Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/04/2024, 12:41

General

  • Target

    KarolinaUtility.exe

  • Size

    1.1MB

  • MD5

    cfef55c48b388a3085d574a03f98b74f

  • SHA1

    c54ee4c110d92c2ff07bf68ed21ca657b9f247b6

  • SHA256

    123fd815b92af6c4c427bb148b627b98a29ebbbaf94173b3fe25d698ea287926

  • SHA512

    7cc7329aed2cf6b2d03806fe2b35f7a1350cef0e9d39fbb5742e8fac63ff0168a71b4ff3c5be4080a08d40226a474ee419ee0b0ff251a72088e82112174265d5

  • SSDEEP

    24576:ZqXbKWqP0dLKDV+p8/8pjIiqLDwiiR3ltKgFyaQdxpThdpQwi+L75:ZqXbeKPUi4+RVtN/QdxpdvXiG75

Score
10/10

Malware Config

Extracted

Family

njrat

C2

hakim32.ddns.net:2000

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe
    "C:\Users\Admin\AppData\Local\Temp\KarolinaUtility.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3284
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:3632
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Modifies Windows Firewall
        PID:4656
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    1.1MB

    MD5

    cfef55c48b388a3085d574a03f98b74f

    SHA1

    c54ee4c110d92c2ff07bf68ed21ca657b9f247b6

    SHA256

    123fd815b92af6c4c427bb148b627b98a29ebbbaf94173b3fe25d698ea287926

    SHA512

    7cc7329aed2cf6b2d03806fe2b35f7a1350cef0e9d39fbb5742e8fac63ff0168a71b4ff3c5be4080a08d40226a474ee419ee0b0ff251a72088e82112174265d5

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    5B

    MD5

    7eb860abfe2281298575b5216ef42bc6

    SHA1

    d4dfd7ac22dcd07da34306c40b4e5367a969cda5

    SHA256

    83d46461bf45f00cb4fc5df9679b2bd82dbf54eeb022ca1711eefb4b2e7b7689

    SHA512

    427bfc41f0514ee10d400eea38f22f6fac6f9d5ecd84ad7adb1161ff9355e47c04ff411e172fafcd23c137ad1528ed2f2cb95d247613ae5550c089633f18994d

  • memory/1448-19-0x0000000074360000-0x0000000074911000-memory.dmp

    Filesize

    5.7MB

  • memory/1448-48-0x0000000074360000-0x0000000074911000-memory.dmp

    Filesize

    5.7MB

  • memory/1448-47-0x0000000000040000-0x00000000003C0000-memory.dmp

    Filesize

    3.5MB

  • memory/1448-12-0x0000000000040000-0x00000000003C0000-memory.dmp

    Filesize

    3.5MB

  • memory/1448-18-0x0000000074360000-0x0000000074911000-memory.dmp

    Filesize

    5.7MB

  • memory/3284-3-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

    Filesize

    64KB

  • memory/3284-17-0x0000000074360000-0x0000000074911000-memory.dmp

    Filesize

    5.7MB

  • memory/3284-16-0x0000000000EF0000-0x0000000001270000-memory.dmp

    Filesize

    3.5MB

  • memory/3284-0-0x0000000000EF0000-0x0000000001270000-memory.dmp

    Filesize

    3.5MB

  • memory/3284-2-0x0000000074360000-0x0000000074911000-memory.dmp

    Filesize

    5.7MB

  • memory/3284-1-0x0000000074360000-0x0000000074911000-memory.dmp

    Filesize

    5.7MB