hijackloader | 318a4e426669f90ff9b6107f56f0ed47616d9da1335473c8f9f41073ca2d694d

General

Target

neroAacEnc.exe
Size

15.2MB
MD5

9bf782afcc591d031b253116ac34051b
SHA1

901764258a8f7322c9a4155f70e48e9676c7691e
SHA256

318a4e426669f90ff9b6107f56f0ed47616d9da1335473c8f9f41073ca2d694d
SHA512

dacc38e7d1fd9d60b6700ed5d28d2aa3283766157e84399f9e6b98161d399b32a8c8ea6846ec932b4c8a13e3690c7b2bc6db17d62f47d9ac22f74cf8dc59400c
SSDEEP

393216:Lwi3tIkSzBOms76P5jAkCQBIVO3JDps+ziMlbMhrC+lFaiNFjU7AWt:BtuOu5AFQ+0ps++MlAn61

Score

10^/10

hijackloader discovery loader

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x0000000001484000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

696 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

neroAacEnc.exe

description pid process target process

PID 2112 set thread context of 696 2112 neroAacEnc.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

768 2256 WerFault.exe explorer.exe

pid	process
696	cmd.exe

description	pid	process	target process
PID 2112 set thread context of 696	2112	neroAacEnc.exe	cmd.exe

pid	pid_target	process	target process
768	2256	WerFault.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

neroAacEnc.execmd.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neroAacEnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

neroAacEnc.execmd.exe

pid process

2112 neroAacEnc.exe
2112 neroAacEnc.exe
696 cmd.exe
696 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

neroAacEnc.execmd.exe

pid process

2112 neroAacEnc.exe
696 cmd.exe

pid	process
2112	neroAacEnc.exe
2112	neroAacEnc.exe
696	cmd.exe
696	cmd.exe

pid	process
2112	neroAacEnc.exe
696	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

neroAacEnc.execmd.exeexplorer.exe

description	pid	process	target process
PID 2112 wrote to memory of 696	2112	neroAacEnc.exe	cmd.exe
PID 2112 wrote to memory of 696	2112	neroAacEnc.exe	cmd.exe
PID 2112 wrote to memory of 696	2112	neroAacEnc.exe	cmd.exe
PID 2112 wrote to memory of 696	2112	neroAacEnc.exe	cmd.exe
PID 2112 wrote to memory of 696	2112	neroAacEnc.exe	cmd.exe
PID 696 wrote to memory of 2256	696	cmd.exe	explorer.exe
PID 696 wrote to memory of 2256	696	cmd.exe	explorer.exe
PID 696 wrote to memory of 2256	696	cmd.exe	explorer.exe
PID 696 wrote to memory of 2256	696	cmd.exe	explorer.exe
PID 696 wrote to memory of 2256	696	cmd.exe	explorer.exe
PID 696 wrote to memory of 2256	696	cmd.exe	explorer.exe
PID 2256 wrote to memory of 768	2256	explorer.exe	WerFault.exe
PID 2256 wrote to memory of 768	2256	explorer.exe	WerFault.exe
PID 2256 wrote to memory of 768	2256	explorer.exe	WerFault.exe
PID 2256 wrote to memory of 768	2256	explorer.exe	WerFault.exe
PID 696 wrote to memory of 2256	696	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\neroAacEnc.exe
"C:\Users\Admin\AppData\Local\Temp\neroAacEnc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 316
4⤵
- Program crash
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9e6ad0f3

Filesize
14.6MB

MD5
602451e225694489d76333e0ac92c649

SHA1
392c162bd351c66b9b97ecdd710232ddc397f2d6

SHA256
1a8295e9997728600894c8f846f1f88a736a1d5c79b2313552fae815ff140909

SHA512
8d5b216795e583dc4d70b6460083f97cc843407f65ea8fae74ece7b73a21f9d535f872ef3ce4ba9462c39bf64d8499da75d8641dc6d33ecaae6257f0040a7777

Download Submit
memory/696-7-0x0000000074A30000-0x0000000074BA4000-memory.dmp

Filesize
1.5MB

Download
memory/696-62-0x0000000074A30000-0x0000000074BA4000-memory.dmp

Filesize
1.5MB

Download
memory/696-58-0x0000000074A30000-0x0000000074BA4000-memory.dmp

Filesize
1.5MB

Download
memory/696-57-0x0000000074A30000-0x0000000074BA4000-memory.dmp

Filesize
1.5MB

Download
memory/696-9-0x0000000077430000-0x00000000775D9000-memory.dmp

Filesize
1.7MB

Download
memory/2112-3-0x0000000074A42000-0x0000000074A44000-memory.dmp

Filesize
8KB

Download
memory/2112-5-0x0000000074A30000-0x0000000074BA4000-memory.dmp

Filesize
1.5MB

Download
memory/2112-0-0x0000000000400000-0x0000000001484000-memory.dmp

Filesize
16.5MB

Download
memory/2112-4-0x0000000074A30000-0x0000000074BA4000-memory.dmp

Filesize
1.5MB

Download
memory/2112-2-0x0000000077430000-0x00000000775D9000-memory.dmp

Filesize
1.7MB

Download
memory/2112-1-0x0000000074A30000-0x0000000074BA4000-memory.dmp

Filesize
1.5MB

Download
memory/2256-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-63-0x0000000000FD0000-0x0000000001DE1000-memory.dmp

Filesize
14.1MB

Download
memory/2256-64-0x0000000000FD0000-0x0000000001DE1000-memory.dmp

Filesize
14.1MB

Download
memory/2256-66-0x0000000000FD0000-0x0000000001DE1000-memory.dmp

Filesize
14.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads