Resubmissions

28/04/2024, 12:37

240428-ptqhyagd2s 10

28/04/2024, 12:34

240428-przc3agc6x 10

Analysis

  • max time kernel
    150s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/04/2024, 12:34

General

  • Target

    KarolinaUtility.exe

  • Size

    1.1MB

  • MD5

    b1fd40e0d774fc34ca7e3f19aabf6ab1

  • SHA1

    938e853894b0d5f157557bedfa531d49c1771f99

  • SHA256

    809ccbd6dc5ce0e1e654f8dc89aa5de50e3bebc9bd6d5c69259eecf9240d8a43

  • SHA512

    d70f95b2bff8af647115cb958180f1ef327ad57f48f22a4113480bd818005de55f2457c381c9486adb21e2340efe56dc2803a21ecb55075b8e1a5e1513b946c2

  • SSDEEP

    24576:2X33UCjKexm3uKi5VL6hd/ZJpVg2tlejoPUL+5JH8ewPcfxqlB9Cw46:8jKC8O38/Hg2KsUWlwoxqz9C8

Score
10/10

Malware Config

Extracted

Family

njrat

C2

hakim32.ddns.net:2000

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe
    "C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:4648
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Modifies Windows Firewall
        PID:1608
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:4212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    1.1MB

    MD5

    b1fd40e0d774fc34ca7e3f19aabf6ab1

    SHA1

    938e853894b0d5f157557bedfa531d49c1771f99

    SHA256

    809ccbd6dc5ce0e1e654f8dc89aa5de50e3bebc9bd6d5c69259eecf9240d8a43

    SHA512

    d70f95b2bff8af647115cb958180f1ef327ad57f48f22a4113480bd818005de55f2457c381c9486adb21e2340efe56dc2803a21ecb55075b8e1a5e1513b946c2

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    5B

    MD5

    7eb860abfe2281298575b5216ef42bc6

    SHA1

    d4dfd7ac22dcd07da34306c40b4e5367a969cda5

    SHA256

    83d46461bf45f00cb4fc5df9679b2bd82dbf54eeb022ca1711eefb4b2e7b7689

    SHA512

    427bfc41f0514ee10d400eea38f22f6fac6f9d5ecd84ad7adb1161ff9355e47c04ff411e172fafcd23c137ad1528ed2f2cb95d247613ae5550c089633f18994d

  • memory/2216-18-0x00000000746B0000-0x0000000074C61000-memory.dmp

    Filesize

    5.7MB

  • memory/2216-48-0x00000000034A0000-0x00000000034B0000-memory.dmp

    Filesize

    64KB

  • memory/2216-47-0x00000000746B0000-0x0000000074C61000-memory.dmp

    Filesize

    5.7MB

  • memory/2216-46-0x0000000000450000-0x00000000007D0000-memory.dmp

    Filesize

    3.5MB

  • memory/2216-14-0x0000000000450000-0x00000000007D0000-memory.dmp

    Filesize

    3.5MB

  • memory/4460-3-0x0000000003340000-0x0000000003350000-memory.dmp

    Filesize

    64KB

  • memory/4460-16-0x0000000000CC0000-0x0000000001040000-memory.dmp

    Filesize

    3.5MB

  • memory/4460-17-0x00000000746B0000-0x0000000074C61000-memory.dmp

    Filesize

    5.7MB

  • memory/4460-0-0x0000000000CC0000-0x0000000001040000-memory.dmp

    Filesize

    3.5MB

  • memory/4460-2-0x00000000746B0000-0x0000000074C61000-memory.dmp

    Filesize

    5.7MB

  • memory/4460-1-0x00000000746B0000-0x0000000074C61000-memory.dmp

    Filesize

    5.7MB