hijackloader | 6b953bd9494e5f61c1ede1ec264bf6df54911c4edefecd2eda3fb11fdbd10785

Analysis

max time kernel
138s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aca5b2387c10786a2306a98166581a60_NEIKI.exe
Size

758KB
MD5

aca5b2387c10786a2306a98166581a60
SHA1

3338f237b591b0775b45dcfab61ca79dc696a098
SHA256

6b953bd9494e5f61c1ede1ec264bf6df54911c4edefecd2eda3fb11fdbd10785
SHA512

91146233039cdc73979930bc77405d0f3f21176c1399f8cae87e2e1425da015255f6a66857a76538e165c4ec2ae75587e70229818e1039d9c592721a0141b457
SSDEEP

12288:KUZy93y/u81hwyayMUx9XZ0rajhHCYdzyU1WjTA1Ax9Ctn:KUZKyuwLayTor+NyRjk1Me

Score

10^/10

hijackloader sectoprat bootkit loader persistence rat spyware trojan

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233f8-79.dat	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1532-144-0x0000000001300000-0x00000000013D2000-memory.dmp	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4596 created 3476	4596	aca5b2387c10786a2306a98166581a60_NEIKI.exe	56

Executes dropped EXE 1 IoCs

pid	Process
4512	XWin_MobaX_1.16.3.exe

Loads dropped DLL 17 IoCs

pid	Process
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe
4512	XWin_MobaX_1.16.3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aca5b2387c10786a2306a98166581a60_NEIKI.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4512 set thread context of 2500	4512	XWin_MobaX_1.16.3.exe	94
PID 2500 set thread context of 1532	2500	cmd.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4596	aca5b2387c10786a2306a98166581a60_NEIKI.exe
4596	aca5b2387c10786a2306a98166581a60_NEIKI.exe
4512	XWin_MobaX_1.16.3.exe
2500	cmd.exe
2500	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4512	XWin_MobaX_1.16.3.exe
2500	cmd.exe
2500	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	MSBuild.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4512	4596	aca5b2387c10786a2306a98166581a60_NEIKI.exe	93
PID 4596 wrote to memory of 4512	4596	aca5b2387c10786a2306a98166581a60_NEIKI.exe	93
PID 4596 wrote to memory of 4512	4596	aca5b2387c10786a2306a98166581a60_NEIKI.exe	93
PID 4512 wrote to memory of 2500	4512	XWin_MobaX_1.16.3.exe	94
PID 4512 wrote to memory of 2500	4512	XWin_MobaX_1.16.3.exe	94
PID 4512 wrote to memory of 2500	4512	XWin_MobaX_1.16.3.exe	94
PID 4512 wrote to memory of 2500	4512	XWin_MobaX_1.16.3.exe	94
PID 2500 wrote to memory of 1532	2500	cmd.exe	102
PID 2500 wrote to memory of 1532	2500	cmd.exe	102
PID 2500 wrote to memory of 1532	2500	cmd.exe	102
PID 2500 wrote to memory of 1532	2500	cmd.exe	102
PID 2500 wrote to memory of 1532	2500	cmd.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\aca5b2387c10786a2306a98166581a60_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\aca5b2387c10786a2306a98166581a60_NEIKI.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4596
- C:\Users\Admin\AppData\Roaming\winhttpcom\XWin_MobaX_1.16.3.exe
  C:\Users\Admin\AppData\Roaming\winhttpcom\XWin_MobaX_1.16.3.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c833d240

Filesize
1.5MB

MD5
25684968e7ada8a2f2be03f90bd0b1a0

SHA1
ac3966afb7bb99f949d1961de500f32973a43c3c

SHA256
66d61c9fcf47605f8d5771252e136902ffee879f4b1f76a222fbb3bede1050e1

SHA512
8f62b079aa9b8abf0fbb301b78de3337bbb0b3d11730b0292cd5115a3ccc4f29befb64c4cf91aa9ba30fc3d11e3a28284f4632a961ded76be325d98ea044bc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4CA6.tmp

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4CD8.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\XWin_MobaX_1.16.3.exe

Filesize
3.2MB

MD5
848b72279f1fd742d52455627d14d4a9

SHA1
d199dca7314f72e0ecaba485cbdec076648449f0

SHA256
35132e05638b942403b8a813925de7b54e2e2e35b6ba7a8a081e8b96edd4c0aa

SHA512
61d15ca4bec54b2d1cf065bd4a69d3bfbf84e557643c7ce929ed5520d3548dc373f43707a25dc5df50a8a456236020b20adbeb4e7d0ed0a05c69e22312f33c83

