2ef3fa41128486d6759bbfc29a65c12e1417c2b19624c31f326d1a6d6e89b7ac

Analysis

max time kernel
141s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe
Size

1.8MB
MD5

5c75deeae8b11c6d2318c313673ed114
SHA1

5cb92d1966405a46d6f272ef5a8395ea0ad0f6a1
SHA256

2ef3fa41128486d6759bbfc29a65c12e1417c2b19624c31f326d1a6d6e89b7ac
SHA512

e444fe7070a6e699a5ebe6ae87c442b28d8cf4f1ebb03d684a863a202d7bf1a8e678c4b708faf665749f49f2c2c3de89c696398574e3b9d2db68887f7d216a40
SSDEEP

49152:DRPGoEzlgpp7oNB89z0lDyLYMCFI3BCYNIjPkCgbak:DRPjER/bI3BCGzik

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4672	svchost.exe
4292	2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe
4676	svchost.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\RegisterGet.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4292	2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe
4292	2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4672	3444	2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe	84
PID 3444 wrote to memory of 4672	3444	2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe	84
PID 3444 wrote to memory of 4672	3444	2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe	84
PID 4672 wrote to memory of 4292	4672	svchost.exe	85
PID 4672 wrote to memory of 4292	4672	svchost.exe	85
PID 4672 wrote to memory of 4292	4672	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4292

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-10-31_5c75deeae8b11c6d2318c313673ed114_hijackloader_jeefo_magniber.exe

Filesize
1.7MB

MD5
e6f5789292d0ebc67109070235bcf085

SHA1
cf3cadf0b494ad4f127c33b438855d1797600365

SHA256
820fc4ecc75b03bb09c52f51180accc4125b5d974533b5c7c0bf5c63beef6df1

SHA512
3d16377d9e10d09a23a4fc607b9648860059e899192c142ad120efa63cb7dbe82227eff77748b18c97739ec9b2f15fd6b95733c5f6908931600dd6d44d71b4d0

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/3444-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-13-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/4672-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4676-14-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4676-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4676-24-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4676-25-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download