Analysis
-
max time kernel
91s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07-08-2024 13:06
Behavioral task
behavioral1
Sample
s.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
s.exe
Resource
win10v2004-20240802-en
General
-
Target
s.exe
-
Size
82.5MB
-
MD5
186c20868ce52b64dd05765b1a2396bb
-
SHA1
77103141eb9dfc1902a0aded50969c888635446b
-
SHA256
68395be6acccbc33328eeb307f5fe190da71f801fcd6d9aa5b3536b9723bceb6
-
SHA512
1f1a68ab9b21067cb00ff216ecf6620f14e329774379b295b9b1e34eca81db434166212f343930a1ccb38998a9da924853462bb93a6d267bfcc52aa068413eb4
-
SSDEEP
196608:9JoeoSVFaTNmgcyGHfZ3BVg+QvHsoL8Ijq:3oeoUaTNJdG/dg+QvMoLzm
Malware Config
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2420-0-0x0000000000400000-0x00000000013EB000-memory.dmp family_hijackloader -
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
explorer.exedescription pid Process procid_target PID 3672 created 2600 3672 explorer.exe 44 -
Deletes itself 1 IoCs
Processes:
cmd.exepid Process 5052 cmd.exe -
Executes dropped EXE 2 IoCs
Processes:
DPMHelper.exeDPMHelper.exepid Process 684 DPMHelper.exe 1700 DPMHelper.exe -
Loads dropped DLL 19 IoCs
Processes:
DPMHelper.exeDPMHelper.exepid Process 684 DPMHelper.exe 684 DPMHelper.exe 684 DPMHelper.exe 684 DPMHelper.exe 684 DPMHelper.exe 684 DPMHelper.exe 684 DPMHelper.exe 684 DPMHelper.exe 684 DPMHelper.exe 1700 DPMHelper.exe 1700 DPMHelper.exe 1700 DPMHelper.exe 1700 DPMHelper.exe 1700 DPMHelper.exe 1700 DPMHelper.exe 1700 DPMHelper.exe 1700 DPMHelper.exe 1700 DPMHelper.exe 1700 DPMHelper.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DPMHelper.exedescription pid Process procid_target PID 1700 set thread context of 5052 1700 DPMHelper.exe 88 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
DPMHelper.exeDPMHelper.execmd.exeexplorer.exedialer.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DPMHelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DPMHelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dialer.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
s.exeDPMHelper.exeDPMHelper.execmd.exeexplorer.exedialer.exepid Process 2420 s.exe 2420 s.exe 684 DPMHelper.exe 1700 DPMHelper.exe 1700 DPMHelper.exe 5052 cmd.exe 5052 cmd.exe 3672 explorer.exe 3672 explorer.exe 1164 dialer.exe 1164 dialer.exe 1164 dialer.exe 1164 dialer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
DPMHelper.execmd.exepid Process 1700 DPMHelper.exe 5052 cmd.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
s.exepid Process 2420 s.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
s.exeDPMHelper.exeDPMHelper.execmd.exeexplorer.exedescription pid Process procid_target PID 2420 wrote to memory of 684 2420 s.exe 86 PID 2420 wrote to memory of 684 2420 s.exe 86 PID 2420 wrote to memory of 684 2420 s.exe 86 PID 684 wrote to memory of 1700 684 DPMHelper.exe 87 PID 684 wrote to memory of 1700 684 DPMHelper.exe 87 PID 684 wrote to memory of 1700 684 DPMHelper.exe 87 PID 1700 wrote to memory of 5052 1700 DPMHelper.exe 88 PID 1700 wrote to memory of 5052 1700 DPMHelper.exe 88 PID 1700 wrote to memory of 5052 1700 DPMHelper.exe 88 PID 1700 wrote to memory of 5052 1700 DPMHelper.exe 88 PID 5052 wrote to memory of 3672 5052 cmd.exe 90 PID 5052 wrote to memory of 3672 5052 cmd.exe 90 PID 5052 wrote to memory of 3672 5052 cmd.exe 90 PID 5052 wrote to memory of 3672 5052 cmd.exe 90 PID 3672 wrote to memory of 1164 3672 explorer.exe 94 PID 3672 wrote to memory of 1164 3672 explorer.exe 94 PID 3672 wrote to memory of 1164 3672 explorer.exe 94 PID 3672 wrote to memory of 1164 3672 explorer.exe 94 PID 3672 wrote to memory of 1164 3672 explorer.exe 94
