Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05-11-2024 10:52
Behavioral task: behavioral1
Sample: Njrat .204.exe
Resource: win7-20240903-en (windows7-x64)
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: Njrat .204.exe
Resource: win10v2004-20241007-en (windows10-2004-x64)
6 signatures, 150 seconds

Behavioral task: behavioral3
Sample: Njrat .204.exe
Resource: win10ltsc2021-20241023-en (windows10-ltsc 2021-x64)
7 signatures, 150 seconds
General
Target: Njrat .204.exe
Size: 351KB
MD5: 498b9af2dfaba5960cac346ab9d293a0
SHA1: 751e69b28a08b6c86092ca696731a9c677b947f4
SHA256: f187f157d9a9ec539e8bf1e98a309bf2777a2270b872086937620e8149914001
SHA512: 28eeafc324cd0dd8092215307dfd3e2fa4a95dc162bf923a146712661b7ed70bf986f28ede01c6de2cfbf11ce00331d58ca6fc5e37e0e940538792c595132c3b
SSDEEP: 6144:B4oZoaeVHPtHgTIAaZgCwDx7axHU0unC28ejI8T7CxBt25:6oZ8HPvWCwjXCsIiCxBt
Malware Config
Signatures
Detect Umbral payload (1 IoC)
resource                                                                       yara_rule
behavioral1/memory/1724-1-0x0000000000160000-0x00000000001BE000-memory.dmp     family_umbral

Umbral family

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
6      ip-api.com

Suspicious use of AdjustPrivilegeToken (41 IoCs)
Token                           PID    Process
SeDebugPrivilege                1724   Njrat .204.exe
SeIncreaseQuotaPrivilege        988    wmic.exe
SeSecurityPrivilege             988    wmic.exe
SeTakeOwnershipPrivilege        988    wmic.exe
SeLoadDriverPrivilege           988    wmic.exe
SeSystemProfilePrivilege        988    wmic.exe
SeSystemtimePrivilege           988    wmic.exe
SeProfSingleProcessPrivilege    988    wmic.exe
SeIncBasePriorityPrivilege      988    wmic.exe
SeCreatePagefilePrivilege       988    wmic.exe
SeBackupPrivilege               988    wmic.exe
SeRestorePrivilege              988    wmic.exe
SeShutdownPrivilege             988    wmic.exe
SeDebugPrivilege                988    wmic.exe
SeSystemEnvironmentPrivilege    988    wmic.exe
SeRemoteShutdownPrivilege       988    wmic.exe
SeUndockPrivilege               988    wmic.exe
SeManageVolumePrivilege         988    wmic.exe
33                              988    wmic.exe
34                              988    wmic.exe
35                              988    wmic.exe
SeIncreaseQuotaPrivilege        988    wmic.exe
SeSecurityPrivilege             988    wmic.exe
SeTakeOwnershipPrivilege        988    wmic.exe
SeLoadDriverPrivilege           988    wmic.exe
SeSystemProfilePrivilege        988    wmic.exe
SeSystemtimePrivilege           988    wmic.exe
SeProfSingleProcessPrivilege    988    wmic.exe
SeIncBasePriorityPrivilege      988    wmic.exe
SeCreatePagefilePrivilege       988    wmic.exe
SeBackupPrivilege               988    wmic.exe
SeRestorePrivilege              988    wmic.exe
SeShutdownPrivilege             988    wmic.exe
SeDebugPrivilege                988    wmic.exe
SeSystemEnvironmentPrivilege    988    wmic.exe
SeRemoteShutdownPrivilege       988    wmic.exe
SeUndockPrivilege               988    wmic.exe
SeManageVolumePrivilege         988    wmic.exe
33                              988    wmic.exe
34                              988    wmic.exe
35                              988    wmic.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid    Process          procid_target
PID 1724 wrote to memory of 988    1724   Njrat .204.exe   31
PID 1724 wrote to memory of 988    1724   Njrat .204.exe   31
PID 1724 wrote to memory of 988    1724   Njrat .204.exe   31
Processes
1. C:\Users\Admin\AppData\Local\Temp\Njrat .204.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Njrat .204.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1724
   2. C:\Windows\System32\Wbem\wmic.exe (child of PID 1724)
      Command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
      PID: 988