hijackloader | 68395be6acccbc33328eeb307f5fe190da71f801fcd6d9aa5b3536b9723bceb6

Analysis

max time kernel
53s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-08-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

s.exe
Size

82.5MB
MD5

186c20868ce52b64dd05765b1a2396bb
SHA1

77103141eb9dfc1902a0aded50969c888635446b
SHA256

68395be6acccbc33328eeb307f5fe190da71f801fcd6d9aa5b3536b9723bceb6
SHA512

1f1a68ab9b21067cb00ff216ecf6620f14e329774379b295b9b1e34eca81db434166212f343930a1ccb38998a9da924853462bb93a6d267bfcc52aa068413eb4
SSDEEP

196608:9JoeoSVFaTNmgcyGHfZ3BVg+QvHsoL8Ijq:3oeoUaTNJdG/dg+QvMoLzm

Score

10^/10

hijackloader discovery loader

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1924-0-0x0000000000400000-0x00000000013EB000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1964	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

DPMHelper.exeDPMHelper.exe

pid	Process
2796	DPMHelper.exe
2876	DPMHelper.exe

Loads dropped DLL 13 IoCs

Processes:

DPMHelper.exeDPMHelper.exe

pid	Process
2796	DPMHelper.exe
2796	DPMHelper.exe
2796	DPMHelper.exe
2796	DPMHelper.exe
2796	DPMHelper.exe
2796	DPMHelper.exe
2796	DPMHelper.exe
2876	DPMHelper.exe
2876	DPMHelper.exe
2876	DPMHelper.exe
2876	DPMHelper.exe
2876	DPMHelper.exe
2876	DPMHelper.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DPMHelper.exe

description	pid	Process	procid_target
PID 2876 set thread context of 1964	2876	DPMHelper.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeexplorer.exeDPMHelper.exeDPMHelper.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPMHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPMHelper.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

s.exeDPMHelper.exeDPMHelper.execmd.exe

pid	Process
1924	s.exe
1924	s.exe
2796	DPMHelper.exe
2876	DPMHelper.exe
2876	DPMHelper.exe
1964	cmd.exe
1964	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

DPMHelper.execmd.exe

pid	Process
2876	DPMHelper.exe
1964	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

s.exe

pid	Process
1924	s.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

s.exeDPMHelper.exeDPMHelper.execmd.exe

description	pid	Process	procid_target
PID 1924 wrote to memory of 2796	1924	s.exe	30
PID 1924 wrote to memory of 2796	1924	s.exe	30
PID 1924 wrote to memory of 2796	1924	s.exe	30
PID 1924 wrote to memory of 2796	1924	s.exe	30
PID 2796 wrote to memory of 2876	2796	DPMHelper.exe	31
PID 2796 wrote to memory of 2876	2796	DPMHelper.exe	31
PID 2796 wrote to memory of 2876	2796	DPMHelper.exe	31
PID 2796 wrote to memory of 2876	2796	DPMHelper.exe	31
PID 2876 wrote to memory of 1964	2876	DPMHelper.exe	32
PID 2876 wrote to memory of 1964	2876	DPMHelper.exe	32
PID 2876 wrote to memory of 1964	2876	DPMHelper.exe	32
PID 2876 wrote to memory of 1964	2876	DPMHelper.exe	32
PID 2876 wrote to memory of 1964	2876	DPMHelper.exe	32
PID 1964 wrote to memory of 1536	1964	cmd.exe	34
PID 1964 wrote to memory of 1536	1964	cmd.exe	34
PID 1964 wrote to memory of 1536	1964	cmd.exe	34
PID 1964 wrote to memory of 1536	1964	cmd.exe	34
PID 1964 wrote to memory of 1536	1964	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\s.exe
"C:\Users\Admin\AppData\Local\Temp\s.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\DPMHelper.exe
  C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\DPMHelper.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Roaming\protectsecure_v3\DPMHelper.exe
    C:\Users\Admin\AppData\Roaming\protectsecure_v3\DPMHelper.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27b48f80

