Analysis
max time kernel: 139s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-05-2024 13:46
Behavioral task: behavioral1
Sample: 807675A50EE7545E02DAEAC9822842B7.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 807675A50EE7545E02DAEAC9822842B7.exe
Resource: win10v2004-20240419-en
General
Target: 807675A50EE7545E02DAEAC9822842B7.exe
Size: 922KB
MD5: 807675a50ee7545e02daeac9822842b7
SHA1: 967094e1ef9155a031687396ba99855e54870612
SHA256: 2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88
SHA512: 12a928dc23e7fd03996e5d41d8fce1d091b0fa979d379e63e6e89d58440f8a21a809a646e1c6431eda68d71515e1aed06219c4f3d8c0c86e25724b1d6e5af5b4
SSDEEP: 24576:e8inPEBCZN5hoVlnJXzJ/SEVSoMAALia4:Dg5BuxF/SRF4
Malware Config
Extracted
Family: stealc
C2: http://193.163.7.88
url_path: /a69d09b357e06b52.php
Signatures
Detects HijackLoader (aka IDAT Loader) 1 IoCs
resource | yara_rule
behavioral2/memory/4636-0-0x00000000002E0000-0x00000000003C8000-memory.dmp | family_hijackloader
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
Downloads MZ/PE file
Deletes itself 1 IoCs
pid | Process
884 | cmd.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4636 set thread context of 884 | 4636 | 807675A50EE7545E02DAEAC9822842B7.exe | 85
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
1104 | timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4636 | 807675A50EE7545E02DAEAC9822842B7.exe
4636 | 807675A50EE7545E02DAEAC9822842B7.exe
884 | cmd.exe
884 | cmd.exe
3492 | explorer.exe
3492 | explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
4636 | 807675A50EE7545E02DAEAC9822842B7.exe
884 | cmd.exe
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 4636 wrote to memory of 884 | 4636 | 807675A50EE7545E02DAEAC9822842B7.exe | 85
PID 4636 wrote to memory of 884 | 4636 | 807675A50EE7545E02DAEAC9822842B7.exe | 85
PID 4636 wrote to memory of 884 | 4636 | 807675A50EE7545E02DAEAC9822842B7.exe | 85
PID 4636 wrote to memory of 884 | 4636 | 807675A50EE7545E02DAEAC9822842B7.exe | 85
PID 884 wrote to memory of 3492 | 884 | cmd.exe | 99
PID 884 wrote to memory of 3492 | 884 | cmd.exe | 99
PID 884 wrote to memory of 3492 | 884 | cmd.exe | 99
PID 884 wrote to memory of 3492 | 884 | cmd.exe | 99
PID 3492 wrote to memory of 1260 | 3492 | explorer.exe | 102
PID 3492 wrote to memory of 1260 | 3492 | explorer.exe | 102
PID 3492 wrote to memory of 1260 | 3492 | explorer.exe | 102
PID 1260 wrote to memory of 1104 | 1260 | cmd.exe | 104
PID 1260 wrote to memory of 1104 | 1260 | cmd.exe | 104
PID 1260 wrote to memory of 1104 | 1260 | cmd.exe | 104
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\807675A50EE7545E02DAEAC9822842B7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\807675A50EE7545E02DAEAC9822842B7.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID: 4636
Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\SysWOW64\cmd.exe
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID: 884
Depth 3: C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3492
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\SysWOW64\explorer.exe" & del "C:\ProgramData\*.dll"" & exit
- Suspicious use of WriteProcessMemory
PID: 1260
Depth 5: C:\Windows\SysWOW64\timeout.exe
Command line: timeout /t 5
- Delays execution with timeout.exe
PID: 1104
Downloads
Filesize: 861KB
MD5: 0a0544e78bf302abd28cc136200a2fbc
SHA1: b39295e16e852c0360a4af4bf9c181f9d3e1267a
SHA256: 669e28f238db743a92ae24c4e5046fc1cb356cd389cf849ed86669ac6779a059
SHA512: 60627e684d089c2607e73b102b25adedcc1f364ce76bcf9599348aa3e5f0e376b8791f7c64046ae0c742dd292e7b711bcffc0fb93ad94aea627ef8382947faa1