hijackloader | 2018909ea853d972659d1dee439da81b963d8addb44c87ed533ca6320112cac1

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63079f34-b294-4790-bfd5-bbad82995295/snss2.exe
Size

5.3MB
MD5

9e2eb8188c5a194014e46598cbc80c70
SHA1

d83d68b451836928c830808a9e408c8f2cce2210
SHA256

d265adb64a79f3b27e77e11e093342b2df14840266deedabf1189bc539cc58fb
SHA512

3ff5fa8c0f1eb5bd7bf46a5a27392fb0865d61d8c09549f9d7f29306e30275a5b3436c520f82142dc7d3780c468aab2e7c79361457f7c5aa11a132c1ec49c009
SSDEEP

98304:PlW75lC85H0kxwkL+Wd5Cz1ljuDDCNlSM:Pwhr+45CzvjBlh

Score

10^/10

hijackloader rhadamanthys loader stealer

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral4/memory/4492-0-0x00007FF6F4A80000-0x00007FF6F4FF6000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2900 created 2812	2900	explorer.exe	49

Deletes itself 1 IoCs

pid	Process
1112	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4492 set thread context of 1112	4492	snss2.exe	84

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4492	snss2.exe
4492	snss2.exe
1112	cmd.exe
1112	cmd.exe
2900	explorer.exe
2900	explorer.exe
68	dialer.exe
68	dialer.exe
68	dialer.exe
68	dialer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4492	snss2.exe
1112	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 1112	4492	snss2.exe	84
PID 4492 wrote to memory of 1112	4492	snss2.exe	84
PID 4492 wrote to memory of 1112	4492	snss2.exe	84
PID 4492 wrote to memory of 1112	4492	snss2.exe	84
PID 1112 wrote to memory of 2900	1112	cmd.exe	87
PID 1112 wrote to memory of 2900	1112	cmd.exe	87
PID 1112 wrote to memory of 2900	1112	cmd.exe	87
PID 1112 wrote to memory of 2900	1112	cmd.exe	87
PID 2900 wrote to memory of 68	2900	explorer.exe	91
PID 2900 wrote to memory of 68	2900	explorer.exe	91
PID 2900 wrote to memory of 68	2900	explorer.exe	91
PID 2900 wrote to memory of 68	2900	explorer.exe	91
PID 2900 wrote to memory of 68	2900	explorer.exe	91

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2812
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:68

C:\Users\Admin\AppData\Local\Temp\63079f34-b294-4790-bfd5-bbad82995295\snss2.exe
"C:\Users\Admin\AppData\Local\Temp\63079f34-b294-4790-bfd5-bbad82995295\snss2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aa0098db

Filesize
1.0MB

MD5
1a031562036132e6daab9484f428f496

SHA1
d4f60033cccf94b37de79b8267b1530e31c96d9a

SHA256
b378831c3458fc9257deab59bec49c4b62b701c14a078a7992da2419f91d929f

SHA512
18090541a74be8c5e19132f3a4d13cabbc6c21d9ec764a79d4a83aa959556dd2e16061b3da25508412d7ad279d9dc93aca42d7b3d07d234c13d29aafe724341c

Download Submit
memory/68-21-0x0000000000490000-0x0000000000499000-memory.dmp

Filesize
36KB

Download
memory/68-25-0x0000000002350000-0x0000000002750000-memory.dmp

Filesize
4.0MB

Download
memory/68-28-0x00000000765C0000-0x00000000767D5000-memory.dmp

Filesize
2.1MB

Download
memory/68-26-0x00007FFA0D7F0000-0x00007FFA0D9E5000-memory.dmp

Filesize
2.0MB

Download
memory/1112-29-0x000000007562E000-0x0000000075630000-memory.dmp

Filesize
8KB

Download
memory/1112-6-0x00007FFA0D7F0000-0x00007FFA0D9E5000-memory.dmp

Filesize
2.0MB

Download
memory/1112-8-0x000000007562E000-0x0000000075630000-memory.dmp

Filesize
8KB

Download
memory/1112-7-0x0000000075620000-0x000000007579B000-memory.dmp

Filesize
1.5MB

Download
memory/1112-9-0x0000000075620000-0x000000007579B000-memory.dmp

Filesize
1.5MB

Download
memory/1112-11-0x0000000075620000-0x000000007579B000-memory.dmp

Filesize
1.5MB

Download
memory/2900-12-0x0000000000600000-0x000000000066F000-memory.dmp

Filesize
444KB

Download
memory/2900-14-0x0000000000600000-0x000000000066F000-memory.dmp

Filesize
444KB

Download
memory/2900-16-0x0000000003F20000-0x0000000004320000-memory.dmp

Filesize
4.0MB

Download
memory/2900-17-0x0000000003F20000-0x0000000004320000-memory.dmp

Filesize
4.0MB

Download
memory/2900-20-0x00000000765C0000-0x00000000767D5000-memory.dmp

Filesize
2.1MB

Download
memory/2900-13-0x00007FFA0D7F0000-0x00007FFA0D9E5000-memory.dmp

Filesize
2.0MB

Download
memory/2900-23-0x0000000000600000-0x000000000066F000-memory.dmp

Filesize
444KB

Download
memory/4492-1-0x00007FF6F4DBF000-0x00007FF6F4DC5000-memory.dmp

Filesize
24KB

Download
memory/4492-3-0x00007FF9EF6F0000-0x00007FF9EF862000-memory.dmp

Filesize
1.4MB

Download
memory/4492-2-0x00007FF9EF6F0000-0x00007FF9EF862000-memory.dmp

Filesize
1.4MB

Download
memory/4492-0-0x00007FF6F4A80000-0x00007FF6F4FF6000-memory.dmp

Filesize
5.5MB

Download