Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-06-2022 20:55
Behavioral task behavioral1
- Sample: forvm.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: forvm.exe
- Resource: win10v2004-20220414-en
General
- Target: forvm.exe
- Size: 37KB
- MD5: 1c34d0c6964ad975af3dd63fa9282e2e
- SHA1: 4b1a295f48590c84880a458bbedeafc1512641ee
- SHA256: dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471
- SHA512: 8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5
Malware Config
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1968 tmp256C.tmp.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
-
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\767dc25f03dd681bde2bda93c68cdea8.exe (forvm.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\767dc25f03dd681bde2bda93c68cdea8.exe (forvm.exe)
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  1552 forvm.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\767dc25f03dd681bde2bda93c68cdea8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\forvm.exe\" .." (forvm.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\767dc25f03dd681bde2bda93c68cdea8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\forvm.exe\" .." (forvm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 1552 forvm.exe
  Token: 33 1552 forvm.exe (repeated 11 times, alternating with the entry below)
  Token: SeIncBasePriorityPrivilege 1552 forvm.exe (repeated 11 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 1552 wrote to memory of 372: 1552 forvm.exe -> netsh.exe (4 times)
  PID 1552 wrote to memory of 1968: 1552 forvm.exe -> tmp256C.tmp.exe (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\forvm.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\forvm.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\forvm.exe" "forvm.exe" ENABLE
    - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\tmp256C.tmp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp256C.tmp.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp256C.tmp.exe
  Filesize: 53KB
  MD5: d0a314fbbc8e3932366190b80d3a1d43
  SHA1: 9f5acdce5c4be66bce4d36d30dc0cc28cc607269
  SHA256: b59b98e49c5a393691d1766623992d7b998b61a4f4420769c1431963146fdf6b
  SHA512: 15cda90b5bcd668b28a165cd83a165cb709b76cfcca21bd7918f6693022f93bafcb930dbbc8504c1ec9f47baa828ae47c58cf38b04ac1ec83911d126fe443d64
- \Users\Admin\AppData\Local\Temp\tmp256C.tmp.exe
  Filesize: 53KB
  MD5: d0a314fbbc8e3932366190b80d3a1d43
  SHA1: 9f5acdce5c4be66bce4d36d30dc0cc28cc607269
  SHA256: b59b98e49c5a393691d1766623992d7b998b61a4f4420769c1431963146fdf6b
  SHA512: 15cda90b5bcd668b28a165cd83a165cb709b76cfcca21bd7918f6693022f93bafcb930dbbc8504c1ec9f47baa828ae47c58cf38b04ac1ec83911d126fe443d64
- memory/372-56-0x0000000000000000-mapping.dmp
- memory/1552-54-0x0000000075B61000-0x0000000075B63000-memory.dmp
  Filesize: 8KB
- memory/1552-55-0x00000000749A0000-0x0000000074F4B000-memory.dmp
  Filesize: 5.7MB
- memory/1552-58-0x00000000749A0000-0x0000000074F4B000-memory.dmp
  Filesize: 5.7MB
- memory/1968-60-0x0000000000000000-mapping.dmp
- memory/1968-63-0x0000000000DE0000-0x0000000000DF4000-memory.dmp
  Filesize: 80KB