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2600
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1164
-
-
C:\Users\Admin\AppData\Local\Temp\s.exe"C:\Users\Admin\AppData\Local\Temp\s.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\protectsecure_v3\DPMHelper.exeC:\Users\Admin\AppData\Local\Temp\protectsecure_v3\DPMHelper.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Users\Admin\AppData\Roaming\protectsecure_v3\DPMHelper.exeC:\Users\Admin\AppData\Roaming\protectsecure_v3\DPMHelper.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3672
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5cd7168df86dae6046668d831c9e42422
SHA1b25463fead6e7af490e394ffdca93a11b28b54f5
SHA2561312255220b6105c4cd0e88997a310e6fc25454dae9ec1ce60706224ec3897eb
SHA5121849407bf330d03ad398a3a7ac6cbabc298f0cb83f9eba2e2900e2b105f918fa788cd144097043c2cc0c3efcfbb3f5bcb0b8c0978ece931496dd9c2dffe610d0
-
Filesize
2.3MB
MD55d52ef45b6e5bf144307a84c2af1581b
SHA1414a899ec327d4a9daa53983544245b209f25142
SHA25626a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
SHA512458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
-
Filesize
65KB
MD5d8b0d041fbb7cd0e878a5eb737dcaa03
SHA1190c5114e8893362af2c01027b0e6e8b2437416b
SHA2568a104a1f1ee47bc5331732b34c21b2e025eea1314a1772ac01b3a5a1076465a1
SHA5123758a4a8b62eea9b7a1a0dbf1e8a137a06c061213123fabbb21d95545b98e4aa7366fbe927c6c6732fd5269ecaf2a9f80e9f16afef87d0f8cb5392e0ce8bddda
-
Filesize
945KB
MD52b0403cb1af4c3285deafbf3f72fd608
SHA1c17f0cd037a51d14c2a0c3a19914bdafcdb78a16
SHA2561a8d5a60eeebe51fcb006ceb65a39db5fbc6c31124f954b8e2cc29e588247171
SHA512d450fb3f13cf48566f05e73c529f5d42be66712febc96ec939bd3272e7f5f9e0a5954d898ffce81d90d45f4906feed4b9a43cec5517b983a3ca435323574e647
-
Filesize
210KB
MD5e03a0056e75d3a5707ba199bc2ea701f
SHA1bf40ab316e65eb17a58e70a3f0ca8426f44f5bef
SHA2567826395127e791a883359ea81308174700da0af8052cc9853b19fd29c2e4badb
SHA512b0a3cfb6b34832f048fe0fc70c6fa76ae16a2cacda930f6529a83a967d6e8de1c69b93e0de3dc2126c5385d85e814687e695a0a4131399a69633141cad98da2a
-
Filesize
63KB
MD5ef3b47b2ea3884914c13c778ff29eb5b
SHA1dc2b1fa7c7547d8f1ad3f20f9060f7bc686118e0
SHA256475f7cdffd8ed4d6f52bd98ae2bb684f1c923a1be2a692757a9af788a39b1d87
SHA5129648d951d8d3640436c8029fd0f06786f7ff8f52191cd6959569c87868bb6c40ac8c7e495c09377a8a5c85e8d3942551c37eb84e916b5c16327d8d43a167820e
-
Filesize
436KB
MD598e59596edd9b888d906c5409e515803
SHA1b79d73967a2df21d00740bc77ccebda061b44ab6
SHA256a6ca13af74a64e4ab5ebb2d12b757cecf1a683cb9cd0ae7906db1b4b2c8a90c0
SHA512ba617227849d2eb3285395e2d1babfe01902be143144be895011f0389f1860d0d7f08c6bbc4d461384eba270f866cce3351f52af1dc9ef9719c677619de79e42
-
Filesize
1.1MB
MD51681f93e11a7ed23612a55bcef7f1023
SHA19b378bbdb287ebd7596944bce36b6156caa9ff7d
SHA2567ed5369fcf0283ea18974c43dbff80e6006b155b76da7c72fa9619eb03f54cef
SHA512726e8f58648a6abaf1f2d5bebcf28c1d8320551a3b6e7eef0cf8d99f9ef941e30e7004c24c98e9b5e931a86128d26de7decba202390665a005e972dcbe87ab93
-
Filesize
1.9MB
MD569121901517af9636019d37b9a93cc55
SHA142e39d1d7803221f28a05dccbbc519e33d164c96
SHA2565bf3a1e1148684c8e9c2f767e6c1535e233cc1548ff347f0652c03d140060004
SHA51276dc7588c444f79859a0c325d630dd0d2a996be78fc2e528e37aa82ea7b1568e1edae53310983622069e69ff32606715227d76d4248768110d37a00317329b93
-
Filesize
222KB
MD53cb8f7606940c9b51c45ebaeb84af728
SHA17f33a8b5f8f7210bd93b330c5e27a1e70b22f57b
SHA2562feec33d1e3f3d69c717f4528b8f7f5c030caae6fb37c2100cb0b5341367d053
SHA5127559cdf6c8dbea052242f3b8129979f7d2d283f84040f1d68ae10438548072715a56a5af88b8562aeea7143194e7c5bddac3fdb01ded411a0b1cac9f0c6eef3f