Analysis
- max time kernel: 79s
- max time network: 70s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-05-2024 07:46
Behavioral task: behavioral1
- Sample: 59d0282fcb01a6735aca82dfaf1098c6.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 59d0282fcb01a6735aca82dfaf1098c6.exe
- Resource: win10v2004-20240419-en
General
- Target: 59d0282fcb01a6735aca82dfaf1098c6.exe
- Size: 4.3MB
- MD5: 59d0282fcb01a6735aca82dfaf1098c6
- SHA1: affbbb62e498264858f37b6b540e952371a17831
- SHA256: 844e22dd38a08217c64322ee018ea293ede53e660b79e841417b78ec8a28d0e9
- SHA512: 4449b3b6408fe112197f7b9405ba24eaaab294d13c661f3386b97fb0332c8bfba6c2daec8ec023a24732f55b330fc46b9ec93585a074e64bbb2aecd1e539f510
- SSDEEP: 98304:lfgl8Ig4nttHq4oaU/7jigBljWiqSmhJQ62W/ok6f/R4H6:l4KIJtaFBwiqhJSW/le/u6
Malware Config
Extracted
- Family: stealc
- C2: http://193.163.7.88
- url_path: /a69d09b357e06b52.php
Signatures

Detects HijackLoader (aka IDAT Loader) (2 IoCs)
- resource behavioral2/memory/2036-0-0x0000000000400000-0x000000000085D000-memory.dmp, yara_rule family_hijackloader
- resource behavioral2/memory/2036-1-0x0000000000400000-0x000000000085D000-memory.dmp, yara_rule family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.

Deletes itself (1 IoC)
- pid 2900, process cmd.exe

Executes dropped EXE (2 IoCs)
- pid 3608, process ptInst.exe
- pid 3332, process ptInst.exe

Loads dropped DLL (10 IoCs)
- pid 3608, process ptInst.exe (6 entries)
- pid 3332, process ptInst.exe (4 entries)

Suspicious use of SetThreadContext (1 IoC)
- PID 3332 (ptInst.exe) set thread context of 2900, procid_target 86

Program crash (1 IoC)
- pid 3708, pid_target 1332, process WerFault.exe, procid_target 90

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
- pid 2036, process 59d0282fcb01a6735aca82dfaf1098c6.exe (2 entries)
- pid 3608, process ptInst.exe
- pid 3332, process ptInst.exe (2 entries)
- pid 2900, process cmd.exe (2 entries)
- pid 1332, process explorer.exe (2 entries)

Suspicious behavior: MapViewOfSection (2 IoCs)
- pid 3332, process ptInst.exe
- pid 2900, process cmd.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 2036, process 59d0282fcb01a6735aca82dfaf1098c6.exe (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 2036 (59d0282fcb01a6735aca82dfaf1098c6.exe) wrote to memory of 3608, procid_target 84 (3 entries)
- PID 3608 (ptInst.exe) wrote to memory of 3332, procid_target 85 (3 entries)
- PID 3332 (ptInst.exe) wrote to memory of 2900, procid_target 86 (4 entries)
- PID 2900 (cmd.exe) wrote to memory of 1332, procid_target 90 (5 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\59d0282fcb01a6735aca82dfaf1098c6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\59d0282fcb01a6735aca82dfaf1098c6.exe"
  PID: 2036
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ClientAdvanced\ptInst.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ClientAdvanced\ptInst.exe
      PID: 3608
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\ClientAdvanced\ptInst.exe
          Command line: C:\Users\Admin\AppData\Roaming\ClientAdvanced\ptInst.exe
          PID: 3332
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\SysWOW64\cmd.exe
              PID: 2900
              - Deletes itself
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\explorer.exe
                  Command line: C:\Windows\SysWOW64\explorer.exe
                  PID: 1332
                  - Checks processor information in registry
                  - Suspicious behavior: EnumeratesProcesses
                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1400
                      PID: 3708
                      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332
  PID: 2064
Network
MITRE ATT&CK Enterprise v15
Downloads