GRW[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

GRW.exe
Size

346.0MB
MD5

102101e380efa5a6d05733a99c9f9e91
SHA1

8e689adeeb648d5f750d9c49d4e180e9239effd2
SHA256

e244b7f2d3ebe058ce115c94b7b5260001ff0f2f37af7323814df1577aa70710
SHA512

31266902a5b7bebc059b7206bd079558b24f5d0129c7e6c8accf839159cf24aa7e2f77e82bfa86e9acd45916562acc859abd06c74597c6f7bda56d0aa34a0864
SSDEEP

3145728:XJHqOUd3L4b+ZIlGYa5kixfTpJe24xudDE:Fa3k4IljAraxudDE

Score

1^/10

Malware Config

Signatures

Files

GRW.exe
.exe windows:6 windows x64 arch:x64

60d0e2202378b67b024256a107bb8c50

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:1b:6a:07:26:d2:e8:3f:26:02:d4:82:5a:cd
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

15/06/2016, 00:00

Not After

15/06/2024, 00:00

Subject

CN=GlobalSign CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

7f:91:17:af:f8:17:55:29:ec:4a:25:11
Certificate

Issuer

CN=GlobalSign CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Not Before

23/01/2017, 10:53

Not After

10/04/2020, 16:37

Subject

CN=Blue Byte GmbH,OU=IT,O=Blue Byte GmbH,L=Düsseldorf,ST=Nordrhein-Westfalen,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

48:f1:90:5a:f6:49:ba:0a:c3:39:ae:e6:5a:4d:e3:6a:78:cd:bd:cb:29:dc:65:89:fd:8c:c4:9e:09:39:79:9f
Signer

Actual PE Digest

48:f1:90:5a:f6:49:ba:0a:c3:39:ae:e6:5a:4d:e3:6a:78:cd:bd:cb:29:dc:65:89:fd:8c:c4:9e:09:39:79:9f

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

GRW.pdb

Imports

advapi32

CryptAcquireContextA
CryptAcquireContextW
CryptDecrypt
CryptDestroyKey
CryptEncrypt
CryptGenKey
CryptGenRandom
CryptReleaseContext
DeregisterEventSource
GetUserNameA
GetUserNameW
RegCloseKey
RegEnumValueA
RegGetValueA
RegOpenKeyExA
RegQueryValueExA
RegisterEventSourceW
ReportEventW

anselsdk64

setConfiguration
updateCamera
isAnselAvailable

bink2w64

BinkClose
BinkDoFrame
BinkDoFrameAsyncWait
BinkGetFrameBuffersInfo
BinkGoto
BinkNextFrame
BinkOpen
BinkPause
BinkRegisterFrameBuffers
BinkSetMemory
BinkSetSoundTrack
BinkSetSpeakerVolumes
BinkSetVolume
BinkShouldSkip
BinkStartAsyncThread
BinkWait

crypt32

CertEnumCertificatesInStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CertOpenStore
CryptAcquireCertificatePrivateKey
CertCloseStore

gdi32

ChoosePixelFormat
CreateCompatibleDC
CreateDIBSection
DeleteDC
DeleteObject
GetObjectA
SelectObject
SetPixelFormat

