Analysis

max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 01-05-2024 07:46
Behavioral task behavioral1
Sample: 59d0282fcb01a6735aca82dfaf1098c6.exe
Resource: win7-20240419-en

Behavioral task behavioral2
Sample: 59d0282fcb01a6735aca82dfaf1098c6.exe
Resource: win10v2004-20240419-en
General

Target: 59d0282fcb01a6735aca82dfaf1098c6.exe
Size: 4.3MB
MD5: 59d0282fcb01a6735aca82dfaf1098c6
SHA1: affbbb62e498264858f37b6b540e952371a17831
SHA256: 844e22dd38a08217c64322ee018ea293ede53e660b79e841417b78ec8a28d0e9
SHA512: 4449b3b6408fe112197f7b9405ba24eaaab294d13c661f3386b97fb0332c8bfba6c2daec8ec023a24732f55b330fc46b9ec93585a074e64bbb2aecd1e539f510
SSDEEP: 98304:lfgl8Ig4nttHq4oaU/7jigBljWiqSmhJQ62W/ok6f/R4H6:l4KIJtaFBwiqhJSW/le/u6
Malware Config

Extracted: stealc
- http://193.163.7.88
- url_path: /a69d09b357e06b52.php
Signatures

Detects HijackLoader (aka IDAT Loader) (2 IoCs)
- behavioral1/memory/2128-0-0x0000000000400000-0x000000000085D000-memory.dmp  yara_rule: family_hijackloader
- behavioral1/memory/2128-1-0x0000000000400000-0x000000000085D000-memory.dmp  yara_rule: family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.

Downloads MZ/PE file

Deletes itself (1 IoC)
- PID 2528 cmd.exe

Executes dropped EXE (2 IoCs)
- PID 2724 ptInst.exe
- PID 2688 ptInst.exe

Loads dropped DLL (8 IoCs)
- PID 2128 59d0282fcb01a6735aca82dfaf1098c6.exe
- PID 2724 ptInst.exe (4 entries)
- PID 2688 ptInst.exe (3 entries)

Suspicious use of SetThreadContext (1 IoC)
- PID 2688 ptInst.exe set thread context of PID 2528 (procid_target 30)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)

Delays execution with timeout.exe (1 IoC)
- PID 1812 timeout.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 2128 59d0282fcb01a6735aca82dfaf1098c6.exe (2 entries)
- PID 2724 ptInst.exe
- PID 2688 ptInst.exe (2 entries)
- PID 2528 cmd.exe (2 entries)
- PID 2484 explorer.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
- PID 2688 ptInst.exe
- PID 2528 cmd.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2128 59d0282fcb01a6735aca82dfaf1098c6.exe (2 entries)

Suspicious use of WriteProcessMemory (26 IoCs)
- PID 2128 59d0282fcb01a6735aca82dfaf1098c6.exe wrote to memory of PID 2724 (procid_target 28; 4 entries)
- PID 2724 ptInst.exe wrote to memory of PID 2688 (procid_target 29; 4 entries)
- PID 2688 ptInst.exe wrote to memory of PID 2528 (procid_target 30; 5 entries)
- PID 2528 cmd.exe wrote to memory of PID 2484 (procid_target 32; 5 entries)
- PID 2484 explorer.exe wrote to memory of PID 1772 (procid_target 34; 4 entries)
- PID 1772 cmd.exe wrote to memory of PID 1812 (procid_target 36; 4 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\59d0282fcb01a6735aca82dfaf1098c6.exe (PID 2128)
    Command line: "C:\Users\Admin\AppData\Local\Temp\59d0282fcb01a6735aca82dfaf1098c6.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\ClientAdvanced\ptInst.exe (PID 2724)
      Command line: C:\Users\Admin\AppData\Local\Temp\ClientAdvanced\ptInst.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\ClientAdvanced\ptInst.exe (PID 2688)
        Command line: C:\Users\Admin\AppData\Roaming\ClientAdvanced\ptInst.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe (PID 2528)
          Command line: C:\Windows\SysWOW64\cmd.exe
          - Deletes itself
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\explorer.exe (PID 2484)
            Command line: C:\Windows\SysWOW64\explorer.exe
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\cmd.exe (PID 1772)
              Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "" & del "C:\ProgramData\*.dll"" & exit
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\SysWOW64\timeout.exe (PID 1812)
                Command line: timeout /t 5
                - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 21KB
MD5: 29f6c4f91ce2b44f486bbce6def932cb
SHA1: 95ebce2fe07a1b06a06629f0802e7446018aa27b
SHA256: e3dffe5b2a016857b8c88c5ff26de88407abddd4798f88a471fbefdfa78dc444
SHA512: a64e8af53fa14c214ddfc3c1f99afc2c85d05f81600bfdc5fcdb9ce6020b424e6bf13e691bead156e1d8dfd06ceb64fe84eaa2d5e99c4864990c0818d4a1756f

File 2
Filesize: 728KB
MD5: 4a7346dd4450e84537d71a470b338de7
SHA1: 9ab5865860693f8b28838a5cdfd014eb349fe493
SHA256: 98aab00d5269d87dd59eb99f260b83d0fa629f90ef9d4ec7403b2ddccffe849e
SHA512: 8e184133efcc0d778e06be362f94fd29a7cc83d925b25388608640e35e860ee40041e035fbb0a9b6966c11e52898eab1e86f471d11da5ab92fb5e70353c0c365

File 3
Filesize: 861KB
MD5: 55c0ded34c642c3553d37316e365a892
SHA1: 1dec8c628d6dc889c78b8139cfa72f5b247a18b6
SHA256: de16978f3e2ed51198c270125c9e0e31ccbea9a078e3576616985fc010d2eb41
SHA512: 5397686103af8e904166d6ab5d054551a7b91d27eec27408504b9404d8a84d33b0d724fc745fbef85eeb732b795851d14664c3169655b3926497455702df091c

File 4
Filesize: 590KB
MD5: a9ae0aaf4c69050690dafe14483ad700
SHA1: 8a9891a8bb735df5ccd6a015095bcfd9ca354f5c
SHA256: f5264200774c76d2d2010c7bc942e5cc9343fc4ab13acbace033941b25a0a7d5
SHA512: 1e53f0affc4e63e137c70d1607ed3212f49bbbb26313c0e490399e71546f72bfe79d5652088fcdfadb312cc791b8227756a238e9248b6fca869f3081a702497c

File 5
Filesize: 427KB
MD5: 71a0aa2d05e9174cefd568347bd9c70f
SHA1: cb9247a0fa59e47f72df7d1752424b33a903bbb2
SHA256: fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47
SHA512: 6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

File 6
Filesize: 938KB
MD5: b15bac961f62448c872e1dc6d3931016
SHA1: 1dcb61babb08fe5db711e379cb67335357a5db82
SHA256: bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5
SHA512: 932119f7dc6710239481c80ad8baaed5c14a2085fcc514b6522671b1a4ebbaf488e43453f11d5aaf6dcef7a245db8de44d93ff255f7cf8385b7d00f31f2cc370

File 7
Filesize: 81KB
MD5: 16b26bc43943531d7d7e379632ed4e63
SHA1: 565287de39649e59e653a3612478c2186096d70a
SHA256: 346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517
SHA512: b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc