hijackloader | 68395be6acccbc33328eeb307f5fe190da71f801fcd6d9aa5b3536b9723bceb6

Analysis

max time kernel
91s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

s.exe
Size

82.5MB
MD5

186c20868ce52b64dd05765b1a2396bb
SHA1

77103141eb9dfc1902a0aded50969c888635446b
SHA256

68395be6acccbc33328eeb307f5fe190da71f801fcd6d9aa5b3536b9723bceb6
SHA512

1f1a68ab9b21067cb00ff216ecf6620f14e329774379b295b9b1e34eca81db434166212f343930a1ccb38998a9da924853462bb93a6d267bfcc52aa068413eb4
SSDEEP

196608:9JoeoSVFaTNmgcyGHfZ3BVg+QvHsoL8Ijq:3oeoUaTNJdG/dg+QvMoLzm

Score

10^/10

hijackloader rhadamanthys discovery loader stealer

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2420-0-0x0000000000400000-0x00000000013EB000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 3672 created 2600 3672 explorer.exe sihost.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

5052 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

DPMHelper.exeDPMHelper.exe

pid process

684 DPMHelper.exe
1700 DPMHelper.exe

description	pid	process	target process
PID 3672 created 2600	3672	explorer.exe	sihost.exe

pid	process
5052	cmd.exe

Loads dropped DLL 19 IoCs

Processes:

DPMHelper.exeDPMHelper.exe

pid	process
684	DPMHelper.exe
684	DPMHelper.exe
684	DPMHelper.exe
684	DPMHelper.exe
684	DPMHelper.exe
684	DPMHelper.exe
684	DPMHelper.exe
684	DPMHelper.exe
684	DPMHelper.exe
1700	DPMHelper.exe
1700	DPMHelper.exe
1700	DPMHelper.exe
1700	DPMHelper.exe
1700	DPMHelper.exe
1700	DPMHelper.exe
1700	DPMHelper.exe
1700	DPMHelper.exe
1700	DPMHelper.exe
1700	DPMHelper.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DPMHelper.exe

description pid process target process

PID 1700 set thread context of 5052 1700 DPMHelper.exe cmd.exe

description	pid	process	target process
PID 1700 set thread context of 5052	1700	DPMHelper.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DPMHelper.exeDPMHelper.execmd.exeexplorer.exedialer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPMHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPMHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

s.exeDPMHelper.exeDPMHelper.execmd.exeexplorer.exedialer.exe

pid	process
2420	s.exe
2420	s.exe
684	DPMHelper.exe
1700	DPMHelper.exe
1700	DPMHelper.exe
5052	cmd.exe
5052	cmd.exe
3672	explorer.exe
3672	explorer.exe
1164	dialer.exe
1164	dialer.exe
1164	dialer.exe
1164	dialer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

DPMHelper.execmd.exe

pid process

1700 DPMHelper.exe
5052 cmd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

s.exe

pid process

2420 s.exe

pid	process
1700	DPMHelper.exe
5052	cmd.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

s.exeDPMHelper.exeDPMHelper.execmd.exeexplorer.exe

description	pid	process	target process
PID 2420 wrote to memory of 684	2420	s.exe	DPMHelper.exe
PID 2420 wrote to memory of 684	2420	s.exe	DPMHelper.exe
PID 2420 wrote to memory of 684	2420	s.exe	DPMHelper.exe
PID 684 wrote to memory of 1700	684	DPMHelper.exe	DPMHelper.exe
PID 684 wrote to memory of 1700	684	DPMHelper.exe	DPMHelper.exe
PID 684 wrote to memory of 1700	684	DPMHelper.exe	DPMHelper.exe
PID 1700 wrote to memory of 5052	1700	DPMHelper.exe	cmd.exe
PID 1700 wrote to memory of 5052	1700	DPMHelper.exe	cmd.exe
PID 1700 wrote to memory of 5052	1700	DPMHelper.exe	cmd.exe
PID 1700 wrote to memory of 5052	1700	DPMHelper.exe	cmd.exe
PID 5052 wrote to memory of 3672	5052	cmd.exe	explorer.exe
PID 5052 wrote to memory of 3672	5052	cmd.exe	explorer.exe
PID 5052 wrote to memory of 3672	5052	cmd.exe	explorer.exe
PID 5052 wrote to memory of 3672	5052	cmd.exe	explorer.exe
PID 3672 wrote to memory of 1164	3672	explorer.exe	dialer.exe
PID 3672 wrote to memory of 1164	3672	explorer.exe	dialer.exe
PID 3672 wrote to memory of 1164	3672	explorer.exe	dialer.exe
PID 3672 wrote to memory of 1164	3672	explorer.exe	dialer.exe
PID 3672 wrote to memory of 1164	3672	explorer.exe	dialer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2600

