Analysis
- max time kernel: 153s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-06-2022 20:44
Behavioral task: behavioral1
- Sample: forvm.exe
- Resource: win7-20220414-en
General
- Target: forvm.exe
- Size: 37KB
- MD5: 1c34d0c6964ad975af3dd63fa9282e2e
- SHA1: 4b1a295f48590c84880a458bbedeafc1512641ee
- SHA256: dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471
- SHA512: 8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5
Malware Config
Extracted
- family: njrat
- version: im523
- botnet: NEXT
- c2: 109.197.196.135:9991
- mutex: 413491cbe232876548b9b7cd8a1b451d
- reg_key: 413491cbe232876548b9b7cd8a1b451d
- splitter: |'|'|
Extracted
- family: njrat
- version: im523
- botnet: gay
- c2: 2.tcp.eu.ngrok.io:18163
- mutex: 767dc25f03dd681bde2bda93c68cdea8
- reg_key: 767dc25f03dd681bde2bda93c68cdea8
- splitter: |'|'|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
-
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 1760 tmp6A77.tmp.exe
- 1460 dllhost.exe
- 1808 tmpCD5E.tmp.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 4 IoCs
Processes (description, ioc, process):
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe (dllhost.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\767dc25f03dd681bde2bda93c68cdea8.exe (forvm.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\767dc25f03dd681bde2bda93c68cdea8.exe (forvm.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe (dllhost.exe)
Loads dropped DLL 3 IoCs
Processes (pid, process):
- 1776 forvm.exe
- 1760 tmp6A77.tmp.exe
- 1460 dllhost.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\767dc25f03dd681bde2bda93c68cdea8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\forvm.exe\" .." (forvm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\767dc25f03dd681bde2bda93c68cdea8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\forvm.exe\" .." (forvm.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." (dllhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." (dllhost.exe)
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes (description, ioc, process):
- File created: C:\autorun.inf (dllhost.exe)
- File opened for modification: C:\autorun.inf (dllhost.exe)
- File created: D:\autorun.inf (dllhost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 1460 dllhost.exe (64 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 1460 dllhost.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1776 forvm.exe (1 occurrence)
- Token: 33, 1776 forvm.exe (10 occurrences)
- Token: SeIncBasePriorityPrivilege, 1776 forvm.exe (10 occurrences)
- Token: SeDebugPrivilege, 1460 dllhost.exe (1 occurrence)
- Token: 33, 1460 dllhost.exe (7 occurrences)
- Token: SeIncBasePriorityPrivilege, 1460 dllhost.exe (7 occurrences)
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description, pid, process, target process):
- PID 1776 forvm.exe wrote to memory of 828 netsh.exe (4 occurrences)
- PID 1776 forvm.exe wrote to memory of 1760 tmp6A77.tmp.exe (4 occurrences)
- PID 1760 tmp6A77.tmp.exe wrote to memory of 1460 dllhost.exe (4 occurrences)
- PID 1460 dllhost.exe wrote to memory of 1936 netsh.exe (4 occurrences)
- PID 1460 dllhost.exe wrote to memory of 1808 tmpCD5E.tmp.exe (4 occurrences)
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\forvm.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\forvm.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\forvm.exe" "forvm.exe" ENABLE
    - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\tmp6A77.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6A77.tmp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\dllhost.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE
        - Modifies Windows Firewall
      - C:\Users\Admin\AppData\Local\Temp\tmpCD5E.tmp.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpCD5E.tmp.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6A77.tmp.exe
  Filesize: 37KB
  MD5: 73196f394725a9623d84a512cdddf6ce
  SHA1: 4d24d92f70b2cbce52b1b173162b8f504ee7752f
  SHA256: ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
  SHA512: 9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
- C:\Users\Admin\AppData\Local\Temp\tmpCD5E.tmp.exe
  Filesize: 37KB
  MD5: 1c34d0c6964ad975af3dd63fa9282e2e
  SHA1: 4b1a295f48590c84880a458bbedeafc1512641ee
  SHA256: dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471
  SHA512: 8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  Filesize: 37KB
  MD5: 73196f394725a9623d84a512cdddf6ce
  SHA1: 4d24d92f70b2cbce52b1b173162b8f504ee7752f
  SHA256: ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
  SHA512: 9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
- \Users\Admin\AppData\Local\Temp\tmp6A77.tmp.exe
  Filesize: 37KB
  MD5: 73196f394725a9623d84a512cdddf6ce
  SHA1: 4d24d92f70b2cbce52b1b173162b8f504ee7752f
  SHA256: ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
  SHA512: 9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
- \Users\Admin\AppData\Local\Temp\tmpCD5E.tmp.exe
  Filesize: 37KB
  MD5: 1c34d0c6964ad975af3dd63fa9282e2e
  SHA1: 4b1a295f48590c84880a458bbedeafc1512641ee
  SHA256: dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471
  SHA512: 8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5
- \Users\Admin\AppData\Roaming\dllhost.exe
  Filesize: 37KB
  MD5: 73196f394725a9623d84a512cdddf6ce
  SHA1: 4d24d92f70b2cbce52b1b173162b8f504ee7752f
  SHA256: ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
  SHA512: 9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
- memory/828-56-0x0000000000000000-mapping.dmp
- memory/1460-66-0x0000000000000000-mapping.dmp
- memory/1460-71-0x0000000074880000-0x0000000074E2B000-memory.dmp (Filesize: 5.7MB)
- memory/1460-79-0x0000000074880000-0x0000000074E2B000-memory.dmp (Filesize: 5.7MB)
- memory/1760-64-0x0000000074880000-0x0000000074E2B000-memory.dmp (Filesize: 5.7MB)
- memory/1760-70-0x0000000074880000-0x0000000074E2B000-memory.dmp (Filesize: 5.7MB)
- memory/1760-60-0x0000000000000000-mapping.dmp
- memory/1776-54-0x00000000754A1000-0x00000000754A3000-memory.dmp (Filesize: 8KB)
- memory/1776-58-0x0000000074880000-0x0000000074E2B000-memory.dmp (Filesize: 5.7MB)
- memory/1776-55-0x0000000074880000-0x0000000074E2B000-memory.dmp (Filesize: 5.7MB)
- memory/1808-75-0x0000000000000000-mapping.dmp
- memory/1808-80-0x0000000074880000-0x0000000074E2B000-memory.dmp (Filesize: 5.7MB)
- memory/1808-81-0x0000000074880000-0x0000000074E2B000-memory.dmp (Filesize: 5.7MB)
- memory/1936-72-0x0000000000000000-mapping.dmp