Overview

overview

10

Static

static

10

forvm.exe

windows7_x64

10

forvm.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    18-06-2022 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    forvm.exe

  • Size

    37KB

  • MD5

    1c34d0c6964ad975af3dd63fa9282e2e

  • SHA1

    4b1a295f48590c84880a458bbedeafc1512641ee

  • SHA256

    dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471

  • SHA512

    8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5

Score
10/10
njratgaynextevasionpersistencesuricatatrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

NEXT

C2

109.197.196.135:9991

Mutex

413491cbe232876548b9b7cd8a1b451d

Attributes
  • reg_key

    413491cbe232876548b9b7cd8a1b451d

  • splitter

    |'|'|

Extracted

Family

njrat

Version

im523

Botnet

gay

C2

2.tcp.eu.ngrok.io:18163

Mutex

767dc25f03dd681bde2bda93c68cdea8

Attributes
  • reg_key

    767dc25f03dd681bde2bda93c68cdea8

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

    suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

    suricata
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Drops startup file 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\forvm.exe
    "C:\Users\Admin\AppData\Local\Temp\forvm.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\forvm.exe" "forvm.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:828
    • C:\Users\Admin\AppData\Local\Temp\tmp6A77.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp6A77.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Users\Admin\AppData\Roaming\dllhost.exe
        "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops autorun.inf file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:1936
        • C:\Users\Admin\AppData\Local\Temp\tmpCD5E.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmpCD5E.tmp.exe"
          4⤵
          • Executes dropped EXE
          PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6A77.tmp.exe
    Filesize

    37KB

    MD5

    73196f394725a9623d84a512cdddf6ce

    SHA1

    4d24d92f70b2cbce52b1b173162b8f504ee7752f

    SHA256

    ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

    SHA512

    9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp6A77.tmp.exe
    Filesize

    37KB

    MD5

    73196f394725a9623d84a512cdddf6ce

    SHA1

    4d24d92f70b2cbce52b1b173162b8f504ee7752f

    SHA256

    ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

    SHA512

    9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpCD5E.tmp.exe
    Filesize

    37KB

    MD5

    1c34d0c6964ad975af3dd63fa9282e2e

    SHA1

    4b1a295f48590c84880a458bbedeafc1512641ee

    SHA256

    dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471

    SHA512

    8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpCD5E.tmp.exe
    Filesize

    37KB

    MD5

    1c34d0c6964ad975af3dd63fa9282e2e

    SHA1

    4b1a295f48590c84880a458bbedeafc1512641ee

    SHA256

    dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471

    SHA512

    8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\dllhost.exe
    Filesize

    37KB

    MD5

    73196f394725a9623d84a512cdddf6ce

    SHA1

    4d24d92f70b2cbce52b1b173162b8f504ee7752f

    SHA256

    ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

    SHA512

    9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\dllhost.exe
    Filesize

    37KB

    MD5

    73196f394725a9623d84a512cdddf6ce

    SHA1

    4d24d92f70b2cbce52b1b173162b8f504ee7752f

    SHA256

    ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

    SHA512

    9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp6A77.tmp.exe
    Filesize

    37KB

    MD5

    73196f394725a9623d84a512cdddf6ce

    SHA1

    4d24d92f70b2cbce52b1b173162b8f504ee7752f

    SHA256

    ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

    SHA512

    9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmpCD5E.tmp.exe
    Filesize

    37KB

    MD5

    1c34d0c6964ad975af3dd63fa9282e2e

    SHA1

    4b1a295f48590c84880a458bbedeafc1512641ee

    SHA256

    dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471

    SHA512

    8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5

    Download Submit
  • \Users\Admin\AppData\Roaming\dllhost.exe
    Filesize

    37KB

    MD5

    73196f394725a9623d84a512cdddf6ce

    SHA1

    4d24d92f70b2cbce52b1b173162b8f504ee7752f

    SHA256

    ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

    SHA512

    9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

    Download Submit
  • memory/828-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1460-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1460-71-0x0000000074880000-0x0000000074E2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1460-79-0x0000000074880000-0x0000000074E2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1760-64-0x0000000074880000-0x0000000074E2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1760-70-0x0000000074880000-0x0000000074E2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1760-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-54-0x00000000754A1000-0x00000000754A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1776-58-0x0000000074880000-0x0000000074E2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1776-55-0x0000000074880000-0x0000000074E2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1808-75-0x0000000000000000-mapping.dmp
    Download
  • memory/1808-80-0x0000000074880000-0x0000000074E2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1808-81-0x0000000074880000-0x0000000074E2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1936-72-0x0000000000000000-mapping.dmp
    Download