Analysis
- max time kernel: 150s
- max time network: 54s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/04/2024, 12:34
Static task: static1
Behavioral task: behavioral1
Sample: KarolinaUtility.exe
Resource: win10v2004-20240419-en
General
- Target: KarolinaUtility.exe
- Size: 1.1MB
- MD5: b1fd40e0d774fc34ca7e3f19aabf6ab1
- SHA1: 938e853894b0d5f157557bedfa531d49c1771f99
- SHA256: 809ccbd6dc5ce0e1e654f8dc89aa5de50e3bebc9bd6d5c69259eecf9240d8a43
- SHA512: d70f95b2bff8af647115cb958180f1ef327ad57f48f22a4113480bd818005de55f2457c381c9486adb21e2340efe56dc2803a21ecb55075b8e1a5e1513b946c2
- SSDEEP: 24576:2X33UCjKexm3uKi5VL6hd/ZJpVg2tlejoPUL+5JH8ewPcfxqlB9Cw46:8jKC8O38/Hg2KsUWlwoxqz9C8
Malware Config
- Extracted family: njrat
- Extracted host: hakim32.ddns.net:2000
Signatures
- Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid / Process: 4648 netsh.exe; 1608 netsh.exe; 4212 netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation (Process: KarolinaUtility.exe)
- Drops startup file (6 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (Process: server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (Process: server.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9832c3e9cd3e821e5314be8029b17d5eWindows Update.exe (Process: server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9832c3e9cd3e821e5314be8029b17d5eWindows Update.exe (Process: server.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (Process: server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (Process: server.exe)
- Executes dropped EXE (1 IoC)
  pid / Process: 2216 server.exe
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\Explower.exe (Process: server.exe)
  File opened for modification: C:\Windows\SysWOW64\Explower.exe (Process: server.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
  pid / Process: 4460 KarolinaUtility.exe (1 entry); 2216 server.exe (15 entries)
- Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\Explower.exe (Process: server.exe)
  File created: C:\Program Files (x86)\Explower.exe (Process: server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 2216 server.exe (64 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process: 2216 server.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description / pid / Process: Token: SeDebugPrivilege 2216 server.exe (1 entry); Token: 33 2216 server.exe (18 entries); Token: SeIncBasePriorityPrivilege 2216 server.exe (18 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process: 4460 KarolinaUtility.exe; 2216 server.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  PID 4460 wrote to memory of 2216 / 4460 / KarolinaUtility.exe / 87 (3 entries)
  PID 2216 wrote to memory of 4648 / 2216 / server.exe / 88 (3 entries)
  PID 2216 wrote to memory of 1608 / 2216 / server.exe / 90 (3 entries)
  PID 2216 wrote to memory of 4212 / 2216 / server.exe / 91 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe"
  PID: 4460
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 2216
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      PID: 4648
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      PID: 1608
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      PID: 4212
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: b1fd40e0d774fc34ca7e3f19aabf6ab1
  SHA1: 938e853894b0d5f157557bedfa531d49c1771f99
  SHA256: 809ccbd6dc5ce0e1e654f8dc89aa5de50e3bebc9bd6d5c69259eecf9240d8a43
  SHA512: d70f95b2bff8af647115cb958180f1ef327ad57f48f22a4113480bd818005de55f2457c381c9486adb21e2340efe56dc2803a21ecb55075b8e1a5e1513b946c2
- Filesize: 5B
  MD5: 7eb860abfe2281298575b5216ef42bc6
  SHA1: d4dfd7ac22dcd07da34306c40b4e5367a969cda5
  SHA256: 83d46461bf45f00cb4fc5df9679b2bd82dbf54eeb022ca1711eefb4b2e7b7689
  SHA512: 427bfc41f0514ee10d400eea38f22f6fac6f9d5ecd84ad7adb1161ff9355e47c04ff411e172fafcd23c137ad1528ed2f2cb95d247613ae5550c089633f18994d