gfsdk_turfeffects.win64

GFSDK_TurfEffects_Create

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AddVectoredExceptionHandler
AreFileApisANSI
CancelIo
CancelIoEx
CloseHandle
CopyFileW
CreateDirectoryA
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileW
CreateMutexA
CreateMutexW
CreatePipe
CreateProcessA
CreateProcessW
CreateSemaphoreA
CreateSemaphoreW
CreateThread
CreateTimerQueue
DebugBreak
DecodePointer
DeleteCriticalSection
DeleteFileA
DeleteFileW
DeviceIoControl
DuplicateHandle
EncodePointer
EnterCriticalSection
EnumSystemLocalesW
ExitProcess
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileExW
FindFirstFileW
FindNextFileW
FindResourceA
FlushConsoleInputBuffer
FlushFileBuffers
FormatMessageA
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineW
GetComputerNameA
GetComputerNameExA
GetConsoleCP
GetConsoleMode
GetCurrentDirectoryA
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentProcessorNumber
GetCurrentThread
GetCurrentThreadId
GetDiskFreeSpaceA
GetDiskFreeSpaceW
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableA
GetExitCodeThread
GetFileAttributesA
GetFileAttributesW
GetFileSize
GetFileSizeEx
GetFileTime
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocalTime
GetLocaleInfoA
GetLocaleInfoEx
GetLocaleInfoW
GetLogicalDriveStringsA
GetLogicalDriveStringsW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExA
GetModuleHandleW
GetOverlappedResult
GetPrivateProfileIntW
GetPrivateProfileSectionNamesW
GetPrivateProfileStringW
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetProcessTimes
GetStdHandle
GetStringTypeW
GetSystemDirectoryW
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTempPathA
GetTempPathW
GetThreadContext
GetTickCount
GetTickCount64
GetTimeZoneInformation
GetUserDefaultLCID
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
GlobalLock
GlobalMemoryStatus
GlobalMemoryStatusEx
GlobalUnlock
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
InitializeSRWLock
InterlockedFlushSList
InterlockedPopEntrySList
InterlockedPushEntrySList
IsDebuggerPresent
IsValidCodePage
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LoadResource
LocalAlloc
LocalFree
LockFile
LockFileEx
LockResource
MoveFileExW
MultiByteToWideChar
OpenMutexA
OpenThread
OutputDebugStringA
OutputDebugStringW
QueryPerformanceCounter
QueryPerformanceFrequency
QueueUserAPC
RaiseException
ReadConsoleInputA
ReadDirectoryChangesW
ReadFile
ReleaseMutex
ReleaseSRWLockExclusive
ReleaseSRWLockShared
ReleaseSemaphore
RemoveDirectoryW
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetConsoleMode
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableA
SetErrorMode
SetEvent
SetFileAttributesW
SetFilePointer
SetFilePointerEx
SetHandleInformation
SetLastError
SetProcessAffinityMask
SetThreadAffinityMask
SetThreadIdealProcessor
SetThreadPriority
SetThreadPriorityBoost
SetUnhandledExceptionFilter
SizeofResource
Sleep
SleepEx
SuspendThread
SwitchToThread
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryAcquireSRWLockExclusive
TryEnterCriticalSection
UnlockFile
UnregisterWaitEx
VerSetConditionMask
VerifyVersionInfoA
VerifyVersionInfoW
VirtualAlloc
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForMultipleObjectsEx
WaitForSingleObject
WaitForSingleObjectEx
WideCharToMultiByte
WriteFile
WritePrivateProfileStringW
lstrcatW
lstrcmpW
lstrlenA
lstrlenW

ole32

CoCreateGuid
CoCreateInstance
CoInitialize
CoInitializeEx
CoSetProxyBlanket
CoTaskMemAlloc
CoTaskMemFree
CoUninitialize
CreateStreamOnHGlobal
PropVariantClear

oleaut32

SysFreeString
VariantInit
VariantClear
SysAllocString

opengl32

glGetString
wglCreateContext
wglDeleteContext
wglMakeCurrent

rpcrt4

UuidCreateSequential

setupapi

SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsExA
SetupDiGetClassDevsW
SetupDiGetDeviceInstanceIdA
SetupDiGetDeviceInstanceIdW
SetupDiGetDeviceInterfaceDetailW
SetupDiOpenDevRegKey

shell32

SHCreateDirectoryExW
SHGetKnownFolderPath
SHGetSpecialFolderPathW
ShellExecuteA
CommandLineToArgvW

stream_engine

tobii_context_create
tobii_enumerate_local_device_urls
tobii_gaze_point_subscribe
tobii_head_pose_subscribe
tobii_initialize
tobii_process_callbacks
tobii_reconnect
tobii_system_clock
tobii_terminate
tobii_update_timesync