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Users\Admin\AppData\Local\Temp\s.exe
"C:\Users\Admin\AppData\Local\Temp\s.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\DPMHelper.exe
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\DPMHelper.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Roaming\protectsecure_v3\DPMHelper.exe
C:\Users\Admin\AppData\Roaming\protectsecure_v3\DPMHelper.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f6dce57

Filesize
1.0MB

MD5
cd7168df86dae6046668d831c9e42422

SHA1
b25463fead6e7af490e394ffdca93a11b28b54f5

SHA256
1312255220b6105c4cd0e88997a310e6fc25454dae9ec1ce60706224ec3897eb

SHA512
1849407bf330d03ad398a3a7ac6cbabc298f0cb83f9eba2e2900e2b105f918fa788cd144097043c2cc0c3efcfbb3f5bcb0b8c0978ece931496dd9c2dffe610d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\DPMHelper.exe

Filesize
2.3MB

MD5
5d52ef45b6e5bf144307a84c2af1581b

SHA1
414a899ec327d4a9daa53983544245b209f25142

SHA256
26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616

SHA512
458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\decorator.xml

Filesize
65KB

MD5
d8b0d041fbb7cd0e878a5eb737dcaa03

SHA1
190c5114e8893362af2c01027b0e6e8b2437416b

SHA256
8a104a1f1ee47bc5331732b34c21b2e025eea1314a1772ac01b3a5a1076465a1

SHA512
3758a4a8b62eea9b7a1a0dbf1e8a137a06c061213123fabbb21d95545b98e4aa7366fbe927c6c6732fd5269ecaf2a9f80e9f16afef87d0f8cb5392e0ce8bddda

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\gangrel.mdb

Filesize
945KB

MD5
2b0403cb1af4c3285deafbf3f72fd608

SHA1
c17f0cd037a51d14c2a0c3a19914bdafcdb78a16

SHA256
1a8d5a60eeebe51fcb006ceb65a39db5fbc6c31124f954b8e2cc29e588247171

SHA512
d450fb3f13cf48566f05e73c529f5d42be66712febc96ec939bd3272e7f5f9e0a5954d898ffce81d90d45f4906feed4b9a43cec5517b983a3ca435323574e647

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\madbasic_.bpl

Filesize
210KB

MD5
e03a0056e75d3a5707ba199bc2ea701f

SHA1
bf40ab316e65eb17a58e70a3f0ca8426f44f5bef

SHA256
7826395127e791a883359ea81308174700da0af8052cc9853b19fd29c2e4badb

SHA512
b0a3cfb6b34832f048fe0fc70c6fa76ae16a2cacda930f6529a83a967d6e8de1c69b93e0de3dc2126c5385d85e814687e695a0a4131399a69633141cad98da2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\maddisAsm_.bpl

Filesize
63KB

MD5
ef3b47b2ea3884914c13c778ff29eb5b

SHA1
dc2b1fa7c7547d8f1ad3f20f9060f7bc686118e0

SHA256
475f7cdffd8ed4d6f52bd98ae2bb684f1c923a1be2a692757a9af788a39b1d87

SHA512
9648d951d8d3640436c8029fd0f06786f7ff8f52191cd6959569c87868bb6c40ac8c7e495c09377a8a5c85e8d3942551c37eb84e916b5c16327d8d43a167820e

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\madexcept_.bpl

Filesize
436KB

MD5
98e59596edd9b888d906c5409e515803

SHA1
b79d73967a2df21d00740bc77ccebda061b44ab6

SHA256
a6ca13af74a64e4ab5ebb2d12b757cecf1a683cb9cd0ae7906db1b4b2c8a90c0

SHA512
ba617227849d2eb3285395e2d1babfe01902be143144be895011f0389f1860d0d7f08c6bbc4d461384eba270f866cce3351f52af1dc9ef9719c677619de79e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\rtl120.bpl

Filesize
1.1MB

MD5
1681f93e11a7ed23612a55bcef7f1023

SHA1
9b378bbdb287ebd7596944bce36b6156caa9ff7d

SHA256
7ed5369fcf0283ea18974c43dbff80e6006b155b76da7c72fa9619eb03f54cef

SHA512
726e8f58648a6abaf1f2d5bebcf28c1d8320551a3b6e7eef0cf8d99f9ef941e30e7004c24c98e9b5e931a86128d26de7decba202390665a005e972dcbe87ab93

