hijackloader | 9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7

General

Target

LisectAVT_2403002A_206.exe
Size

2.3MB
MD5

e585f3a248e9df2acd69bd1ccab87933
SHA1

63d8b10e143b1189cbd39a97866ada23ed0515e7
SHA256

9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7
SHA512

c8dd113c0981f999fc23a63eadd2f8b3f3921b6a565479f2a2f1600d2fb7495a8288303d8eb6e7e3b28c4687242f8856a37c39a9da90accde8a1e4d018e244ee
SSDEEP

49152:KJfe3owTB0iX39aF7VnwFmvS/5pvXTOyPC3j5gMYKuQ7CzS3vv3jirr3jjWiTaOw:KNe3owTB0iX3gFtwFmvS/3PTNaTbuVz7

Score

10^/10

hijackloader discovery evasion loader

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2040-11-0x00000000009F0000-0x0000000000C74000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

LisectAVT_2403002A_206.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine	LisectAVT_2403002A_206.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	LisectAVT_2403002A_206.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

LisectAVT_2403002A_206.execmd.exe

description	pid	process	target process
PID 2040 set thread context of 3064	2040	LisectAVT_2403002A_206.exe	cmd.exe
PID 3064 set thread context of 3856	3064	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LisectAVT_2403002A_206.execmd.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002A_206.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

LisectAVT_2403002A_206.execmd.exe

pid process

2040 LisectAVT_2403002A_206.exe
2040 LisectAVT_2403002A_206.exe
3064 cmd.exe
3064 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

LisectAVT_2403002A_206.execmd.exe

pid process

2040 LisectAVT_2403002A_206.exe
3064 cmd.exe
3064 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 3856 MSBuild.exe

pid	process
2040	LisectAVT_2403002A_206.exe
2040	LisectAVT_2403002A_206.exe
3064	cmd.exe
3064	cmd.exe

pid	process
2040	LisectAVT_2403002A_206.exe
3064	cmd.exe
3064	cmd.exe

description	pid	process
Token: SeDebugPrivilege	3856	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

LisectAVT_2403002A_206.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 3064	2040	LisectAVT_2403002A_206.exe	cmd.exe
PID 2040 wrote to memory of 3064	2040	LisectAVT_2403002A_206.exe	cmd.exe
PID 2040 wrote to memory of 3064	2040	LisectAVT_2403002A_206.exe	cmd.exe
PID 2040 wrote to memory of 3064	2040	LisectAVT_2403002A_206.exe	cmd.exe
PID 3064 wrote to memory of 3856	3064	cmd.exe	MSBuild.exe
PID 3064 wrote to memory of 3856	3064	cmd.exe	MSBuild.exe
PID 3064 wrote to memory of 3856	3064	cmd.exe	MSBuild.exe
PID 3064 wrote to memory of 3856	3064	cmd.exe	MSBuild.exe
PID 3064 wrote to memory of 3856	3064	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_206.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_206.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4cec9ee6
Filesize
710KB

MD5
a2b7760573b58fa8495efa758e950359

SHA1
fbfa387952204454ff3f3fcf7ba4996009ef4e84

SHA256
ae437188b4a29d660aaab0a83ee3c7c1b2e810a76eade42ba627aff539de224c

SHA512
3b6dd8ad760cb483cf47da4477c78def672faf8a3c5a66654bcce437020b4922a34c83bd4faf3827347fb6f38fa691cb99d57027afa497cc67f13fa362444a5e

Download Submit
memory/2040-12-0x0000000073890000-0x0000000073A0B000-memory.dmp

Filesize
1.5MB

Download
memory/2040-13-0x00007FFA7BC90000-0x00007FFA7BE85000-memory.dmp

Filesize
2.0MB

Download
memory/2040-14-0x00000000738A2000-0x00000000738A3000-memory.dmp

Filesize
4KB

Download
memory/2040-15-0x0000000073890000-0x0000000073A0B000-memory.dmp

Filesize
1.5MB

Download
memory/2040-16-0x0000000073890000-0x0000000073A0B000-memory.dmp

Filesize
1.5MB

Download
memory/2040-11-0x00000000009F0000-0x0000000000C74000-memory.dmp

Filesize
2.5MB

Download
memory/3064-23-0x0000000073890000-0x0000000073A0B000-memory.dmp

Filesize
1.5MB

Download
memory/3064-20-0x00007FFA7BC90000-0x00007FFA7BE85000-memory.dmp

Filesize
2.0MB

Download
memory/3064-22-0x0000000073890000-0x0000000073A0B000-memory.dmp

Filesize
1.5MB

Download
memory/3064-18-0x0000000073890000-0x0000000073A0B000-memory.dmp

Filesize
1.5MB

Download
memory/3064-26-0x0000000073890000-0x0000000073A0B000-memory.dmp

Filesize
1.5MB

Download
memory/3856-25-0x0000000072430000-0x0000000073684000-memory.dmp

Filesize
18.3MB

Download
memory/3856-29-0x00000000740AE000-0x00000000740AF000-memory.dmp

Filesize
4KB

Download
memory/3856-30-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/3856-31-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/3856-32-0x0000000005A00000-0x0000000005FA4000-memory.dmp

Filesize
5.6MB

Download
memory/3856-33-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/3856-34-0x00000000054F0000-0x00000000054FA000-memory.dmp

Filesize
40KB

Download
memory/3856-35-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads