Overview

overview

10

Static

static

10

treeVPN.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    11-11-2024 19:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    treeVPN.exe

  • Size

    43KB

  • MD5

    9a5aead9de4bf8498905d7ddb659be02

  • SHA1

    c93c2457a874d908108915cc83d8f0a35e4ef910

  • SHA256

    386948e2877eac1b5a79f96db5fba7008bfab8f173898204b63e83a60e0b80d2

  • SHA512

    bd38b97e1fe283c09dc6bfaef13541c2a62718a067dc178c093557b69527d81e9ba93a1c174867c6216d3a220b554c0dee49852bcb51f184610495830a5b49f7

  • SSDEEP

    384:0ZySvHn1iDcsyEqtBfQEGCOEhGyOEtzcIij+ZsNO3PlpJKkkjh/TzF7pWnQ/greT:C5HnU4pEqtNQE5SyZuXQ/oB3+L

Score
10/10
njrathackeddiscoverytrojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\treeVPN.exe
    "C:\Users\Admin\AppData\Local\Temp\treeVPN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3272
  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp/Server.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:3516
  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp/Server.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:544
  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp/Server.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:1776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log
    Filesize

    507B

    MD5

    dd113bc063fe53dc74ead8403c979e3d

    SHA1

    f0a5283a5d047aeb6b4b906194e5f3252b95d5e9

    SHA256

    aebf3315c2c092e5b9bf62717e6e8ec7a8c48433a531162e35e3f1a6bde4b242

    SHA512

    c951f5740dcfa018d92a78bcaabee5a39079beeb72041975f85ee2b01bd25e507fb9a2a2d8962196e04edf00cbe69eb235b0117056dd95476093577e537e2281

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    43KB

    MD5

    9a5aead9de4bf8498905d7ddb659be02

    SHA1

    c93c2457a874d908108915cc83d8f0a35e4ef910

    SHA256

    386948e2877eac1b5a79f96db5fba7008bfab8f173898204b63e83a60e0b80d2

    SHA512

    bd38b97e1fe283c09dc6bfaef13541c2a62718a067dc178c093557b69527d81e9ba93a1c174867c6216d3a220b554c0dee49852bcb51f184610495830a5b49f7

    Download Submit

  • memory/544-20-0x0000000074C90000-0x0000000075441000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/544-19-0x0000000074C90000-0x0000000075441000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/544-17-0x0000000074C90000-0x0000000075441000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1776-22-0x0000000074C90000-0x0000000075441000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2004-9-0x0000000005650000-0x000000000565A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2004-8-0x0000000074C90000-0x0000000075441000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2004-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2004-7-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2004-4-0x0000000074C90000-0x0000000075441000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2004-5-0x00000000056F0000-0x0000000005782000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2004-3-0x0000000005C00000-0x00000000061A6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2004-2-0x0000000005300000-0x000000000539C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2004-1-0x0000000000920000-0x0000000000932000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3516-12-0x0000000074C90000-0x0000000075441000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3516-13-0x0000000074C90000-0x0000000075441000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3516-15-0x0000000074C90000-0x0000000075441000-memory.dmp

    Filesize

    7.7MB

    Download