aab153adf3826be713a143df8f8da8ec586f2dd327758718b18b8cf6d824cdc8

Analysis

max time kernel
351s
max time network
1781s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-08-2023 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

forvmbo4.exe
Size

93KB
MD5

228139068662ee8975ba11cc358f6d6f
SHA1

2e670edf9c635759ccaa452c6d062fe5f46840c6
SHA256

aab153adf3826be713a143df8f8da8ec586f2dd327758718b18b8cf6d824cdc8
SHA512

7950d9065867551bb0a8a4d250c1f3900a8574620b8654dea2638c4244d44189509548d432a901e99f0b10e40fd6b6623d78053c199a93a18ff28ddbbbc6caea
SSDEEP

1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf7wcDaAO5:z7DhdC6kzWypvaQ0FxyNTBf79DQ

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2456	2188	forvmbo4.exe	29
PID 2188 wrote to memory of 2456	2188	forvmbo4.exe	29
PID 2188 wrote to memory of 2456	2188	forvmbo4.exe	29
PID 2188 wrote to memory of 2456	2188	forvmbo4.exe	29
PID 2828 wrote to memory of 2324	2828	chrome.exe	33
PID 2828 wrote to memory of 2324	2828	chrome.exe	33
PID 2828 wrote to memory of 2324	2828	chrome.exe	33
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 2268	2828	chrome.exe	35
PID 2828 wrote to memory of 524	2828	chrome.exe	36
PID 2828 wrote to memory of 524	2828	chrome.exe	36
PID 2828 wrote to memory of 524	2828	chrome.exe	36
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37
PID 2828 wrote to memory of 560	2828	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\forvmbo4.exe
"C:\Users\Admin\AppData\Local\Temp\forvmbo4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\731D.tmp\731E.tmp\731F.bat C:\Users\Admin\AppData\Local\Temp\forvmbo4.exe"
  2⤵
  PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7099758,0x7fef7099768,0x7fef7099778
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1224,i,9677204102012451307,3589349798555256538,131072 /prefetch:2
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1224,i,9677204102012451307,3589349798555256538,131072 /prefetch:8
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1224,i,9677204102012451307,3589349798555256538,131072 /prefetch:8
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2084 --field-trial-handle=1224,i,9677204102012451307,3589349798555256538,131072 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2124 --field-trial-handle=1224,i,9677204102012451307,3589349798555256538,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1224,i,9677204102012451307,3589349798555256538,131072 /prefetch:2
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2812 --field-trial-handle=1224,i,9677204102012451307,3589349798555256538,131072 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3484 --field-trial-handle=1224,i,9677204102012451307,3589349798555256538,131072 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3500 --field-trial-handle=1224,i,9677204102012451307,3589349798555256538,131072 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 --field-trial-handle=1224,i,9677204102012451307,3589349798555256538,131072 /prefetch:8
  2⤵
  PID:1916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
7959bfac9d345ac076ea2cc39f19565f

SHA1
4cc11df0c4b854cf652029ce53bf78f9a5129159

SHA256
9b363a8512274b0bb8a81bbcd40ea1403745aaf0d0310489f5529f633fde655f

SHA512
77dd86931b61948013097ea8119dfff2c167db24ae12a0dcef618c8f5029236227ae9295445e47900923eab04ebdb6727edc0221a892131d417bab8f5c38d558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
549eb4ade1d04435a480eb1b18f822a3

SHA1
227ca566af9fde49632fb70f8e6faa90bd752522

SHA256
d4c41872a02b89aaf7f39624eaf77069796f573c6b3f3cd7546e151133595956

SHA512
33c51ffe92e01d3c95170e2cd2b05264184864eedfe835a114dab92ee69b3c49caab44f7f717e967897d680368ae59381897c21aa228d688bcf149427ebf009c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\731D.tmp\731E.tmp\731F.bat

Filesize
3KB

MD5
1d50ca75efa1fd7917dc4f67e5867b01

SHA1
f30852ca8bc5edf2ac8e248412af7a658a12adbd

SHA256
d5edbfc833dc196bbd812f4a429efb61012a4b7502155bab20c38f7f1501c76e

SHA512
36dcb5b36edb754ccf465ed028b44ccf41c7034d6ddb6c26475ec9282b7ba001e26bc90dd0edd32bc54ba2322c6137c240ef67b4b48e2857bebc0a043d8e1e56

Download Submit