Play Ransomware Masquerades as SentinelOne in Grixba Recon Campaign
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The report outlines a Play ransomware operation that relies on a custom .NET reconnaissance utility named Grixba, deployed over RDP to a Windows server. Grixba masquerades as a SentinelOne executable (GT_NET.exe) and stores scan output in ExportData.db. The tool talks to a PIA VPN IP address and generates a password-protected data.zip archive. Early identification of these artifacts can halt the attack before the ransomware phase.
Play Ransomware Attack Analysis
Field Effect MDR observed the Grixba binary dropped in C:\Users\Public\Music together with data.dat, followed by the execution of GT_NET.exe and extraction of the XOR key to decode inf_g.dll. Further analysis exposed command-line switches for reconnaissance and the creation of ExportData.db, holding extensive system details. Investigators also recovered the hard-coded password element required to unlock data.zip.
Mitigation
Recommended measures include maintaining reliable backups, promptly patching software, using DNS firewalls, enforcing secure VPN usage, applying MFA, and leveraging MDR/XDR platforms to catch reconnaissance activity early. Teams should continuously watch for the distinct artifacts and execution behaviors tied to Grixba.
Response
When GT_NET.exe, data.dat, inf_g.dll, or ExportData.db are detected, responders should quarantine the endpoint, capture volatile evidence, derive the ZIP password from the embedded value, and probe for lateral movement or ransomware staging. Incident handlers should also block the related IP address and closely review RDP access logs.
Attack Flow
Detections
- Detect Execution of Grixba Recon Tool with Specific Command Line Arguments [Windows Process Creation]
- Detect Grixba Recon Tool Dropped via RDP [Windows File Event]
- IOCs (DestinationIP) to detect: Grixba’s disguise: Play Ransomware impersonates SentinelOne for stealth recon
- IOCs (SourceIP) to detect: Grixba’s disguise: Play Ransomware impersonates SentinelOne for stealth recon
- IOCs (HashSha256) to detect: Grixba’s disguise: Play Ransomware impersonates SentinelOne for stealth recon
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
The adversary has gained an initial foothold on a compromised workstation. To map the internal network before lateral movement, they download the Grixba reconnaissance binary (GT_NET.exe) from the command-and-control server and execute it with the argument set that the Sigma rule targets. The argument set -m:scanall -i:d forces a full discovery of domain-joined hosts, while -i:r and -i:f enumerate remote shares and file shares, respectively. These arguments are typical of the tool's default payload and produce distinct command-line strings that the detection rule watches for.
Steps:
- Download the tool (simulated with a copy from a test folder).
- Execute the binary with each targeted argument set to ensure the rule fires for each case.
- Leave the process running briefly to allow the SIEM to capture the event.
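The following matcher is an added example written for this page; it is not Field Effect's rule logic and not code from the original report. It shows how the two behavioural detections listed above (Grixba execution with the recon switches, and Grixba artifacts being written to C:\Users\Public\Music) can be expressed as simple matching over process-creation and file-event telemetry, and runs them over a handful of constructed sample records. Field names (EventType, Image, CommandLine, TargetFilename) are assumed Sysmon-style names; the RDP-delivery condition of the file-event rule is not modelled here, and the argument switches are the ones named in the narrative.

```python
"""Added example: Sigma-style matching for the Grixba behaviours described
on this page. Not the page's or Field Effect's own detection code."""
import re

# Indicators taken from the write-up: the masqueraded binary name, the drop
# directory, the companion files, and the reconnaissance switches.
GRIXBA_IMAGE = "gt_net.exe"
GRIXBA_DROP_DIR = r"c:\users\public\music"
GRIXBA_ARTIFACTS = {"gt_net.exe", "data.dat", "inf_g.dll", "exportdata.db"}

# Whole-switch, case-insensitive patterns. The whitespace boundaries stop
# "-i:d" from matching an unrelated switch such as "-i:dx".
ARG_PATTERNS = [
    re.compile(r"(?<!\S)-m:scanall(?!\S)", re.I),
    re.compile(r"(?<!\S)-i:[drf](?!\S)", re.I),
]


def image_name(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_process_creation(event):
    """True when GT_NET.exe is launched with one of the Grixba recon switches."""
    if image_name(event.get("Image", "")) != GRIXBA_IMAGE:
        return False
    cmd = event.get("CommandLine", "")
    return any(p.search(cmd) for p in ARG_PATTERNS)


def match_file_drop(event):
    """True when a known Grixba artifact is written to the public Music folder."""
    target = event.get("TargetFilename", "").replace("/", "\\").lower()
    directory, _, name = target.rpartition("\\")
    return directory == GRIXBA_DROP_DIR and name in GRIXBA_ARTIFACTS


def scan(events):
    """Run both rules over a list of event dicts; returns (rule name, event) hits."""
    hits = []
    for ev in events:
        if ev.get("EventType") == "ProcessCreate" and match_process_creation(ev):
            hits.append(("Grixba recon execution", ev))
        elif ev.get("EventType") == "FileCreate" and match_file_drop(ev):
            hits.append(("Grixba tool dropped", ev))
    return hits


# Constructed sample telemetry (assumed Sysmon-style field names), not real logs.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\Public\Music\GT_NET.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\Public\Music\data.dat"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\Music\GT_NET.exe",
     "CommandLine": r'"C:\Users\Public\Music\GT_NET.exe" -m:scanall -i:d'},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\Music\GT_NET.exe",
     "CommandLine": r'"C:\Users\Public\Music\GT_NET.exe" -i:r'},
    # Benign noise and near-misses that must not fire.
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\Public\Music\song.mp3"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\Music\GT_NET.exe",
     "CommandLine": r'"C:\Users\Public\Music\GT_NET.exe" -i:dx'},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Temp\GT_NET.exe"},
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {ev.get('TargetFilename') or ev.get('CommandLine')}")
```

Against the constructed sample the two file writes and the two recon launches fire, while the benign process, the unrelated Music file, the "-i:dx" near-miss and the copy outside the drop directory stay silent. The regression script below exercises the same three argument sets, so its process-creation events are exactly the records the first rule here expects to see.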
Regression Test Script:
# Regression Test Script – Grixba Recon Tool Execution
# ----------------------------------------------------
# Assumptions:
#   • GT_NET.exe is located in C:\Temp\GT_NET.exe (replace with actual path)
#   • Running with sufficient privileges to invoke the binary
# ----------------------------------------------------
$exePath = "C:\Temp\GT_NET.exe"
if (-Not (Test-Path $exePath)) {
    Write-Error "GT_NET.exe not found at $exePath. Abort."
    exit 1
}

# 1. Execute with -m:scanall -i:d
Write-Host "`n[+] Launching GT_NET.exe with '-m:scanall -i:d' ..."
Start-Process -FilePath $exePath -ArgumentList "-m:scanall -i:d" -WindowStyle Hidden -PassThru | Out-Null
Start-Sleep -Seconds 5

# 2. Execute with -i:r
Write-Host "`n[+] Launching GT_NET.exe with '-i:r' ..."
Start-Process -FilePath $exePath -ArgumentList "-i:r" -WindowStyle Hidden -PassThru | Out-Null
Start-Sleep -Seconds 5

# 3. Execute with -i:f
Write-Host "`n[+] Launching GT_NET.exe with '-i:f' ..."
Start-Process -FilePath $exePath -ArgumentList "-i:f" -WindowStyle Hidden -PassThru | Out-Null
Start-Sleep -Seconds 5

Write-Host "`n[+] Execution complete. Verify detection in SIEM."
Cleanup Commands:
# Cleanup – terminate any lingering GT_NET.exe processes and remove the binary
Get-Process -Name "GT_NET" -ErrorAction SilentlyContinue | Stop-Process -Force
$exePath = "C:\Temp\GT_NET.exe"
if (Test-Path $exePath) {
    Remove-Item $exePath -Force
    Write-Host "[+] GT_NET.exe removed."
} else {
    Write-Host "[*] GT_NET.exe not present; nothing to delete."
}