hijackloader | 78e428ffa6d4bbcd4306de8f487d58316193cf7e6f56fca39e32859c2920b782

General

Target

LisectAVT_2403002A_207.exe
Size

5.4MB
MD5

af0196851c9279e5260a065bb8f0303a
SHA1

9fc63107b27e24184e0b28a717639f6ba590ac3e
SHA256

78e428ffa6d4bbcd4306de8f487d58316193cf7e6f56fca39e32859c2920b782
SHA512

211106407975ae5b7fef0cb6ee94137308e01bd6036243730a99f89f5b94c65ef3a90b57b3ea6f7d86b1ebf15220197e971b11666f7b97c742c4d985bf9dac3b
SSDEEP

98304:tNe3owTB0iX3gFtwFmvS/1wPVeBEecJkUv6LzS3vv3jirr3jjWiTaOvifviOr8IG:tU3owTB9X3atwFk1VeBEeEkTbI0nctaP

Score

10^/10

hijackloader discovery evasion loader

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2428-9-0x0000000000430000-0x000000000074A000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

LisectAVT_2403002A_207.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine	LisectAVT_2403002A_207.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	LisectAVT_2403002A_207.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

LisectAVT_2403002A_207.execmd.exe

description	pid	process	target process
PID 2428 set thread context of 2560	2428	LisectAVT_2403002A_207.exe	cmd.exe
PID 2560 set thread context of 3704	2560	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LisectAVT_2403002A_207.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002A_207.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

LisectAVT_2403002A_207.execmd.exe

pid process

2428 LisectAVT_2403002A_207.exe
2428 LisectAVT_2403002A_207.exe
2560 cmd.exe
2560 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

LisectAVT_2403002A_207.execmd.exe

pid process

2428 LisectAVT_2403002A_207.exe
2560 cmd.exe
2560 cmd.exe

pid	process
2428	LisectAVT_2403002A_207.exe
2428	LisectAVT_2403002A_207.exe
2560	cmd.exe
2560	cmd.exe

pid	process
2428	LisectAVT_2403002A_207.exe
2560	cmd.exe
2560	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

LisectAVT_2403002A_207.execmd.exe

description	pid	process	target process
PID 2428 wrote to memory of 2560	2428	LisectAVT_2403002A_207.exe	cmd.exe
PID 2428 wrote to memory of 2560	2428	LisectAVT_2403002A_207.exe	cmd.exe
PID 2428 wrote to memory of 2560	2428	LisectAVT_2403002A_207.exe	cmd.exe
PID 2428 wrote to memory of 2560	2428	LisectAVT_2403002A_207.exe	cmd.exe
PID 2560 wrote to memory of 3704	2560	cmd.exe	MSBuild.exe
PID 2560 wrote to memory of 3704	2560	cmd.exe	MSBuild.exe
PID 2560 wrote to memory of 3704	2560	cmd.exe	MSBuild.exe
PID 2560 wrote to memory of 3704	2560	cmd.exe	MSBuild.exe
PID 2560 wrote to memory of 3704	2560	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_207.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_207.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
3⤵
PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2e9a8e06
Filesize
1.3MB

MD5
cfceccc270835cd4f4363ec3150f014a

SHA1
eb8ca2641d44dd9d3d836152603b3a8e24863cc3

SHA256
64deca1d1216582e64f6d52b9981ff40b4d389453a6aa8cdd983c6ad59aacb36

SHA512
b4de11aba21a5452bf6b418b8ab502259c6e3240264e3726b807fa19e72a146a52dbb9e255dfaa6ef49671782c88624ad05ad3a964272f4cb652c06ac61c929f

Download Submit
memory/2428-10-0x0000000073F20000-0x000000007409B000-memory.dmp

Filesize
1.5MB

Download
memory/2428-11-0x00007FFF48FD0000-0x00007FFF491C5000-memory.dmp

Filesize
2.0MB

Download
memory/2428-13-0x0000000073F20000-0x000000007409B000-memory.dmp

Filesize
1.5MB

Download
memory/2428-12-0x0000000073F32000-0x0000000073F33000-memory.dmp

Filesize
4KB

Download
memory/2428-14-0x0000000073F20000-0x000000007409B000-memory.dmp

Filesize
1.5MB

Download
memory/2428-9-0x0000000000430000-0x000000000074A000-memory.dmp

Filesize
3.1MB

Download
memory/2560-18-0x00007FFF48FD0000-0x00007FFF491C5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-16-0x0000000073F20000-0x000000007409B000-memory.dmp

Filesize
1.5MB

Download
memory/2560-20-0x0000000073F20000-0x000000007409B000-memory.dmp

Filesize
1.5MB

Download
memory/2560-21-0x0000000073F20000-0x000000007409B000-memory.dmp

Filesize
1.5MB

Download
memory/2560-24-0x0000000073F20000-0x000000007409B000-memory.dmp

Filesize
1.5MB

Download
memory/3704-23-0x00007FFF28160000-0x00007FFF297D7000-memory.dmp

Filesize
22.5MB

Download
memory/3704-27-0x00007FFF27693000-0x00007FFF27695000-memory.dmp

Filesize
8KB

Download
memory/3704-28-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/3704-29-0x00000230E4BD0000-0x00000230E4CD2000-memory.dmp

Filesize
1.0MB

Download
memory/3704-30-0x00000230E4D30000-0x00000230E4D86000-memory.dmp

Filesize
344KB

Download
memory/3704-31-0x00000230E3270000-0x00000230E32BC000-memory.dmp

Filesize
304KB

Download
memory/3704-32-0x00007FFF27693000-0x00007FFF27695000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads