8
Text files
19
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1184 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DZZUSDMASNMVIV8357H0.temp | — | |
MD5:— | SHA256:— | |||
| 1184 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eqykpe1l.vrr.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1184 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:6CCFDC84BFE0B38FC21CBA4456146D2D | SHA256:FF6BF17419CE6E48AB9825E23BDE4BEC19058501DEC214CF7C316F72036FA96C | |||
| 1184 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wje55wfb.1me.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1492 | Update.exe | C:\Users\admin\AppData\Local\Temp\_MEI14922\_ctypes.pyd | executable | |
MD5:A8CB7698A8282DEFD6143536ED821EC9 | SHA256:40D53A382A78B305064A4F4DF50543D2227679313030C9EDF5EE82AF23BF8F4A | |||
| 1184 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1164b2.TMP | binary | |
MD5:D040F64E9E7A2BB91ABCA5613424598E | SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 | |||
| 1492 | Update.exe | C:\Users\admin\AppData\Local\Temp\_MEI14922\_queue.pyd | executable | |
MD5:FC796FCDE996F78225A4EC1BED603606 | SHA256:C7C598121B1D82EB710425C0DC1FC0598545A61FFB1DD41931BB9368FB350B93 | |||
| 1492 | Update.exe | C:\Users\admin\AppData\Local\Temp\_MEI14922\_socket.pyd | executable | |
MD5:F8D03997E7EFCDD28A351B6F35B429A2 | SHA256:AEF190652D8466C0455311F320248764ACBFF6109D1238A26F8983CE86483BF1 | |||
| 1492 | Update.exe | C:\Users\admin\AppData\Local\Temp\_MEI14922\_ssl.pyd | executable | |
MD5:615BFC3800CF4080BC6D52AC091EC925 | SHA256:1819DD90E26AA49EB40119B6442E0E60EC95D3025E9C863778DCC6295A2B561F | |||
| 1492 | Update.exe | C:\Users\admin\AppData\Local\Temp\_MEI14922\_sqlite3.pyd | executable | |
MD5:3D85E2AA598468D9449689A89816395E | SHA256:6F0C212CB7863099A7CE566A5CF83880D91E38A164DD7F9D05D83CCE80FA1083 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
18
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | — | null:443 | https://blank-4md9q.in/ | unknown | — | — | — |
— | — | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
— | — | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
2908 | OfficeClickToRun.exe | POST | 200 | 20.189.173.9:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
5140 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
— | — | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
— | — | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3692 | Update.exe | 49.13.77.253:443 | blank-4md9q.in | Hetzner Online GmbH | DE | unknown |
5456 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2908 | OfficeClickToRun.exe | 104.208.16.88:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
blank-4md9q.in |
| unknown |
self.events.data.microsoft.com |
| whitelisted |