tobii.eyex.client

txCommitSnapshotAsync
txCreateActivatableBehavior
txCreateContext
txCreateFixationDataBehavior
txCreateGazePointDataBehavior
txCreateGlobalInteractorSnapshot
txCreateRectangularInteractor
txCreateSnapshotForQuery
txDisableConnection
txEnableConnection
txFormatObjectAsText
txGetActivatableEventType
txGetAsyncDataContent
txGetEventBehavior
txGetFixationDataEventParams
txGetGazePointDataEventParams
txGetQueryBounds
txGetQueryWindowId
txGetQueryWindowIdCount
txGetRectangularBoundsData
txGetStateAsync
txGetStateValueAsInteger
txGetStateValueAsRectangle
txGetStateValueAsSize2
txGetStateValueAsString
txInitializeEyeX
txRegisterConnectionStateChangedHandler
txRegisterEventHandler
txRegisterQueryHandler
txRegisterStateChangedHandler
txReleaseContext
txReleaseObject
txShutdownContext
txUninitializeEyeX
txUnregisterConnectionStateChangedHandler
txUnregisterEventHandler
txUnregisterQueryHandler
txUnregisterStateChangedHandler

user32

AdjustWindowRect
CallNextHookEx
CallWindowProcW
ClientToScreen
ClipCursor
CreateWindowExA
CreateWindowExW
DefWindowProcA
DefWindowProcW
DestroyWindow
DispatchMessageA
DisplayConfigGetDeviceInfo
EnumChildWindows
EnumDisplayDevicesA
GetActiveWindow
GetAsyncKeyState
GetClientRect
GetCursorPos
GetDC
GetDesktopWindow
GetDisplayConfigBufferSizes
GetDlgItem
GetForegroundWindow
GetKeyboardLayout
GetMonitorInfoA
GetProcessWindowStation
GetRawInputDeviceInfoA
GetRawInputDeviceList
GetSystemMetrics
GetUserObjectInformationW
GetWindowInfo
GetWindowRect
GetWindowTextA
GetWindowThreadProcessId
IsIconic
IsWindow
IsWindowVisible
LoadCursorA
LoadIconA
LoadImageA
LoadStringA
MapVirtualKeyExA
MessageBoxA
MessageBoxW
MonitorFromPoint
MonitorFromWindow
MsgWaitForMultipleObjects
PeekMessageA
PostMessageA
PostQuitMessage
PostThreadMessageA
QueryDisplayConfig
RegisterClassA
RegisterClassExW
RegisterDeviceNotificationA
RegisterDeviceNotificationW
ReleaseDC
ScreenToClient
SendMessageW
SetCursor
SetDlgItemTextW
SetRect
SetTimer
SetWindowLongA
SetWindowLongPtrW
SetWindowPos
SetWindowTextA
SetWindowsHookExA
ShowCursor
ShowWindow
SystemParametersInfoA
TranslateMessage
UnhookWindowsHookEx
UnregisterClassA
UnregisterDeviceNotification
UpdateLayeredWindow
UpdateWindow
WindowFromPoint

winmm

timeGetTime

ws2_32

accept
ioctlsocket
inet_addr
WSAGetLastError
WSASetLastError
WSAStartup
WSACleanup
inet_ntoa
listen
ntohl
ntohs
recv
recvfrom
select
send
bind
sendto
setsockopt
shutdown
socket
closesocket
connect
getpeername
gethostbyname
gethostname
getsockname
getsockopt
htonl
htons
WSAGetOverlappedResult
WSAIoctl
WSARecvFrom
WSAResetEvent
WSASendTo
WSASocketA
WSASocketW
WSAStringToAddressA
WSAWaitForMultipleEvents
freeaddrinfo
getaddrinfo
getnameinfo
inet_pton

