Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/04/2024, 12:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: KarolinaUtility.exe
- Resource: win10v2004-20240426-en
General
- Target: KarolinaUtility.exe
- Size: 1.1MB
- MD5: cfef55c48b388a3085d574a03f98b74f
- SHA1: c54ee4c110d92c2ff07bf68ed21ca657b9f247b6
- SHA256: 123fd815b92af6c4c427bb148b627b98a29ebbbaf94173b3fe25d698ea287926
- SHA512: 7cc7329aed2cf6b2d03806fe2b35f7a1350cef0e9d39fbb5742e8fac63ff0168a71b4ff3c5be4080a08d40226a474ee419ee0b0ff251a72088e82112174265d5
- SSDEEP: 24576:ZqXbKWqP0dLKDV+p8/8pjIiqLDwiiR3ltKgFyaQdxpThdpQwi+L75:ZqXbeKPUi4+RVtN/QdxpdvXiG75
Malware Config
Extracted
- Family: njrat
- C2: hakim32.ddns.net:2000
Signatures
- Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid   Process
  4656  netsh.exe
  2220  netsh.exe
  3632  netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | KarolinaUtility.exe
- Drops startup file (6 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9832c3e9cd3e821e5314be8029b17d5eWindows Update.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9832c3e9cd3e821e5314be8029b17d5eWindows Update.exe | server.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  1448  server.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Explower.exe | server.exe
  File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  pid   Process
  3284  KarolinaUtility.exe (1 occurrence)
  1448  server.exe (16 occurrences)
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Explower.exe | server.exe
  File opened for modification | C:\Program Files (x86)\Explower.exe | server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1448  server.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1448  server.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1448 | server.exe (1 occurrence)
  Token: 33 | 1448 | server.exe (18 occurrences, alternating with the next row)
  Token: SeIncBasePriorityPrivilege | 1448 | server.exe (18 occurrences)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  3284  KarolinaUtility.exe
  1448  server.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 3284 wrote to memory of 1448 | 3284 | KarolinaUtility.exe | 85 (3 occurrences)
  PID 1448 wrote to memory of 3632 | 1448 | server.exe | 86 (3 occurrences)
  PID 1448 wrote to memory of 4656 | 1448 | server.exe | 88 (3 occurrences)
  PID 1448 wrote to memory of 2220 | 1448 | server.exe | 89 (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe (PID 3284, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1448, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 3632, level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe (PID 4656, level 3)
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe (PID 2220, level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
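The behaviours recorded in the signatures and process tree above (netsh firewall exceptions for a binary under %TEMP%, Startup-folder drops, a SysWOW64 drop by a non-system process, the Geo\Nation lookup) expressed as detection logic. This is an added example, not part of the sandbox report: the Sysmon-style event records are constructed by hand to mirror the report's process tree and file drops, plus one benign installer as a control, and the event field names, rule names and severities are this example's own assumptions.

```python
"""Detection rules for the njRAT behaviours recorded in this report, applied to
constructed Sysmon-style events. Added example: the events below are hand-written
to mirror the report, not captured telemetry, and the field names, rule names and
severities are assumptions of this example."""
import re
from dataclasses import dataclass

# Paths an unprivileged user can write to; a firewall exception or a persistence
# binary living here is a far stronger signal than the same action under Program Files.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users\\[^\\]+\\AppData\\|ProgramData\\|Windows\\Temp\\)", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.I)
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Program path in the legacy 'netsh firewall add|delete allowedprogram "<path>"' form
# seen in this report, or the modern 'netsh advfirewall ... program="<path>"' form.
FW_PROGRAM = re.compile(r'(?:allowedprogram\s+"([^"]+)"|program="([^"]+)")', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


def user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def check_process(ev: dict) -> list:
    out = []
    image, parent, cmd = ev["image"], ev["parent_image"], ev["cmdline"]
    # Firewall rule whose target program lives in a user-writable directory.
    if image.lower().endswith("\\netsh.exe") and "firewall" in cmd.lower():
        m = FW_PROGRAM.search(cmd)
        prog = (m.group(1) or m.group(2)) if m else None
        if prog and user_writable(prog):
            out.append(Finding("firewall_rule_for_user_writable_binary", "high", ev["pid"], prog))
    # "Executes dropped EXE": binary in a user-writable path launched by a parent that lives there too.
    if user_writable(image) and user_writable(parent):
        out.append(Finding("dropped_exe_executed", "medium", ev["pid"], image))
    return out


def check_file(ev: dict) -> list:
    target, image = ev["target"], ev["image"]
    if STARTUP_DIR.search(target):
        return [Finding("startup_folder_drop", "high", ev["pid"], target)]
    if SYSTEM_DIR.match(target) and not WINDOWS_DIR.match(image):
        return [Finding("system_dir_drop_by_non_system_process", "medium", ev["pid"], target)]
    return []


def check_registry(ev: dict) -> list:
    # Geo\Nation read by a binary in a user-writable path: the geofence check from the report.
    if GEO_NATION.search(ev["key"]) and user_writable(ev["image"]):
        return [Finding("geofence_country_lookup", "low", ev["pid"], ev["key"])]
    return []


CHECKS = {"process": check_process, "file": check_file, "registry": check_registry}


def detect(events: list) -> list:
    findings = []
    for ev in events:
        findings.extend(CHECKS[ev["type"]](ev))
    return findings


def summarize(findings: list) -> dict:
    """pid -> sorted rule names, so a single process tripping several rules stands out."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, set()).add(f.rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


# Constructed events mirroring the report's process tree, plus a benign installer as a control.
EVENTS = [
    {"type": "process", "pid": 3284, "image": r"C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe"'},
    {"type": "process", "pid": 1448, "image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\server.exe"'},
    {"type": "process", "pid": 3632, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE'},
    {"type": "process", "pid": 4656, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "cmdline": r'netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"'},
    {"type": "file", "pid": 1448, "image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"},
    {"type": "file", "pid": 1448, "image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "target": r"C:\Windows\SysWOW64\Explower.exe"},
    {"type": "registry", "pid": 3284, "image": r"C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe",
     "key": r"HKU\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 5000, "image": r"C:\Windows\System32\netsh.exe",  # benign control
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Vendor" dir=in action=allow program="C:\Program Files\Vendor\app.exe"'},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.severity}] pid {f.pid}: {f.rule} -> {f.detail}")
```

The firewall rule keys on the program path in the netsh command line rather than on netsh itself, because netsh always runs from System32/SysWOW64; the delete/add pair in the report trips it twice, which is itself a tell (njRAT re-adds its exception on every start). The benign installer's rule for a Program Files binary produces no finding.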
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB (hashes identical to the submitted sample)
  MD5: cfef55c48b388a3085d574a03f98b74f
  SHA1: c54ee4c110d92c2ff07bf68ed21ca657b9f247b6
  SHA256: 123fd815b92af6c4c427bb148b627b98a29ebbbaf94173b3fe25d698ea287926
  SHA512: 7cc7329aed2cf6b2d03806fe2b35f7a1350cef0e9d39fbb5742e8fac63ff0168a71b4ff3c5be4080a08d40226a474ee419ee0b0ff251a72088e82112174265d5
- Filesize: 5B
  MD5: 7eb860abfe2281298575b5216ef42bc6
  SHA1: d4dfd7ac22dcd07da34306c40b4e5367a969cda5
  SHA256: 83d46461bf45f00cb4fc5df9679b2bd82dbf54eeb022ca1711eefb4b2e7b7689
  SHA512: 427bfc41f0514ee10d400eea38f22f6fac6f9d5ecd84ad7adb1161ff9355e47c04ff411e172fafcd23c137ad1528ed2f2cb95d247613ae5550c089633f18994d