Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
11-11-2024 19:46
General
-
Target
treeVPN.exe
-
Size
43KB
-
MD5
9a5aead9de4bf8498905d7ddb659be02
-
SHA1
c93c2457a874d908108915cc83d8f0a35e4ef910
-
SHA256
386948e2877eac1b5a79f96db5fba7008bfab8f173898204b63e83a60e0b80d2
-
SHA512
bd38b97e1fe283c09dc6bfaef13541c2a62718a067dc178c093557b69527d81e9ba93a1c174867c6216d3a220b554c0dee49852bcb51f184610495830a5b49f7
-
SSDEEP
384:0ZySvHn1iDcsyEqtBfQEGCOEhGyOEtzcIij+ZsNO3PlpJKkkjh/TzF7pWnQ/greT:C5HnU4pEqtNQE5SyZuXQ/oB3+L
Malware Config
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
127.0.0.1:5552
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Signatures
-
Njrat family
-
Executes dropped EXE 3 IoCs
pid Process 3516 Server.exe 544 Server.exe 1776 Server.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language treeVPN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3272 schtasks.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2004 treeVPN.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process Token: SeDebugPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe Token: 33 2004 treeVPN.exe Token: SeIncBasePriorityPrivilege 2004 treeVPN.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2004 wrote to memory of 3272 2004 treeVPN.exe 87 PID 2004 wrote to memory of 3272 2004 treeVPN.exe 87 PID 2004 wrote to memory of 3272 2004 treeVPN.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\treeVPN.exe"C:\Users\Admin\AppData\Local\Temp\treeVPN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3272
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp/Server.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3516
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp/Server.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:544
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp/Server.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1776
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
507B
MD5dd113bc063fe53dc74ead8403c979e3d
SHA1f0a5283a5d047aeb6b4b906194e5f3252b95d5e9
SHA256aebf3315c2c092e5b9bf62717e6e8ec7a8c48433a531162e35e3f1a6bde4b242
SHA512c951f5740dcfa018d92a78bcaabee5a39079beeb72041975f85ee2b01bd25e507fb9a2a2d8962196e04edf00cbe69eb235b0117056dd95476093577e537e2281
-
Filesize
43KB
MD59a5aead9de4bf8498905d7ddb659be02
SHA1c93c2457a874d908108915cc83d8f0a35e4ef910
SHA256386948e2877eac1b5a79f96db5fba7008bfab8f173898204b63e83a60e0b80d2
SHA512bd38b97e1fe283c09dc6bfaef13541c2a62718a067dc178c093557b69527d81e9ba93a1c174867c6216d3a220b554c0dee49852bcb51f184610495830a5b49f7