Analysis
max time kernel: 153s
max time network: 207s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 03-12-2022 01:01
Behavioral task: behavioral1
Sample: 539a1c84e8f25f54c520bbf48b4aab6b.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 539a1c84e8f25f54c520bbf48b4aab6b.exe
Resource: win10v2004-20221111-en
General
Target: 539a1c84e8f25f54c520bbf48b4aab6b.exe
Size: 159KB
MD5: 539a1c84e8f25f54c520bbf48b4aab6b
SHA1: 45872ded1cda755c5221958332e9863680b992e2
SHA256: 79c358be65277404a46eab5f2eaa0d2938a70ba55a2396c4957bddf7699b441f
SHA512: 98fd44c98796321528cddece682fc78fdd91b650da6fca6c4e976db4fecc7b775015868eb549c5d626a359e293930a55511026db2bed7a884b02279575eb0720
SSDEEP: 3072:HcXCfxe+yJJFy5K7u77HeoT1V0Qh634VHyaJl1lH5:8XCloqKO1hJl1lH5
Malware Config
Extracted: njrat
im523
HacKed
181.214.130.17:50100
0c829ad93254e4900c3b4ce264339d97
reg_key: 0c829ad93254e4900c3b4ce264339d97
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid 1328 iikofront.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Drops startup file (2 IoCs)
Processes:
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c829ad93254e4900c3b4ce264339d97.exe (iikofront.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c829ad93254e4900c3b4ce264339d97.exe (iikofront.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\0c829ad93254e4900c3b4ce264339d97 = "\"C:\\Windows\\iikofront.exe\" .." (iikofront.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0c829ad93254e4900c3b4ce264339d97 = "\"C:\\Windows\\iikofront.exe\" .." (iikofront.exe)
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
  File created C:\autorun.inf (iikofront.exe)
  File opened for modification C:\autorun.inf (iikofront.exe)
  File created D:\autorun.inf (iikofront.exe)
Drops file in Windows directory (3 IoCs)
Processes:
  File created C:\Windows\iikofront.exe (539a1c84e8f25f54c520bbf48b4aab6b.exe)
  File opened for modification C:\Windows\iikofront.exe (539a1c84e8f25f54c520bbf48b4aab6b.exe)
  File opened for modification C:\Windows\iikofront.exe (iikofront.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 1328 iikofront.exe (64 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 1328 iikofront.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 1328 iikofront.exe (1 occurrence)
  Token: 33, pid 1328 iikofront.exe (8 occurrences)
  Token: SeIncBasePriorityPrivilege, pid 1328 iikofront.exe (8 occurrences)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 2024 (539a1c84e8f25f54c520bbf48b4aab6b.exe) wrote to memory of 1328 (iikofront.exe), 4 occurrences
  PID 1328 (iikofront.exe) wrote to memory of 668 (netsh.exe), 4 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\539a1c84e8f25f54c520bbf48b4aab6b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\539a1c84e8f25f54c520bbf48b4aab6b.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\iikofront.exe (child process)
    command line: "C:\Windows\iikofront.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (child process)
      command line: netsh firewall add allowedprogram "C:\Windows\iikofront.exe" "iikofront.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\iikofront.exe
Filesize: 159KB
MD5: 539a1c84e8f25f54c520bbf48b4aab6b
SHA1: 45872ded1cda755c5221958332e9863680b992e2
SHA256: 79c358be65277404a46eab5f2eaa0d2938a70ba55a2396c4957bddf7699b441f
SHA512: 98fd44c98796321528cddece682fc78fdd91b650da6fca6c4e976db4fecc7b775015868eb549c5d626a359e293930a55511026db2bed7a884b02279575eb0720
memory/668-64-0x0000000000000000-mapping.dmp
memory/1328-56-0x0000000000000000-mapping.dmp
memory/1328-61-0x0000000074130000-0x00000000746DB000-memory.dmp (Filesize: 5.7MB)
memory/1328-63-0x0000000074130000-0x00000000746DB000-memory.dmp (Filesize: 5.7MB)
memory/2024-54-0x00000000753F1000-0x00000000753F3000-memory.dmp (Filesize: 8KB)
memory/2024-55-0x0000000074130000-0x00000000746DB000-memory.dmp (Filesize: 5.7MB)
memory/2024-60-0x0000000074130000-0x00000000746DB000-memory.dmp (Filesize: 5.7MB)
memory/2024-62-0x0000000074130000-0x00000000746DB000-memory.dmp (Filesize: 5.7MB)