Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-09-2024 21:04
Behavioral task behavioral1: sample 123.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 123.exe, resource win10v2004-20240802-en
General
Target: 123.exe
Size: 8.2MB
MD5: f675e62581b09ecb840416233c8460bc
SHA1: b7a42ed4a3f13d13905d910f02147d8bdc040b2b
SHA256: b4fed30b7d5c533ae1a553607630badbdc10aeacb612ff996e919d014bc2313c
SHA512: 3bebe82737757c606356cab8877aa7ece5304f7eebbff1695bc4f20502e981d9ce4551ad3492f7c5580bd06d94cd63cd70a8706d24e73ae52e55e38f0f9b9a8a
SSDEEP: 196608:ZEI9eJx7jQ/b7NuD4VuRS79tcM6vJKjJQQcrgUEr0NFMx3BWhp6D:ZEI9eXQ/b7NuD4VuRS79tczvJJQcrPEL
Malware Config
Extracted: stealc
benjiworld9
http://5.188.86.71
url_path: /05feb00efef399f8.php
Signatures

Detects HijackLoader (aka IDAT Loader) (1 IoC)
resource: behavioral2/memory/5056-1-0x0000000000400000-0x0000000000C48000-memory.dmp
yara_rule: family_hijackloader
HijackLoader is a multistage loader first seen in 2023.
Deletes itself (1 IoC)
pid 1476, process cmd.exe

Suspicious use of SetThreadContext (1 IoC)
PID 5056 (123.exe) set thread context of 1476 (procid_target 83)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process 123.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process explorer.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid 5056, process 123.exe (4 entries)
pid 1476, process cmd.exe (2 entries)

Suspicious behavior: MapViewOfSection (2 IoCs)
pid 5056, process 123.exe
pid 1476, process cmd.exe

Suspicious use of WriteProcessMemory (8 IoCs)
PID 5056 (123.exe) wrote to memory of 1476 (procid_target 83), 4 entries
PID 1476 (cmd.exe) wrote to memory of 1920 (procid_target 92), 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\123.exe, command line "C:\Users\Admin\AppData\Local\Temp\123.exe", PID 5056
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe, command line C:\Windows\SysWOW64\cmd.exe, PID 1476
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe, command line C:\Windows\SysWOW64\explorer.exe, PID 1920
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 909KB
MD5: 0dadc961ffd455eaf2545c2e529d0b36
SHA1: dd7d6de275988985b495eb283d53274014c78ad9
SHA256: 2aa9ecf4c642533cbf9161f5fe199af8335f686d442fd47785993f26dd541821
SHA512: f26b09584e2995bbb7cbdaacfe4b4ea8b039a81c5a6b4711252f84f9d619134e2cd41aa6263306f0138ec539d101f79bc8875bd74907f5c88131fa10c7bc7397