Analysis
- max time kernel: 1800s
- max time network: 1813s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 28-10-2021 16:35
Static task
- static1
Behavioral tasks
- behavioral1: Sample forcenitro2.7.exe, Resource win7-ja-20211014
- behavioral2: Sample forcenitro2.7.exe, Resource win7-en-20210920
- behavioral3: Sample forcenitro2.7.exe, Resource win7-de-20211014
- behavioral4: Sample forcenitro2.7.exe, Resource win11
- behavioral5: Sample forcenitro2.7.exe, Resource win10-ja-20211014
- behavioral6: Sample forcenitro2.7.exe, Resource win10-en-20210920
- behavioral7: Sample forcenitro2.7.exe, Resource win10-de-20210920
General
- Target: forcenitro2.7.exe
- Size: 123.3MB
- MD5: 3fc886fc28c6d6973ed8a54da490153e
- SHA1: 89173cdbbc18d8af60f0c35b471c7fb850e81420
- SHA256: 0137f1a746d2a74f35d557bafb233dc8cdcb602731d4de0f7e083fb12e0d80d5
- SHA512: d939a5075dfce9f7e229f2377236e49b94fad584b7979cdc6799ad200a78f9ff971556ac6f873aacedf95ea2337a6ca4216222c34f9c30f575be5892c43110d2
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1652  forcenitro2.7.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process            target process
    PID 1380 wrote to memory of 1652   1380  forcenitro2.7.exe  forcenitro2.7.exe
    PID 1380 wrote to memory of 1652   1380  forcenitro2.7.exe  forcenitro2.7.exe
    PID 1380 wrote to memory of 1652   1380  forcenitro2.7.exe  forcenitro2.7.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\forcenitro2.7.exe
      "C:\Users\Admin\AppData\Local\Temp\forcenitro2.7.exe"
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\AppData\Local\Temp\forcenitro2.7.exe
        "C:\Users\Admin\AppData\Local\Temp\forcenitro2.7.exe"
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI13802\python39.dll
  MD5: 1d5e4c20a20740f38f061bdf48aaca4f
  SHA1: de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0
  SHA256: f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366
  SHA512: 9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397
- \Users\Admin\AppData\Local\Temp\_MEI13802\python39.dll
  MD5: 1d5e4c20a20740f38f061bdf48aaca4f
  SHA1: de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0
  SHA256: f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366
  SHA512: 9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397
- memory/1652-54-0x0000000000000000-mapping.dmp