Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-07-2024 20:04
Behavioral tasks
- behavioral1: sample neroAacEnc.exe, resource win7-20240708-en
- behavioral2: sample neroAacEnc.exe, resource win10v2004-20240709-en
The signatures, process tree and dropped files below are from behavioral2 (the Windows 10 run); the YARA hit is recorded against that task's memory dump.
General
- Target: neroAacEnc.exe
- Size: 15.2MB
- MD5: 9bf782afcc591d031b253116ac34051b
- SHA1: 901764258a8f7322c9a4155f70e48e9676c7691e
- SHA256: 318a4e426669f90ff9b6107f56f0ed47616d9da1335473c8f9f41073ca2d694d
- SHA512: dacc38e7d1fd9d60b6700ed5d28d2aa3283766157e84399f9e6b98161d399b32a8c8ea6846ec932b4c8a13e3690c7b2bc6db17d62f47d9ac22f74cf8dc59400c
- SSDEEP: 393216:Lwi3tIkSzBOms76P5jAkCQBIVO3JDps+ziMlbMhrC+lFaiNFjU7AWt:BtuOu5AFQ+0ps++MlAn61
Malware Config
Signatures
- Detects HijackLoader (aka IDAT Loader) (1 IoC)
  resource: behavioral2/memory/1544-0-0x0000000000400000-0x0000000001484000-memory.dmp
  yara_rule: family_hijackloader
  HijackLoader is a multistage loader first seen in 2023. The match is on the in-memory image of the original sample process (PID 1544), not on a dropped file.
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run the single observed command adds one path exclusion, C:\Windows\SysWOW64\explorer.exe (the process that the loader has injected into; see the process tree).
  pid 792 powershell.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\0BB94212\ImagePath = "C:\\Windows\\SysWOW64\\explorer.exe", by explorer.exe
  The ImagePath is the plain 32-bit explorer.exe binary, so the service, if started, runs an explorer.exe that the loader can then inject into under the SYSTEM account.
- Deletes itself (1 IoC)
  pid 3352 cmd.exe
  The deletion is performed from the hollowed cmd.exe, so the original neroAacEnc.exe is normally gone from the Temp directory by the time a responder looks.
- Drops file in System32 directory (3 IoCs)
  File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl, by explorer.exe
  File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin, by explorer.exe
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db, by explorer.exe
  These are ordinary Explorer start-up artifacts written under the SYSTEM profile (config\systemprofile), not payload files; their location is the interesting part, since it shows an explorer.exe running as SYSTEM.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1544 neroAacEnc.exe set thread context of PID 3352 cmd.exe (procid_target 88)
- Drops file in Program Files directory (1 IoC)
  File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe, by explorer.exe
  Only the open-for-write is recorded here; the report shows no write to the file.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by neroAacEnc.exe, cmd.exe, explorer.exe (twice) and powershell.exe
  Most Windows processes read this key during start-up, so on its own it is weak evidence of deliberate geolocation checks.
- Checks processor information in registry (2 TTPs, 22 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  All 22 accesses are by explorer.exe under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor:
  - Key opened and key enumerated: CentralProcessor
  - Key opened (twice) and key value enumerated: CentralProcessor\0
  - Key opened and key value enumerated: CentralProcessor\1
  - Key value queried under CentralProcessor\0: VendorIdentifier, Identifier, Update Revision, ~MHz, Configuration Data, Component Information, FeatureSet, ProcessorNameString
  - Key value queried under CentralProcessor\1: VendorIdentifier, Identifier, Update Revision, ~MHz, Component Information, FeatureSet, ProcessorNameString
- Modifies data under HKEY_USERS (8 IoCs)
  All by explorer.exe, all under \REGISTRY\USER\.DEFAULT (the hive used by the SYSTEM account):
  - Set value (int) ...\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0"
  - Key created ...\Software\Microsoft\Windows\CurrentVersion\Explorer
  - Set value (int) ...\Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerStartupTraceRecorded = "1"
  - Key created ...\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
  - Set value (data) ...\Shell Extensions\Cached\{470C0EBD-5D73-4D58-9CED-E91E22E23282} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c135975360e0da01
  - Set value (data) ...\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000007d5c9c5360e0da01
  - Set value (data) ...\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d420200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (data) ...\Shell Extensions\Cached\{11DBB47C-A525-400B-9E80-A54615A090C0} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000d159fb5360e0da01
  (Every path above begins \REGISTRY\USER\.DEFAULT.) These are Explorer's own first-run registry writes; like the systemprofile files above, they matter because they place an explorer.exe under the SYSTEM account, which the process tree attributes to PID 3304.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  1544 neroAacEnc.exe (2), 3352 cmd.exe (2), 792 powershell.exe (2), and the remaining 58 by 4836 explorer.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  1544 neroAacEnc.exe, 3352 cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, 792 powershell.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1544 neroAacEnc.exe wrote to memory of 3352 cmd.exe, 4 times (procid_target 88)
  PID 3352 cmd.exe wrote to memory of 4836 explorer.exe, 6 times (procid_target 100)
  PID 4836 explorer.exe wrote to memory of 792 powershell.exe, 3 times (procid_target 105)
  The writes into cmd.exe, together with SetThreadContext and MapViewOfSection from the same two processes, are the injection steps (the pattern of process hollowing); the writes into explorer.exe continue the chain one hop further. The three writes into powershell.exe are the kind a parent makes when it starts a child and are not by themselves evidence of injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\neroAacEnc.exe (PID 1544)
  command line: "C:\Users\Admin\AppData\Local\Temp\neroAacEnc.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3352, child of 1544)
    command line: C:\Windows\SysWOW64\cmd.exe
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 4836, child of 3352)
      command line: C:\Windows\SysWOW64\explorer.exe
      - Sets service image path in registry
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 792, child of 4836)
        command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Windows\SysWOW64\explorer.exe
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\explorer.exe (PID 3304, no parent shown in the tree)
  command line: C:\Windows\SysWOW64\explorer.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
- C:\Windows\explorer.exe (PID 1128, no parent shown in the tree)
  command line: C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding

Reading the tree together with the signatures: the 32-bit sample starts a cmd.exe and hollows it (SetThreadContext, four WriteProcessMemory events, MapViewOfSection); the hollowed cmd.exe deletes the original file and writes its payload into a newly started SysWOW64 explorer.exe (six WriteProcessMemory events); that explorer.exe registers service 0BB94212 with ImagePath C:\Windows\SysWOW64\explorer.exe and launches PowerShell to exclude the same path from Defender. The PowerShell command line names system32, but the image runs from SysWOW64 because the 32-bit parent is subject to WOW64 file-system redirection. The second SysWOW64\explorer.exe (PID 3304) has no parent in the tree and writes to the SYSTEM profile and HKU\.DEFAULT, which is consistent with the Service Control Manager having started it from the ImagePath set above; the report does not record that service start directly. PID 1128 is a DCOM-activated Explorer instance (/factory ... -Embedding) with no signatures attributed to it.
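As an added host-triage example (not part of the Triage report and not the sample's own code), the following PowerShell checks a Windows host for the artifacts recorded above: the Defender path exclusion, a service whose ImagePath is the 32-bit explorer.exe, Defender and PowerShell event-log traces of the Add-MpPreference call, and the dropper on disk. Assumptions: the service name 0BB94212 may be generated per infection, so the service check also matches any service pointing at SysWOW64\explorer.exe; CurrentControlSet is used in place of the report's ControlSet001; the event-log search covers the last seven days; event 4104 entries exist only if script block logging is enabled. Run elevated, since Get-MpPreference and the Defender log need it.

```powershell
# Added triage script for the indicators in this report (not Triage's code).
# Indicator values are copied from the report; the service-name wildcard and
# the seven-day window are assumptions.

$Indicators = @{
    SampleSha256  = '318a4e426669f90ff9b6107f56f0ed47616d9da1335473c8f9f41073ca2d694d'
    SamplePath    = Join-Path $env:LOCALAPPDATA 'Temp\neroAacEnc.exe'
    ServiceName   = '0BB94212'                              # may vary per infection (assumption)
    ExclusionPath = 'C:\Windows\SysWOW64\explorer.exe'
}
$since    = (Get-Date).AddDays(-7)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender path exclusion added via "Add-MpPreference -ExclusionPath ..."
$exclusions = (Get-MpPreference).ExclusionPath
if ($exclusions -contains $Indicators.ExclusionPath) {
    $findings.Add("Defender ExclusionPath contains $($Indicators.ExclusionPath)")
}

# 2. Service persistence: report shows Services\0BB94212\ImagePath = SysWOW64\explorer.exe.
#    Flag the known name and any other service whose ImagePath is the 32-bit explorer.exe.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $image = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { return }
        $clean = $image -replace '"', ''
        if ($_.PSChildName -eq $Indicators.ServiceName -or $clean -like '*\SysWOW64\explorer.exe*') {
            $findings.Add("Service $($_.PSChildName) ImagePath = $image")
        }
    }

# 3. Defender Operational event 5007 records configuration changes; an exclusion
#    shows up as a new value under ...\Exclusions\Paths.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    ForEach-Object { $findings.Add("Defender 5007 at $($_.TimeCreated): $($_.Message -replace '\s+', ' ')") }

# 4. Script block logging (event 4104) keeps the Add-MpPreference call after the
#    process tree is gone. Only present if script block logging is enabled.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Add-MpPreference' } |
    ForEach-Object { $findings.Add("PowerShell 4104 at $($_.TimeCreated): Add-MpPreference in script block") }

# 5. The dropper itself. It deletes itself from the hollowed cmd.exe, so its
#    absence proves nothing; a hash match is still a strong confirmation.
if (Test-Path $Indicators.SamplePath) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Indicators.SamplePath).Hash.ToLower()
    if ($hash -eq $Indicators.SampleSha256) {
        $findings.Add("Sample present with matching SHA256 at $($Indicators.SamplePath)")
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report were found on this host.' } else { $findings }
```

The registry check deliberately does not trust the service name alone: the name 0BB94212 looks generated, and a service that runs a bare explorer.exe as its image is anomalous regardless of what it is called. The 5007 event is the most durable of the traces, since it survives the exclusion being removed again.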
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1, 14.6MB
  MD5: 61aa8acf927cbad9f4ca0acd6292a3ba
  SHA1: c3b35f5ac2b84feb6a9dea742b26580bef92ccb0
  SHA256: b19eba3e540bdb64f4f751153d21ce767e405f210689591636ecd3ed2c90206f
  SHA512: d981110333fa531be5aa134769607ef58987bafab92a8dd755d130ef8af1603302d49a9c816e75e600d1ffc1284f07f2d79fda02fb3a608ba3df0db6a8cd28fd
- File 2, 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82