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\vcl120.bpl

Filesize
1.9MB

MD5
69121901517af9636019d37b9a93cc55

SHA1
42e39d1d7803221f28a05dccbbc519e33d164c96

SHA256
5bf3a1e1148684c8e9c2f767e6c1535e233cc1548ff347f0652c03d140060004

SHA512
76dc7588c444f79859a0c325d630dd0d2a996be78fc2e528e37aa82ea7b1568e1edae53310983622069e69ff32606715227d76d4248768110d37a00317329b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\vclx120.bpl

Filesize
222KB

MD5
3cb8f7606940c9b51c45ebaeb84af728

SHA1
7f33a8b5f8f7210bd93b330c5e27a1e70b22f57b

SHA256
2feec33d1e3f3d69c717f4528b8f7f5c030caae6fb37c2100cb0b5341367d053

SHA512
7559cdf6c8dbea052242f3b8129979f7d2d283f84040f1d68ae10438548072715a56a5af88b8562aeea7143194e7c5bddac3fdb01ded411a0b1cac9f0c6eef3f

Download Submit
memory/684-60-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/684-61-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/684-44-0x00000000748A0000-0x0000000074A1B000-memory.dmp

Filesize
1.5MB

Download
memory/684-45-0x00007FF923270000-0x00007FF923465000-memory.dmp

Filesize
2.0MB

Download
memory/684-58-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/684-63-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/684-62-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/684-57-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/684-59-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1164-115-0x00007FF923270000-0x00007FF923465000-memory.dmp

Filesize
2.0MB

Download
memory/1164-117-0x0000000075530000-0x0000000075745000-memory.dmp

Filesize
2.1MB

Download
memory/1164-114-0x0000000002C70000-0x0000000003070000-memory.dmp

Filesize
4.0MB

Download
memory/1164-110-0x00000000010B0000-0x00000000010B9000-memory.dmp

Filesize
36KB

Download
memory/1700-91-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1700-94-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1700-84-0x00007FF923270000-0x00007FF923465000-memory.dmp

Filesize
2.0MB

Download
memory/1700-83-0x00000000748A0000-0x0000000074A1B000-memory.dmp

Filesize
1.5MB

Download
memory/1700-89-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/1700-87-0x00000000748A0000-0x0000000074A1B000-memory.dmp

Filesize
1.5MB

Download
memory/1700-90-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1700-92-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/1700-95-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/2420-1-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/2420-0-0x0000000000400000-0x00000000013EB000-memory.dmp

Filesize
15.9MB

Download
memory/2420-23-0x00007FF9058A0000-0x00007FF905A12000-memory.dmp

Filesize
1.4MB

Download
memory/2420-85-0x00007FF9058A0000-0x00007FF905A12000-memory.dmp

Filesize
1.4MB

Download
memory/2420-14-0x00007FF9058A0000-0x00007FF905A12000-memory.dmp

Filesize
1.4MB

Download
memory/2420-4-0x00007FF9058A0000-0x00007FF905A12000-memory.dmp

Filesize
1.4MB

Download
memory/2420-7-0x00007FF9058B8000-0x00007FF9058B9000-memory.dmp

Filesize
4KB

Download
memory/2420-2-0x00007FF9058A0000-0x00007FF905A12000-memory.dmp

Filesize
1.4MB

Download
memory/3672-105-0x0000000003FD0000-0x00000000043D0000-memory.dmp

Filesize
4.0MB

Download
memory/3672-104-0x00000000008A0000-0x000000000090F000-memory.dmp

Filesize
444KB

Download
memory/3672-102-0x00000000008A0000-0x000000000090F000-memory.dmp

Filesize
444KB

Download
memory/3672-106-0x0000000003FD0000-0x00000000043D0000-memory.dmp

Filesize
4.0MB

Download
memory/3672-109-0x0000000075530000-0x0000000075745000-memory.dmp

Filesize
2.1MB

Download
memory/3672-101-0x00007FF923270000-0x00007FF923465000-memory.dmp

Filesize
2.0MB

Download
memory/3672-112-0x00000000008A0000-0x000000000090F000-memory.dmp

Filesize
444KB

Download
memory/3672-100-0x00000000008A0000-0x000000000090F000-memory.dmp

Filesize
444KB

Download
memory/5052-98-0x00000000748A0000-0x0000000074A1B000-memory.dmp

Filesize
1.5MB

Download
memory/5052-97-0x00007FF923270000-0x00007FF923465000-memory.dmp

Filesize
2.0MB

Download