hijackloader | 2018909ea853d972659d1dee439da81b963d8addb44c87ed533ca6320112cac1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63079f34-b294-4790-bfd5-bbad82995295/snss2.exe
Size

5.3MB
MD5

9e2eb8188c5a194014e46598cbc80c70
SHA1

d83d68b451836928c830808a9e408c8f2cce2210
SHA256

d265adb64a79f3b27e77e11e093342b2df14840266deedabf1189bc539cc58fb
SHA512

3ff5fa8c0f1eb5bd7bf46a5a27392fb0865d61d8c09549f9d7f29306e30275a5b3436c520f82142dc7d3780c468aab2e7c79361457f7c5aa11a132c1ec49c009
SSDEEP

98304:PlW75lC85H0kxwkL+Wd5Cz1ljuDDCNlSM:Pwhr+45CzvjBlh

Score

10^/10

hijackloader loader

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral3/memory/1548-0-0x0000000140000000-0x0000000140576000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader

Deletes itself 1 IoCs

pid	Process
1952	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 1952	1548	snss2.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1548	snss2.exe
1548	snss2.exe
1952	cmd.exe
1952	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1548	snss2.exe
1952	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1952	1548	snss2.exe	28
PID 1548 wrote to memory of 1952	1548	snss2.exe	28
PID 1548 wrote to memory of 1952	1548	snss2.exe	28
PID 1548 wrote to memory of 1952	1548	snss2.exe	28
PID 1548 wrote to memory of 1952	1548	snss2.exe	28
PID 1952 wrote to memory of 2080	1952	cmd.exe	30
PID 1952 wrote to memory of 2080	1952	cmd.exe	30
PID 1952 wrote to memory of 2080	1952	cmd.exe	30
PID 1952 wrote to memory of 2080	1952	cmd.exe	30
PID 1952 wrote to memory of 2080	1952	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\63079f34-b294-4790-bfd5-bbad82995295\snss2.exe
"C:\Users\Admin\AppData\Local\Temp\63079f34-b294-4790-bfd5-bbad82995295\snss2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:2080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8d4b6b1d

Filesize
1.0MB

MD5
5ea08d49372d2bee65590e4c785bad68

SHA1
b646a8674d44ca84494b82ad26b63623448ad36d

SHA256
965317fb4938d6a8e5679753ab19b7e5f6ec6bb520f9c4e901e420141f7b86a4

SHA512
ee7b4aab6b517f360bc60aba6adfb70c27caaf570c75b4a3484c865000b605f6cec096d0d09bf7b723a41f5fb4b7a566b960ca752582a407d244aaf5822e9df3

Download Submit
memory/1548-1-0x000000014033F000-0x0000000140345000-memory.dmp

Filesize
24KB

Download
memory/1548-0-0x0000000140000000-0x0000000140576000-memory.dmp

Filesize
5.5MB

Download
memory/1548-2-0x000007FEF5490000-0x000007FEF55E8000-memory.dmp

Filesize
1.3MB

Download
memory/1548-3-0x000007FEF5490000-0x000007FEF55E8000-memory.dmp

Filesize
1.3MB

Download
memory/1952-9-0x0000000074830000-0x00000000749A4000-memory.dmp

Filesize
1.5MB

Download
memory/1952-7-0x0000000074830000-0x00000000749A4000-memory.dmp

Filesize
1.5MB

Download
memory/1952-8-0x000000007483E000-0x0000000074840000-memory.dmp

Filesize
8KB

Download
memory/1952-6-0x0000000076FF0000-0x0000000077199000-memory.dmp

Filesize
1.7MB

Download
memory/1952-11-0x0000000074830000-0x00000000749A4000-memory.dmp

Filesize
1.5MB

Download
memory/1952-18-0x000000007483E000-0x0000000074840000-memory.dmp

Filesize
8KB

Download
memory/2080-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2080-13-0x0000000076FF0000-0x0000000077199000-memory.dmp

Filesize
1.7MB

Download
memory/2080-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2080-16-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/2080-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download