Analysis
max time kernel: 61s
max time network: 62s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28/04/2024, 12:37
Static task: static1
Errors
General
Target: KarolinaUtility.exe
Size: 1.1MB
MD5: b1fd40e0d774fc34ca7e3f19aabf6ab1
SHA1: 938e853894b0d5f157557bedfa531d49c1771f99
SHA256: 809ccbd6dc5ce0e1e654f8dc89aa5de50e3bebc9bd6d5c69259eecf9240d8a43
SHA512: d70f95b2bff8af647115cb958180f1ef327ad57f48f22a4113480bd818005de55f2457c381c9486adb21e2340efe56dc2803a21ecb55075b8e1a5e1513b946c2
SSDEEP: 24576:2X33UCjKexm3uKi5VL6hd/ZJpVg2tlejoPUL+5JH8ewPcfxqlB9Cw46:8jKC8O38/Hg2KsUWlwoxqz9C8
Malware Config
Extracted
njrat
hakim32.ddns.net:2000
Signatures
Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid | Process
  2316 | netsh.exe
  4884 | netsh.exe
  3864 | netsh.exe
Drops startup file (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9832c3e9cd3e821e5314be8029b17d5eWindows Update.exe | server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9832c3e9cd3e821e5314be8029b17d5eWindows Update.exe | server.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  3032 | server.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Explower.exe | server.exe
  File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  pid | Process
  204 | KarolinaUtility.exe
  3032 | server.exe (7 identical entries)
Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Explower.exe | server.exe
  File created | C:\Program Files (x86)\Explower.exe | server.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3032 | server.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3032 | server.exe
Suspicious use of AdjustPrivilegeToken (18 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3032 | server.exe
  Token: 33 | 3032 | server.exe
  Token: SeIncBasePriorityPrivilege | 3032 | server.exe
  Token: 33 | 3032 | server.exe
  Token: SeIncBasePriorityPrivilege | 3032 | server.exe
  Token: 33 | 3032 | server.exe
  Token: SeIncBasePriorityPrivilege | 3032 | server.exe
  Token: 33 | 3032 | server.exe
  Token: SeIncBasePriorityPrivilege | 3032 | server.exe
  Token: 33 | 3032 | server.exe
  Token: SeIncBasePriorityPrivilege | 3032 | server.exe
  Token: SeDebugPrivilege | 4992 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4992 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4992 | taskmgr.exe
  Token: 33 | 3032 | server.exe
  Token: SeIncBasePriorityPrivilege | 3032 | server.exe
  Token: 33 | 3032 | server.exe
  Token: SeIncBasePriorityPrivilege | 3032 | server.exe
Suspicious use of FindShellTrayWindow (33 IoCs)
  pid | Process
  4992 | taskmgr.exe (33 identical entries)
Suspicious use of SendNotifyMessage (33 IoCs)
  pid | Process
  4992 | taskmgr.exe (33 identical entries)
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  204 | KarolinaUtility.exe
  3032 | server.exe
  376 | LogonUI.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 204 wrote to memory of 3032 | 204 | KarolinaUtility.exe | 74 (3 identical entries)
  PID 3032 wrote to memory of 2316 | 3032 | server.exe | 75 (3 identical entries)
  PID 3032 wrote to memory of 4884 | 3032 | server.exe | 77 (3 identical entries)
  PID 3032 wrote to memory of 3864 | 3032 | server.exe | 78 (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 204

    C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Drops startup file
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3032

        C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          - Modifies Windows Firewall
          PID: 2316

        C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
          - Modifies Windows Firewall
          PID: 4884

        C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          - Modifies Windows Firewall
          PID: 3864

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4992

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3a9c055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 376
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: b1fd40e0d774fc34ca7e3f19aabf6ab1
SHA1: 938e853894b0d5f157557bedfa531d49c1771f99
SHA256: 809ccbd6dc5ce0e1e654f8dc89aa5de50e3bebc9bd6d5c69259eecf9240d8a43
SHA512: d70f95b2bff8af647115cb958180f1ef327ad57f48f22a4113480bd818005de55f2457c381c9486adb21e2340efe56dc2803a21ecb55075b8e1a5e1513b946c2

Filesize: 5B
MD5: 7eb860abfe2281298575b5216ef42bc6
SHA1: d4dfd7ac22dcd07da34306c40b4e5367a969cda5
SHA256: 83d46461bf45f00cb4fc5df9679b2bd82dbf54eeb022ca1711eefb4b2e7b7689
SHA512: 427bfc41f0514ee10d400eea38f22f6fac6f9d5ecd84ad7adb1161ff9355e47c04ff411e172fafcd23c137ad1528ed2f2cb95d247613ae5550c089633f18994d