hijackloader | 9c760353cd7593ae5b5bdd79405a16568b2b7cb68fd7ad7cc5863b69a105a62d

General

Target

updateload2.exe
Size

4.1MB
MD5

f284c82401fcbac1bdde4b71a0af9798
SHA1

c9390dc649d0f9e25339f87d7d5a59f58cd6b7df
SHA256

9c760353cd7593ae5b5bdd79405a16568b2b7cb68fd7ad7cc5863b69a105a62d
SHA512

b2b5564ec6012a04eff51349ddea2b7fab79599a46fae41376343d25f14d39329a525faad61513de7e93dd5d49c50dc5c7ed8a1022a33ba424f6c6dd99154366
SSDEEP

98304:BiaVRBZ1vtleQ0TrFbpKyXTp/8zf8R9Mr4/Eof:B9Vt/eQiqyN/8zUs6d

Score

10^/10

hijackloader rhadamanthys discovery loader stealer

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/4932-0-0x00000000002E0000-0x0000000000459000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4640 created 2804	4640	explorer.exe	50

Deletes itself 1 IoCs

pid	Process
4812	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4932 set thread context of 4812	4932	updateload2.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updateload2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4932	updateload2.exe
4932	updateload2.exe
4812	cmd.exe
4812	cmd.exe
4640	explorer.exe
4640	explorer.exe
1952	openwith.exe
1952	openwith.exe
1952	openwith.exe
1952	openwith.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4932	updateload2.exe
4812	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4812	4932	updateload2.exe	86
PID 4932 wrote to memory of 4812	4932	updateload2.exe	86
PID 4932 wrote to memory of 4812	4932	updateload2.exe	86
PID 4932 wrote to memory of 4812	4932	updateload2.exe	86
PID 4812 wrote to memory of 4640	4812	cmd.exe	88
PID 4812 wrote to memory of 4640	4812	cmd.exe	88
PID 4812 wrote to memory of 4640	4812	cmd.exe	88
PID 4812 wrote to memory of 4640	4812	cmd.exe	88
PID 4640 wrote to memory of 1952	4640	explorer.exe	92
PID 4640 wrote to memory of 1952	4640	explorer.exe	92
PID 4640 wrote to memory of 1952	4640	explorer.exe	92
PID 4640 wrote to memory of 1952	4640	explorer.exe	92
PID 4640 wrote to memory of 1952	4640	explorer.exe	92

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2804
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1952

C:\Users\Admin\AppData\Local\Temp\updateload2.exe
"C:\Users\Admin\AppData\Local\Temp\updateload2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e7fa4cb2

Filesize
1.1MB

MD5
1b9a0965e12c85a7593d40e6c1bfb664

SHA1
ce2a2d9fd338196c9e818ec91b77be6dcd6df19d

SHA256
aa75298aa2e2ee055d35286ed0e60866a786091d6e3ae590ff91e172deb7c072

SHA512
817602146d2df54cb3b8f060493ce16eef35e82d84dda0ad7d656b1d83e99baa5cffc3ad0dd1bf2cd3ecd83a4cdf82c9185315da80ad4d8723dc61812cf415de

Download Submit
memory/1952-28-0x00007FFCC22D0000-0x00007FFCC24C5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-33-0x00000000009D0000-0x00000000009D9000-memory.dmp

Filesize
36KB

Download
memory/1952-30-0x0000000075820000-0x0000000075A35000-memory.dmp

Filesize
2.1MB

Download
memory/1952-27-0x0000000002840000-0x0000000002C40000-memory.dmp

Filesize
4.0MB

Download
memory/1952-25-0x00000000009D0000-0x00000000009D9000-memory.dmp

Filesize
36KB

Download
memory/4640-24-0x0000000000E70000-0x00000000012A3000-memory.dmp

Filesize
4.2MB

Download
memory/4640-23-0x0000000075820000-0x0000000075A35000-memory.dmp

Filesize
2.1MB

Download
memory/4640-32-0x0000000000780000-0x0000000000800000-memory.dmp

Filesize
512KB

Download
memory/4640-20-0x0000000003E20000-0x0000000004220000-memory.dmp

Filesize
4.0MB

Download
memory/4640-19-0x0000000003E20000-0x0000000004220000-memory.dmp

Filesize
4.0MB

Download
memory/4640-18-0x0000000000F53000-0x0000000000F5B000-memory.dmp

Filesize
32KB

Download
memory/4640-14-0x0000000000780000-0x0000000000800000-memory.dmp

Filesize
512KB

Download
memory/4640-15-0x00007FFCC22D0000-0x00007FFCC24C5000-memory.dmp

Filesize
2.0MB

Download
memory/4640-16-0x0000000000780000-0x0000000000800000-memory.dmp

Filesize
512KB

Download
memory/4812-13-0x0000000073EF0000-0x000000007406B000-memory.dmp

Filesize
1.5MB

Download
memory/4812-11-0x0000000073EF0000-0x000000007406B000-memory.dmp

Filesize
1.5MB

Download
memory/4812-10-0x0000000073EF0000-0x000000007406B000-memory.dmp

Filesize
1.5MB

Download
memory/4812-7-0x0000000073EF0000-0x000000007406B000-memory.dmp

Filesize
1.5MB

Download
memory/4812-9-0x00007FFCC22D0000-0x00007FFCC24C5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-0-0x00000000002E0000-0x0000000000459000-memory.dmp

Filesize
1.5MB

Download
memory/4932-5-0x0000000073EF0000-0x000000007406B000-memory.dmp

Filesize
1.5MB

Download
memory/4932-4-0x0000000073EF0000-0x000000007406B000-memory.dmp

Filesize
1.5MB

Download
memory/4932-3-0x0000000073F03000-0x0000000073F05000-memory.dmp

Filesize
8KB

Download
memory/4932-2-0x00007FFCC22D0000-0x00007FFCC24C5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-1-0x0000000073EF0000-0x000000007406B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing