Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-06-2022 20:55
Behavioral task behavioral1
- Sample: forvm.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: forvm.exe
- Resource: win10v2004-20220414-en
General
- Target: forvm.exe
- Size: 37KB
- MD5: 1c34d0c6964ad975af3dd63fa9282e2e
- SHA1: 4b1a295f48590c84880a458bbedeafc1512641ee
- SHA256: dde7dcf2831fc86f74315f05353ed60908fda5e8c8f2620fe160d63b266db471
- SHA512: 8b8d5f608c87c8c9ce7a3d1571b77e2f2962b2ac332b474467fddd43902e9a56d1af4eadd5976caa6237c57a691b02f44d96ef2bd436b9e092c569185e9af5d5
Malware Config
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
- Executes dropped EXE (1 IoC)
  Processes:
  - tmpC474.tmp.exe (PID 2284)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - forvm.exe: Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Processes:
  - forvm.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\767dc25f03dd681bde2bda93c68cdea8.exe
  - forvm.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\767dc25f03dd681bde2bda93c68cdea8.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - forvm.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\767dc25f03dd681bde2bda93c68cdea8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\forvm.exe\" .."
  - forvm.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\767dc25f03dd681bde2bda93c68cdea8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\forvm.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description / PID / process):
  - Token: SeDebugPrivilege / 4204 / forvm.exe
  - The following pair, repeated 17 times (35 entries in total):
    - Token: 33 / 4204 / forvm.exe
    - Token: SeIncBasePriorityPrivilege / 4204 / forvm.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / PID / process / target process):
  - PID 4204 wrote to memory of 3460 / 4204 / forvm.exe / netsh.exe (3 times)
  - PID 4204 wrote to memory of 2284 / 4204 / forvm.exe / tmpC474.tmp.exe (3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\forvm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\forvm.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (child)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\forvm.exe" "forvm.exe" ENABLE
    - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\tmpC474.tmp.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC474.tmp.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC474.tmp.exe
  Filesize: 53KB
  MD5: d0a314fbbc8e3932366190b80d3a1d43
  SHA1: 9f5acdce5c4be66bce4d36d30dc0cc28cc607269
  SHA256: b59b98e49c5a393691d1766623992d7b998b61a4f4420769c1431963146fdf6b
  SHA512: 15cda90b5bcd668b28a165cd83a165cb709b76cfcca21bd7918f6693022f93bafcb930dbbc8504c1ec9f47baa828ae47c58cf38b04ac1ec83911d126fe443d64
Memory dumps
- memory/2284-133-0x0000000000000000-mapping.dmp
- memory/2284-136-0x0000000000E00000-0x0000000000E14000-memory.dmp (Filesize: 80KB)
- memory/2284-137-0x0000000005D80000-0x0000000006324000-memory.dmp (Filesize: 5.6MB)
- memory/2284-138-0x00000000057D0000-0x0000000005862000-memory.dmp (Filesize: 584KB)
- memory/2284-139-0x0000000005960000-0x000000000596A000-memory.dmp (Filesize: 40KB)
- memory/3460-131-0x0000000000000000-mapping.dmp
- memory/4204-130-0x00000000751E0000-0x0000000075791000-memory.dmp (Filesize: 5.7MB)
- memory/4204-132-0x00000000751E0000-0x0000000075791000-memory.dmp (Filesize: 5.7MB)