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\faltboat.dxf

Filesize
1.2MB

MD5
e36b5a2a0a4125fac71bab2831c66529

SHA1
a980a02dec09f2e53214fb4a3af614fe1d2affbe

SHA256
098bc1bbe770dabe179d32bd9a452c557e6d6b8bc7a127159f61a184b9d8dab5

SHA512
65322ae2a5f9a0be89d9fc52d3c5d884c60237d5cd7e8e67b4c497db4f8af734c70086fcfd115826faa2c5a3a26e03b23dc5ea2656f7e80997d021a28de59b4c

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libX11-6.dll

Filesize
1.2MB

MD5
3cd9af46753f2a618d15157372d0d2bc

SHA1
f2a1781b1a6d33338db4d9725b28f15d8a410903

SHA256
497471497886f18ca16f7facab7d76dc9bfadd69deb9c6e4ea9bdc0869a15628

SHA512
925097106554f6eac698ba933e32fb82c1405c7ccfe284b27f1558e9ab46139506b1e981721aeafaf2e0d595dbdfce3587c4056c6920fdffb0b2f2bdbdcdb38d

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libX11-xcb-1.dll

Filesize
15KB

MD5
2b781f4138e302cde8e6e488c1899a86

SHA1
b85bc2641fae42a27a159d3bd74f44b3565eb434

SHA256
6a3ebeb389b54015a447b11bcf07348250b530a8ce142bf4e99fe8f1c030caa3

SHA512
00a7cdb52ff396552cdf9f14f30cd2e5c3a0713c69b18ecea9aeb96049cba1eaa47022c23157fb5b175c8b3968e1d85d89f72876ba5cfcd97e77492ce2eb03c1

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libXau-6.dll

Filesize
20KB

MD5
b6f0655bed934503621fcf94ba449a19

SHA1
f0a5d9eefff5f3bcd2e23b9db748c50cffc1c6e8

SHA256
0da1f856d92d6b95f10ed8c3f629cd15468c906de9352fb4ae629139d1412eed

SHA512
77a10ae1748e5d76288c59933f3f41d4dc7a690b1f2bc9bff0b761f9f2c5331f868dc0259ffe4c4672e1806c33f3f9d0fe0a8b09b10e06333d2590f623c5b284

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libXdmcp-6.dll

Filesize
28KB

MD5
7d4f4d3bc6ab6c3ea2097a7ecd018728

SHA1
2434fbad089ac85eda43c0b0e911ab437b4dfe63

SHA256
7705851ba047a8154402aca92621b60be0e0e9d9b52b19bf8be540305bd53dba

SHA512
f9b64cbcd7c7c7b4e942c3da74fb280762d038f974fc23d1e0431b15787aefc87464cda121aa8fccf499af46e345dd65aa5fb5cfee1cb45dba6e5dd79b01a1d8

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libXfont-1.dll

Filesize
174KB

MD5
6a47427b646f556621917a93b9dbabb1

SHA1
47ebf94eb7b00e920c00d7b5034388f796237d2b

SHA256
b6553159c0c33efd882fc030add02b2622e9e49f8f0574a1f82d6bca4f60d99c

SHA512
9670a62af9c1c34fef1dc563d8f6a44fdaf276246d8154d626852be2b1b9f4119f0468b0acc7718c88feca48b9dfbd9e9f0d9372dad72c0c0eb63f5ce6119730

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libdl.dll

Filesize
17KB

MD5
ed925bdab51f49813686b62eb82fb4a4

SHA1
bc7c742b92a5b47089e0b400a8a80bb217e775fe

SHA256
e1646c7778c24407a17881908037a49ecfcb5a980d155212d544302653a3ef62

SHA512
5be99a6b0e2091fe37ff50d5a9c4fa789db27b5ba108801e4d18e99ae584ae1bc91ba3339916dff8a323155815e660f43ca54ffcc7c14c1e3f90600aedb54bd8

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libfontenc-1.dll

Filesize
31KB

MD5
0886859eb6bc88c13797ae668fa74998

SHA1
d00c0f848174895000d5d1fc40e35cf6f9c56e18

SHA256
cacc9c998d90264e088844ffd7a8a9439de706cdf17d6bbfde14c0609ef96aa7

SHA512
7cfff08756c6fb294d6225e28944590638b43a7131667b1de13a150ad18cf1db155a93e80053d234824dd452b00aa98576be58fd870e04451c2259736680c30c

