Analysis
- max time kernel: 150s
- max time network: 55s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/04/2024, 12:38
Static task: static1
Behavioral task: behavioral1
Sample: KarolinaUtility.exe
Resource: win10v2004-20240419-en
General
- Target: KarolinaUtility.exe
- Size: 1.1MB
- MD5: 152b2de8e77bf9112e5eef82523ab61f
- SHA1: afa184a756ce657f5c39bb4c73f3e96ce859e001
- SHA256: f4ed03aaa253034c9e245d8194454c207ad92aee87814ef513da2ca4db4ff0a3
- SHA512: cac7740e857921ce7665f82c10cf1869428b5d07cf8649856639a503aa2d5efc1e1c11bc1dee9292039889b3476b648a4dd9ac8b1ebfefcafabfbda36b955a24
- SSDEEP: 24576:pspTEK2AoTg1u6m6fBwW2lT/kQyPcwp0St1ZmF7akZmx/LWwbE7HT8GwyIFH:6pIKus8vlYQev7ydZmxDWaEP2jH
Malware Config
Extracted
- Family: njrat
- Host: hakim32.ddns.net:2000
Signatures

Modifies Windows Firewall (2 TTPs, 3 IoCs)
pid | Process
808 | netsh.exe
4600 | netsh.exe
2732 | netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | KarolinaUtility.exe

Drops startup file (6 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9832c3e9cd3e821e5314be8029b17d5eWindows Update.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9832c3e9cd3e821e5314be8029b17d5eWindows Update.exe | server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
Executes dropped EXE (1 IoC)
pid | Process
640 | server.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Explower.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
pid | Process
1944 | KarolinaUtility.exe
640 | server.exe (16 entries)

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Explower.exe | server.exe
File opened for modification | C:\Program Files (x86)\Explower.exe | server.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
640 | server.exe (64 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
640 | server.exe
Suspicious use of AdjustPrivilegeToken (37 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 640 | server.exe
Token: 33 | 640 | server.exe (18 entries, alternating with the row below)
Token: SeIncBasePriorityPrivilege | 640 | server.exe (18 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1944 | KarolinaUtility.exe
640 | server.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1944 wrote to memory of 640 | 1944 | KarolinaUtility.exe | 87 (3 entries)
PID 640 wrote to memory of 808 | 640 | server.exe | 88 (3 entries)
PID 640 wrote to memory of 2732 | 640 | server.exe | 90 (3 entries)
PID 640 wrote to memory of 4600 | 640 | server.exe | 91 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe"
  PID: 1944
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 640
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      PID: 808
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      PID: 2732
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      PID: 4600
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 5B
MD5: 7eb860abfe2281298575b5216ef42bc6
SHA1: d4dfd7ac22dcd07da34306c40b4e5367a969cda5
SHA256: 83d46461bf45f00cb4fc5df9679b2bd82dbf54eeb022ca1711eefb4b2e7b7689
SHA512: 427bfc41f0514ee10d400eea38f22f6fac6f9d5ecd84ad7adb1161ff9355e47c04ff411e172fafcd23c137ad1528ed2f2cb95d247613ae5550c089633f18994d