Analysis

max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28/04/2024, 12:38

Static task: static1
Behavioral task: behavioral1
Sample: KarolinaUtility.exe
Resource: win10v2004-20240419-en
General

Target: KarolinaUtility.exe
Size: 1.1MB
MD5: 152b2de8e77bf9112e5eef82523ab61f
SHA1: afa184a756ce657f5c39bb4c73f3e96ce859e001
SHA256: f4ed03aaa253034c9e245d8194454c207ad92aee87814ef513da2ca4db4ff0a3
SHA512: cac7740e857921ce7665f82c10cf1869428b5d07cf8649856639a503aa2d5efc1e1c11bc1dee9292039889b3476b648a4dd9ac8b1ebfefcafabfbda36b955a24
SSDEEP: 24576:pspTEK2AoTg1u6m6fBwW2lT/kQyPcwp0St1ZmF7akZmx/LWwbE7HT8GwyIFH:6pIKus8vlYQev7ydZmxDWaEP2jH
Malware Config

Extracted family: njrat
C2: hakim32.ddns.net:2000
Signatures

Modifies Windows Firewall (2 TTPs, 3 IoCs)
PID | Process
1536 | netsh.exe
2864 | netsh.exe
3892 | netsh.exe

Drops startup file (6 IoCs)
Description | IoC | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9832c3e9cd3e821e5314be8029b17d5eWindows Update.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9832c3e9cd3e821e5314be8029b17d5eWindows Update.exe | server.exe

Executes dropped EXE (1 IoC)
PID | Process
5024 | server.exe

Drops file in System32 directory (2 IoCs)
Description | IoC | Process
File created | C:\Windows\SysWOW64\Explower.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
PID | Process
4420 | KarolinaUtility.exe
5024 | server.exe (16 identical entries)

Drops file in Program Files directory (2 IoCs)
Description | IoC | Process
File created | C:\Program Files (x86)\Explower.exe | server.exe
File opened for modification | C:\Program Files (x86)\Explower.exe | server.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID | Process
5024 | server.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID | Process
5024 | server.exe

Suspicious use of AdjustPrivilegeToken (37 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 5024 | server.exe
Token: 33 | 5024 | server.exe (18 entries, alternating with the row below)
Token: SeIncBasePriorityPrivilege | 5024 | server.exe (18 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
PID | Process
4420 | KarolinaUtility.exe
5024 | server.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Description | PID | Process | procid_target
PID 4420 wrote to memory of 5024 | 4420 | KarolinaUtility.exe | 80 (3 identical entries)
PID 5024 wrote to memory of 1536 | 5024 | server.exe | 81 (3 identical entries)
PID 5024 wrote to memory of 2864 | 5024 | server.exe | 83 (3 identical entries)
PID 5024 wrote to memory of 3892 | 5024 | server.exe | 84 (3 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe"
  PID: 4420
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 5024
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      PID: 1536
      - Modifies Windows Firewall

    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      PID: 2864
      - Modifies Windows Firewall

    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      PID: 3892
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.1MB (same hashes as the submitted sample)
MD5: 152b2de8e77bf9112e5eef82523ab61f
SHA1: afa184a756ce657f5c39bb4c73f3e96ce859e001
SHA256: f4ed03aaa253034c9e245d8194454c207ad92aee87814ef513da2ca4db4ff0a3
SHA512: cac7740e857921ce7665f82c10cf1869428b5d07cf8649856639a503aa2d5efc1e1c11bc1dee9292039889b3476b648a4dd9ac8b1ebfefcafabfbda36b955a24

Filesize: 5B
MD5: 7eb860abfe2281298575b5216ef42bc6
SHA1: d4dfd7ac22dcd07da34306c40b4e5367a969cda5
SHA256: 83d46461bf45f00cb4fc5df9679b2bd82dbf54eeb022ca1711eefb4b2e7b7689
SHA512: 427bfc41f0514ee10d400eea38f22f6fac6f9d5ecd84ad7adb1161ff9355e47c04ff411e172fafcd23c137ad1528ed2f2cb95d247613ae5550c089633f18994d