hijackloader | 9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe
Size

2.3MB
MD5

e585f3a248e9df2acd69bd1ccab87933
SHA1

63d8b10e143b1189cbd39a97866ada23ed0515e7
SHA256

9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7
SHA512

c8dd113c0981f999fc23a63eadd2f8b3f3921b6a565479f2a2f1600d2fb7495a8288303d8eb6e7e3b28c4687242f8856a37c39a9da90accde8a1e4d018e244ee
SSDEEP

49152:KJfe3owTB0iX39aF7VnwFmvS/5pvXTOyPC3j5gMYKuQ7CzS3vv3jirr3jjWiTaOw:KNe3owTB0iX3gFtwFmvS/3PTNaTbuVz7

Score

10^/10

hijackloader discovery evasion loader

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2564-11-0x0000000000EE0000-0x0000000001164000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe
Key opened	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine	9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe

pid process

2564 9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe

pid	process
2564	9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe

C:\Users\Admin\AppData\Local\Temp\9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe
"C:\Users\Admin\AppData\Local\Temp\9e4130379c0d965fd6ef2fba7e400258c84d063b9b73508b54e954d9a9fedea7.exe"
1⤵
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2564-11-0x0000000000EE0000-0x0000000001164000-memory.dmp

Filesize
2.5MB

Download
memory/2564-12-0x00000000738C0000-0x0000000073A3B000-memory.dmp

Filesize
1.5MB

Download