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libgcc_s_dw2-1.dll

Filesize
114KB

MD5
d35376c0d447108b2f9d64d4c40014f8

SHA1
c68129e8bf6cdaaa318c5aad8974efbc2b7ce39a

SHA256
c7544e1f9927afdf6e8cd7063020b572e60fe8f00af39227eb831d331df38225

SHA512
c46af0bbd3bca6e12125750a5b1ca4f17f85f84729b1c1c01ee76de3704bcdb090212202cf449458833f8ee92e9a46c8758cbd069747de534e2984dccbe9f24d

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libwinpthread-1.dll

Filesize
96KB

MD5
c6e473bbed2fa26953bebfdd0b66419f

SHA1
226e16684e02c6331f7ee82d02d058e2c55f8ba5

SHA256
620a7e658af05cc848091b8a639854b9b15700a9061b4a3d078523653133a4af

SHA512
277419eafcec04618304f19b8b5b4aa55e0233fd6118d92a41d51447f210be382aac9098f3476b9d5891ec180c4d3450fa556705e6cd0e6e2b414097860f0e9b

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libxcb-1.dll

Filesize
132KB

MD5
dd32258ff91ef581b9bf08dc0e3d40de

SHA1
958899133d0c097d0c8c58212ec793a6beb1c4d0

SHA256
76512596fecc3344cb5b6784bd3ebcd070f933f8eaeea37374538bd028e3d0c6

SHA512
e47996624f86f0d6caa93629605c9c27292f2cd81f148eb658f1d5fb2993aac0a222e7a6e6104b77a68246ecccf89cee75d25e092cd58f2f919447ae4fc963d7

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libxcb-image-0.dll

Filesize
25KB

MD5
a3718d24f0e6eae9d6121a1219381ae9

SHA1
a3377f64d8fb6162f6280d3d924626c1fc6a2fe7

SHA256
cb220267fb0116b298bab6a09a764420d630c52026f7d750f8ffca4818389327

SHA512
43f9c760be222490d43cbd9589b4afbc64759919993a1957a13a753cfcc9d94059dba0b5400a745c377c7bea1f02f4f8f6f952bee5b7ed33f6a49efaec62e9f6

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libxcb-shm-0.dll

Filesize
19KB

MD5
557ed85a1d8a3308e552a77a9902e8cf

SHA1
a9acf7a1db500a734e95038b29c0bd90f7af59e7

SHA256
e102c9c5b22ceb60dc516ab4124bea8ec8e808b08eec48ea7ac674d13fca82ef

SHA512
110acfc0b886a1ff77b5452e2f813213630ba2eb4610e06942a59da78e516e05893b049c0d1ddcc077ebabb3a9490cf84fb41f31b62822c9365b60a1b38fd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\libxcb-util-1.dll

Filesize
23KB

MD5
ee6788d3d3750421e01519a27f86634e

SHA1
48f4c7dc7bd1208f07e4176e78f035d36682d687

SHA256
b5acf358ff97127eac9ef4c664a980b937376b5295ef23d77ee338225de10d60

SHA512
12ef0ac4cf9c8461044317e693bcfabdb4beb34a222b635ba50f6652b5a91b92ff20cb19e916ac60dca3e8314b7d8cec710a1c730374bb8f260b8d94f57c9775

Download Submit
C:\Users\Admin\AppData\Roaming\winhttpcom\zlib1.dll

Filesize
90KB

MD5
7e507af32ca219d2f832cf8d90ca805b

SHA1
4eb56c6f4184efc5a6bb5c7cab46547cfa769744

SHA256
3668c6749db59a6cbc5293d0a4f904f76d6fb5048704449dd53894916f408a57

SHA512
d19c6a0a0798db42490631aa9e30da4200e0b687250daa5ec8bcfe68ae2589a523adeacb6c77544488ddc7610fa84be7477a92c2a27605537a0caec2449c87f1

Download Submit
memory/1532-150-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/1532-151-0x0000000006170000-0x00000000061C0000-memory.dmp

Filesize
320KB

Download
memory/1532-152-0x0000000006230000-0x0000000006296000-memory.dmp

Filesize
408KB

Download
memory/1532-171-0x0000000000F70000-0x0000000000F82000-memory.dmp

Filesize
72KB

Download
memory/1532-172-0x0000000001830000-0x000000000186C000-memory.dmp

Filesize
240KB

Download
memory/1532-149-0x0000000006FB0000-0x00000000074DC000-memory.dmp

Filesize
5.2MB

Download
memory/1532-148-0x00000000064D0000-0x0000000006A74000-memory.dmp

Filesize
5.6MB

Download
memory/1532-147-0x0000000005950000-0x00000000059C6000-memory.dmp

Filesize
472KB

Download
memory/1532-146-0x0000000005D50000-0x0000000005F12000-memory.dmp

Filesize
1.8MB

Download
memory/1532-145-0x00000000059F0000-0x0000000005A82000-memory.dmp

Filesize
584KB

Download
memory/1532-144-0x0000000001300000-0x00000000013D2000-memory.dmp

Filesize
840KB

Download
memory/2500-138-0x00000000735B0000-0x000000007372B000-memory.dmp

Filesize
1.5MB

Download
memory/2500-132-0x00000000735B0000-0x000000007372B000-memory.dmp

Filesize
1.5MB

Download
memory/2500-141-0x00000000735B0000-0x000000007372B000-memory.dmp

Filesize
1.5MB

Download
memory/4512-87-0x000000006DC20000-0x000000006DC48000-memory.dmp

Filesize
160KB

Download
memory/4512-115-0x00000000735B0000-0x000000007372B000-memory.dmp

Filesize
1.5MB

Download
memory/4512-88-0x000000006C370000-0x000000006C4B3000-memory.dmp

Filesize
1.3MB

Download
memory/4512-82-0x00000000735B0000-0x000000007372B000-memory.dmp

Filesize
1.5MB

Download
memory/4512-86-0x000000006C4C0000-0x000000006C4CC000-memory.dmp

Filesize
48KB

Download
memory/4512-83-0x0000000000400000-0x000000000074B000-memory.dmp

Filesize
3.3MB

Download
memory/4512-84-0x000000006E010000-0x000000006E02C000-memory.dmp

Filesize
112KB

Download
memory/4512-80-0x00000000735B0000-0x000000007372B000-memory.dmp

Filesize
1.5MB

Download
memory/4512-81-0x00007FFCD6B70000-0x00007FFCD6D65000-memory.dmp

Filesize
2.0MB

Download
memory/4512-89-0x000000006DC50000-0x000000006DC5D000-memory.dmp

Filesize
52KB

Download
memory/4512-93-0x000000006DFD0000-0x000000006DFF3000-memory.dmp

Filesize
140KB

Download
memory/4512-90-0x000000006DBF0000-0x000000006DBFE000-memory.dmp

Filesize
56KB

Download
memory/4512-92-0x000000006DB60000-0x000000006DB93000-memory.dmp

Filesize
204KB

Download
memory/4512-91-0x000000006DBC0000-0x000000006DBCF000-memory.dmp

Filesize
60KB

Download
memory/4512-94-0x000000006DBD0000-0x000000006DBDE000-memory.dmp

Filesize
56KB

Download
memory/4512-95-0x000000006DBE0000-0x000000006DBED000-memory.dmp

Filesize
52KB

Download
memory/4512-96-0x000000006E000000-0x000000006E00F000-memory.dmp

Filesize
60KB

Download
memory/4512-97-0x000000006DAB0000-0x000000006DACE000-memory.dmp

Filesize
120KB

Download
memory/4512-85-0x000000006DDC0000-0x000000006DDE0000-memory.dmp

Filesize
128KB

Download
memory/4596-9-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4596-13-0x00000000735B0000-0x000000007372B000-memory.dmp

Filesize
1.5MB

Download
memory/4596-114-0x00000000735B0000-0x000000007372B000-memory.dmp

Filesize
1.5MB

Download
memory/4596-113-0x00000000735C2000-0x00000000735C3000-memory.dmp

Filesize
4KB

Download
memory/4596-45-0x00000000735B0000-0x000000007372B000-memory.dmp

Filesize
1.5MB

Download
memory/4596-44-0x00000000735C2000-0x00000000735C3000-memory.dmp

Filesize
4KB

Download
memory/4596-11-0x00007FFCD6B70000-0x00007FFCD6D65000-memory.dmp

Filesize
2.0MB

Download
memory/4596-10-0x00000000735B0000-0x000000007372B000-memory.dmp

Filesize
1.5MB

Download