Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
27-07-2024 20:04
Behavioral task
behavioral1
Sample
neroAacEnc.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
neroAacEnc.exe
Resource
win10v2004-20240709-en
General
-
Target
neroAacEnc.exe
-
Size
15.2MB
-
MD5
9bf782afcc591d031b253116ac34051b
-
SHA1
901764258a8f7322c9a4155f70e48e9676c7691e
-
SHA256
318a4e426669f90ff9b6107f56f0ed47616d9da1335473c8f9f41073ca2d694d
-
SHA512
dacc38e7d1fd9d60b6700ed5d28d2aa3283766157e84399f9e6b98161d399b32a8c8ea6846ec932b4c8a13e3690c7b2bc6db17d62f47d9ac22f74cf8dc59400c
-
SSDEEP
393216:Lwi3tIkSzBOms76P5jAkCQBIVO3JDps+ziMlbMhrC+lFaiNFjU7AWt:BtuOu5AFQ+0ps++MlAn61
Malware Config
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
resource yara_rule behavioral1/memory/2112-0-0x0000000000400000-0x0000000001484000-memory.dmp family_hijackloader -
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Deletes itself 1 IoCs
pid Process 696 cmd.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2112 set thread context of 696 2112 neroAacEnc.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 768 2256 WerFault.exe 34 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language neroAacEnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2112 neroAacEnc.exe 2112 neroAacEnc.exe 696 cmd.exe 696 cmd.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2112 neroAacEnc.exe 696 cmd.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2112 wrote to memory of 696 2112 neroAacEnc.exe 31 PID 2112 wrote to memory of 696 2112 neroAacEnc.exe 31 PID 2112 wrote to memory of 696 2112 neroAacEnc.exe 31 PID 2112 wrote to memory of 696 2112 neroAacEnc.exe 31 PID 2112 wrote to memory of 696 2112 neroAacEnc.exe 31 PID 696 wrote to memory of 2256 696 cmd.exe 34 PID 696 wrote to memory of 2256 696 cmd.exe 34 PID 696 wrote to memory of 2256 696 cmd.exe 34 PID 696 wrote to memory of 2256 696 cmd.exe 34 PID 696 wrote to memory of 2256 696 cmd.exe 34 PID 696 wrote to memory of 2256 696 cmd.exe 34 PID 2256 wrote to memory of 768 2256 explorer.exe 35 PID 2256 wrote to memory of 768 2256 explorer.exe 35 PID 2256 wrote to memory of 768 2256 explorer.exe 35 PID 2256 wrote to memory of 768 2256 explorer.exe 35 PID 696 wrote to memory of 2256 696 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\neroAacEnc.exe"C:\Users\Admin\AppData\Local\Temp\neroAacEnc.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 3164⤵
- Program crash
PID:768
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14.6MB
MD5602451e225694489d76333e0ac92c649
SHA1392c162bd351c66b9b97ecdd710232ddc397f2d6
SHA2561a8295e9997728600894c8f846f1f88a736a1d5c79b2313552fae815ff140909
SHA5128d5b216795e583dc4d70b6460083f97cc843407f65ea8fae74ece7b73a21f9d535f872ef3ce4ba9462c39bf64d8499da75d8641dc6d33ecaae6257f0040a7777