Analysis
max time kernel: 206s
max time network: 200s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 01:01
Behavioral task: behavioral1
Sample: 539a1c84e8f25f54c520bbf48b4aab6b.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 539a1c84e8f25f54c520bbf48b4aab6b.exe
Resource: win10v2004-20221111-en
General
Target: 539a1c84e8f25f54c520bbf48b4aab6b.exe
Size: 159KB
MD5: 539a1c84e8f25f54c520bbf48b4aab6b
SHA1: 45872ded1cda755c5221958332e9863680b992e2
SHA256: 79c358be65277404a46eab5f2eaa0d2938a70ba55a2396c4957bddf7699b441f
SHA512: 98fd44c98796321528cddece682fc78fdd91b650da6fca6c4e976db4fecc7b775015868eb549c5d626a359e293930a55511026db2bed7a884b02279575eb0720
SSDEEP: 3072:HcXCfxe+yJJFy5K7u77HeoT1V0Qh634VHyaJl1lH5:8XCloqKO1hJl1lH5
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: 181.214.130.17:50100
Mutex: 0c829ad93254e4900c3b4ce264339d97
Attributes:
reg_key: 0c829ad93254e4900c3b4ce264339d97
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes: PID 3208 iikofront.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 539a1c84e8f25f54c520bbf48b4aab6b.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (539a1c84e8f25f54c520bbf48b4aab6b.exe)

Drops startup file (2 IoCs)
Processes: iikofront.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c829ad93254e4900c3b4ce264339d97.exe (iikofront.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c829ad93254e4900c3b4ce264339d97.exe (iikofront.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: iikofront.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c829ad93254e4900c3b4ce264339d97 = "\"C:\\Windows\\iikofront.exe\" .." (iikofront.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0c829ad93254e4900c3b4ce264339d97 = "\"C:\\Windows\\iikofront.exe\" .." (iikofront.exe)

Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: iikofront.exe
- File created: D:\autorun.inf (iikofront.exe)
- File created: C:\autorun.inf (iikofront.exe)
- File opened for modification: C:\autorun.inf (iikofront.exe)

Drops file in Windows directory (3 IoCs)
Processes: 539a1c84e8f25f54c520bbf48b4aab6b.exe, iikofront.exe
- File created: C:\Windows\iikofront.exe (539a1c84e8f25f54c520bbf48b4aab6b.exe)
- File opened for modification: C:\Windows\iikofront.exe (539a1c84e8f25f54c520bbf48b4aab6b.exe)
- File opened for modification: C:\Windows\iikofront.exe (iikofront.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: PID 3208 iikofront.exe (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: PID 3208 iikofront.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes: iikofront.exe
- Token: SeDebugPrivilege (PID 3208 iikofront.exe)
- Token: 33 followed by Token: SeIncBasePriorityPrivilege (PID 3208 iikofront.exe), pair repeated 6 times

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 539a1c84e8f25f54c520bbf48b4aab6b.exe, iikofront.exe
- PID 1852 (539a1c84e8f25f54c520bbf48b4aab6b.exe) wrote to memory of PID 3208 (iikofront.exe), 3 occurrences
- PID 3208 (iikofront.exe) wrote to memory of PID 4228 (netsh.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\539a1c84e8f25f54c520bbf48b4aab6b.exe (command line: "C:\Users\Admin\AppData\Local\Temp\539a1c84e8f25f54c520bbf48b4aab6b.exe")
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\iikofront.exe (command line: "C:\Windows\iikofront.exe")
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (command line: netsh firewall add allowedprogram "C:\Windows\iikofront.exe" "iikofront.exe" ENABLE)
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\iikofront.exe
  Filesize: 159KB
  MD5: 539a1c84e8f25f54c520bbf48b4aab6b
  SHA1: 45872ded1cda755c5221958332e9863680b992e2
  SHA256: 79c358be65277404a46eab5f2eaa0d2938a70ba55a2396c4957bddf7699b441f
  SHA512: 98fd44c98796321528cddece682fc78fdd91b650da6fca6c4e976db4fecc7b775015868eb549c5d626a359e293930a55511026db2bed7a884b02279575eb0720
- memory/1852-132-0x0000000074E50000-0x0000000075401000-memory.dmp
  Filesize: 5.7MB
- memory/1852-133-0x0000000074E50000-0x0000000075401000-memory.dmp
  Filesize: 5.7MB
- memory/1852-137-0x0000000074E50000-0x0000000075401000-memory.dmp
  Filesize: 5.7MB
- memory/3208-134-0x0000000000000000-mapping.dmp
- memory/3208-138-0x0000000074E50000-0x0000000075401000-memory.dmp
  Filesize: 5.7MB
- memory/3208-139-0x0000000074E50000-0x0000000075401000-memory.dmp
  Filesize: 5.7MB
- memory/4228-140-0x0000000000000000-mapping.dmp