Filesize
1.0MB

MD5
6ebb4e59104eafbb5a7d63a6b6b533f1

SHA1
94fcaeebfe903340475352e919b3cc1e2d2b1ed9

SHA256
157d3dfb0f4de0de5eb579d836f4f0d60316fb73af5e35c8de71c449cd1e20a2

SHA512
426e17bb076f74c2484493865ba88bc37d2dee5e166d707089c95de72fda7f3d72af91ee5ca9b8da4ae004dc22c10d44efffad474291901c61f4f91997dcc615

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\DPMHelper.exe

Filesize
2.3MB

MD5
5d52ef45b6e5bf144307a84c2af1581b

SHA1
414a899ec327d4a9daa53983544245b209f25142

SHA256
26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616

SHA512
458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\decorator.xml

Filesize
65KB

MD5
d8b0d041fbb7cd0e878a5eb737dcaa03

SHA1
190c5114e8893362af2c01027b0e6e8b2437416b

SHA256
8a104a1f1ee47bc5331732b34c21b2e025eea1314a1772ac01b3a5a1076465a1

SHA512
3758a4a8b62eea9b7a1a0dbf1e8a137a06c061213123fabbb21d95545b98e4aa7366fbe927c6c6732fd5269ecaf2a9f80e9f16afef87d0f8cb5392e0ce8bddda

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\gangrel.mdb

Filesize
945KB

MD5
2b0403cb1af4c3285deafbf3f72fd608

SHA1
c17f0cd037a51d14c2a0c3a19914bdafcdb78a16

SHA256
1a8d5a60eeebe51fcb006ceb65a39db5fbc6c31124f954b8e2cc29e588247171

SHA512
d450fb3f13cf48566f05e73c529f5d42be66712febc96ec939bd3272e7f5f9e0a5954d898ffce81d90d45f4906feed4b9a43cec5517b983a3ca435323574e647

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\madBasic_.bpl

Filesize
210KB

MD5
e03a0056e75d3a5707ba199bc2ea701f

SHA1
bf40ab316e65eb17a58e70a3f0ca8426f44f5bef

SHA256
7826395127e791a883359ea81308174700da0af8052cc9853b19fd29c2e4badb

SHA512
b0a3cfb6b34832f048fe0fc70c6fa76ae16a2cacda930f6529a83a967d6e8de1c69b93e0de3dc2126c5385d85e814687e695a0a4131399a69633141cad98da2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\madDisAsm_.bpl

Filesize
63KB

MD5
ef3b47b2ea3884914c13c778ff29eb5b

SHA1
dc2b1fa7c7547d8f1ad3f20f9060f7bc686118e0

SHA256
475f7cdffd8ed4d6f52bd98ae2bb684f1c923a1be2a692757a9af788a39b1d87

SHA512
9648d951d8d3640436c8029fd0f06786f7ff8f52191cd6959569c87868bb6c40ac8c7e495c09377a8a5c85e8d3942551c37eb84e916b5c16327d8d43a167820e

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\madExcept_.bpl

Filesize
436KB

MD5
98e59596edd9b888d906c5409e515803

SHA1
b79d73967a2df21d00740bc77ccebda061b44ab6

SHA256
a6ca13af74a64e4ab5ebb2d12b757cecf1a683cb9cd0ae7906db1b4b2c8a90c0

SHA512
ba617227849d2eb3285395e2d1babfe01902be143144be895011f0389f1860d0d7f08c6bbc4d461384eba270f866cce3351f52af1dc9ef9719c677619de79e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\rtl120.bpl