Exports

Exports

??0GraphicLibFacade@scimitar@@QEAA@AEBV01@@Z
??0GraphicLibFacade@scimitar@@QEAA@XZ
??1GraphicLibFacade@scimitar@@UEAA@XZ
??4GraphicLibFacade@scimitar@@QEAAAEAV01@AEBV01@@Z
??_7GraphicLibFacade@scimitar@@6B@
AmdPowerXpressRequestHighPerformance
G4_GetBP
G4_GetNonVolatileRegisters
G4_GetSP
G4_ResetECX
G4_RestoreNonVolatileRegisters
GetDataBufferSize
InitBufferSynchro
InstantiateGraphicLibFacade
NvOptimusEnablement
ReadData
WriteData

Sections

.edata
Size: 54.2MB - Virtual size: 54.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sdata
Size: 8.4MB - Virtual size: 8.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xtext
Size: 10.5MB - Virtual size: 13.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3.6MB - Virtual size: 3.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.sbss
Size: 128KB - Virtual size: 260KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.xpdata
Size: 6KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.srdata
Size: 268.6MB - Virtual size: 268.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.code
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xcode
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.link
Size: 512B - Virtual size: 97B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 541KB - Virtual size: 540KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

60d0e2202378b67b024256a107bb8c50

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

48:1b:6a:07:26:d2:e8:3f:26:02:d4:82:5a:cdCertificate

Extended Key Usages

Key Usages

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14Certificate

Extended Key Usages

Key Usages

7f:91:17:af:f8:17:55:29:ec:4a:25:11Certificate

Extended Key Usages

Key Usages

48:f1:90:5a:f6:49:ba:0a:c3:39:ae:e6:5a:4d:e3:6a:78:cd:bd:cb:29:dc:65:89:fd:8c:c4:9e:09:39:79:9fSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

anselsdk64

bink2w64

crypt32

gdi32

gfsdk_turfeffects.win64

kernel32

ole32

oleaut32

opengl32

rpcrt4

setupapi

shell32

stream_engine

tobii.eyex.client

user32

winmm

ws2_32

Exports

Exports

Sections

.edata Size: 54.2MB - Virtual size: 54.2MB

.sdata Size: 8.4MB - Virtual size: 8.4MB

.xtext Size: 10.5MB - Virtual size: 13.2MB

.pdata Size: 3.6MB - Virtual size: 3.6MB

.sbss Size: 128KB - Virtual size: 260KB

.bss Size: 512B - Virtual size: 4KB

.xpdata Size: 6KB - Virtual size: 8KB

.reloc Size: 512B - Virtual size: 4KB

.srdata Size: 268.6MB - Virtual size: 268.6MB

.code Size: 32KB - Virtual size: 32KB

.xcode Size: 4KB - Virtual size: 4KB

.link Size: 512B - Virtual size: 97B

.data Size: 18KB - Virtual size: 18KB

.xdata Size: 541KB - Virtual size: 540KB

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

48:1b:6a:07:26:d2:e8:3f:26:02:d4:82:5a:cd
Certificate

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

7f:91:17:af:f8:17:55:29:ec:4a:25:11
Certificate

48:f1:90:5a:f6:49:ba:0a:c3:39:ae:e6:5a:4d:e3:6a:78:cd:bd:cb:29:dc:65:89:fd:8c:c4:9e:09:39:79:9f
Signer

.edata
Size: 54.2MB - Virtual size: 54.2MB

.sdata
Size: 8.4MB - Virtual size: 8.4MB

.xtext
Size: 10.5MB - Virtual size: 13.2MB

.pdata
Size: 3.6MB - Virtual size: 3.6MB

.sbss
Size: 128KB - Virtual size: 260KB

.bss
Size: 512B - Virtual size: 4KB

.xpdata
Size: 6KB - Virtual size: 8KB

.reloc
Size: 512B - Virtual size: 4KB

.srdata
Size: 268.6MB - Virtual size: 268.6MB

.code
Size: 32KB - Virtual size: 32KB

.xcode
Size: 4KB - Virtual size: 4KB

.link
Size: 512B - Virtual size: 97B

.data
Size: 18KB - Virtual size: 18KB

.xdata
Size: 541KB - Virtual size: 540KB