Analysis
- max time kernel: 153s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-06-2022 20:44

Behavioral task: behavioral1
- Sample: forvm.exe
- Resource: win7-20220414-en

General
- Target: forvm.exe
- Size: 37KB
- MD5: 1c34d0c6964ad975af3dd63fa9282e2e
- SHA1: 4b1a295f48590c84880a458bbedeafc1512641ee
- SHA256: dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471
- SHA512: 8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5
Malware Config

Extracted: njrat
- im523
- NEXT
- 109.197.196.135:9991
- 413491cbe232876548b9b7cd8a1b451d
- reg_key: 413491cbe232876548b9b7cd8a1b451d
- splitter: |'|'|

Extracted: njrat
- im523
- gay
- 2.tcp.eu.ngrok.io:18163
- 767dc25f03dd681bde2bda93c68cdea8
- reg_key: 767dc25f03dd681bde2bda93c68cdea8
- splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 524 tmpDC8A.tmp.exe
- 5008 dllhost.exe
- 4904 tmp4249.tmp.exe

Modifies Windows Firewall (1 TTPs, 2 IoCs)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (tmpDC8A.tmp.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (dllhost.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (forvm.exe)
Drops startup file (4 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\767dc25f03dd681bde2bda93c68cdea8.exe (forvm.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\767dc25f03dd681bde2bda93c68cdea8.exe (forvm.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe (dllhost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe (dllhost.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\767dc25f03dd681bde2bda93c68cdea8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\forvm.exe\" .." (forvm.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." (dllhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." (dllhost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\767dc25f03dd681bde2bda93c68cdea8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\forvm.exe\" .." (forvm.exe)
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes (description, ioc, process):
- File created: C:\autorun.inf (dllhost.exe)
- File opened for modification: C:\autorun.inf (dllhost.exe)
- File created: D:\autorun.inf (dllhost.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 5008 dllhost.exe (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- 5008 dllhost.exe
Suspicious use of AdjustPrivilegeToken (62 IoCs)
Processes (description, pid, process); the distinct tokens observed, each requested repeatedly across the 62 entries:
- Token: SeDebugPrivilege, 3124 forvm.exe
- Token: 33, 3124 forvm.exe
- Token: SeIncBasePriorityPrivilege, 3124 forvm.exe
- Token: SeDebugPrivilege, 5008 dllhost.exe
- Token: 33, 5008 dllhost.exe
- Token: SeIncBasePriorityPrivilege, 5008 dllhost.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description, pid, process, target process); each entry was recorded three times:
- PID 3124 wrote to memory of 1572: forvm.exe -> netsh.exe
- PID 3124 wrote to memory of 524: forvm.exe -> tmpDC8A.tmp.exe
- PID 524 wrote to memory of 5008: tmpDC8A.tmp.exe -> dllhost.exe
- PID 5008 wrote to memory of 3512: dllhost.exe -> netsh.exe
- PID 5008 wrote to memory of 4904: dllhost.exe -> tmp4249.tmp.exe
Processes (tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\forvm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\forvm.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\forvm.exe" "forvm.exe" ENABLE
    - Modifies Windows Firewall

  - C:\Users\Admin\AppData\Local\Temp\tmpDC8A.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDC8A.tmp.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\dllhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE
        - Modifies Windows Firewall

      - C:\Users\Admin\AppData\Local\Temp\tmp4249.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4249.tmp.exe"
        - Executes dropped EXE
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp4249.tmp.exe
  Filesize: 37KB
  MD5: 1c34d0c6964ad975af3dd63fa9282e2e
  SHA1: 4b1a295f48590c84880a458bbedeafc1512641ee
  SHA256: dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471
  SHA512: 8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5

- C:\Users\Admin\AppData\Local\Temp\tmpDC8A.tmp.exe
  Filesize: 37KB
  MD5: 73196f394725a9623d84a512cdddf6ce
  SHA1: 4d24d92f70b2cbce52b1b173162b8f504ee7752f
  SHA256: ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
  SHA512: 9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

- C:\Users\Admin\AppData\Roaming\dllhost.exe
  Filesize: 37KB
  MD5: 73196f394725a9623d84a512cdddf6ce
  SHA1: 4d24d92f70b2cbce52b1b173162b8f504ee7752f
  SHA256: ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
  SHA512: 9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
Memory dumps
- memory/524-133-0x0000000000000000-mapping.dmp
- memory/524-136-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/524-140-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/1572-131-0x0000000000000000-mapping.dmp
- memory/3124-130-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/3124-132-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/3512-142-0x0000000000000000-mapping.dmp
- memory/4904-144-0x0000000000000000-mapping.dmp
- memory/4904-147-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/4904-148-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/5008-143-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/5008-141-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/5008-137-0x0000000000000000-mapping.dmp