Filesize
1.1MB

MD5
1681f93e11a7ed23612a55bcef7f1023

SHA1
9b378bbdb287ebd7596944bce36b6156caa9ff7d

SHA256
7ed5369fcf0283ea18974c43dbff80e6006b155b76da7c72fa9619eb03f54cef

SHA512
726e8f58648a6abaf1f2d5bebcf28c1d8320551a3b6e7eef0cf8d99f9ef941e30e7004c24c98e9b5e931a86128d26de7decba202390665a005e972dcbe87ab93

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\vcl120.bpl

Filesize
1.9MB

MD5
69121901517af9636019d37b9a93cc55

SHA1
42e39d1d7803221f28a05dccbbc519e33d164c96

SHA256
5bf3a1e1148684c8e9c2f767e6c1535e233cc1548ff347f0652c03d140060004

SHA512
76dc7588c444f79859a0c325d630dd0d2a996be78fc2e528e37aa82ea7b1568e1edae53310983622069e69ff32606715227d76d4248768110d37a00317329b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\vclx120.bpl

Filesize
222KB

MD5
3cb8f7606940c9b51c45ebaeb84af728

SHA1
7f33a8b5f8f7210bd93b330c5e27a1e70b22f57b

SHA256
2feec33d1e3f3d69c717f4528b8f7f5c030caae6fb37c2100cb0b5341367d053

SHA512
7559cdf6c8dbea052242f3b8129979f7d2d283f84040f1d68ae10438548072715a56a5af88b8562aeea7143194e7c5bddac3fdb01ded411a0b1cac9f0c6eef3f

Download Submit
memory/1536-99-0x00000000000C0000-0x000000000012F000-memory.dmp

Filesize
444KB

Download
memory/1536-95-0x00000000000C0000-0x000000000012F000-memory.dmp

Filesize
444KB

Download
memory/1536-96-0x0000000076CE0000-0x0000000076E89000-memory.dmp

Filesize
1.7MB

Download
memory/1536-97-0x00000000000C0000-0x000000000012F000-memory.dmp

Filesize
444KB

Download
memory/1924-8-0x000007FEFA950000-0x000007FEFAAA8000-memory.dmp

Filesize
1.3MB

Download
memory/1924-2-0x000007FEFA950000-0x000007FEFAAA8000-memory.dmp

Filesize
1.3MB

Download
memory/1924-4-0x000007FEFA950000-0x000007FEFAAA8000-memory.dmp

Filesize
1.3MB

Download
memory/1924-80-0x000007FEFA950000-0x000007FEFAAA8000-memory.dmp

Filesize
1.3MB

Download
memory/1924-7-0x000007FEFA968000-0x000007FEFA969000-memory.dmp

Filesize
4KB

Download
memory/1924-23-0x000007FEFA950000-0x000007FEFAAA8000-memory.dmp

Filesize
1.3MB

Download
memory/1924-1-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1924-0-0x0000000000400000-0x00000000013EB000-memory.dmp

Filesize
15.9MB

Download
memory/1964-93-0x0000000074160000-0x00000000742D4000-memory.dmp

Filesize
1.5MB

Download
memory/1964-92-0x0000000076CE0000-0x0000000076E89000-memory.dmp

Filesize
1.7MB

Download
memory/2796-63-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/2796-59-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2796-41-0x0000000074180000-0x00000000742F4000-memory.dmp

Filesize
1.5MB

Download
memory/2796-56-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/2796-42-0x0000000076CE0000-0x0000000076E89000-memory.dmp

Filesize
1.7MB

Download
memory/2796-62-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2796-64-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/2796-60-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2796-58-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2876-82-0x0000000074160000-0x00000000742D4000-memory.dmp

Filesize
1.5MB

Download
memory/2876-86-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2876-85-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2876-87-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2876-88-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2876-90-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/2876-79-0x0000000076CE0000-0x0000000076E89000-memory.dmp

Filesize
1.7MB

Download
memory/2876-84-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/2876-78-0x0000000074160000-0x00000000742D4000-memory.dmp

Filesize
1.5MB

Download