hijackloader | e483ca3bc78e49f0ceef3406ea963101fe1d2b08b4bace6945ac9298222b8c37

General

Target

e483ca3bc78e49f0ceef3406ea963101fe1d2b08b4bace6945ac9298222b8c37.msi
Size

3.0MB
MD5

da2c2debc2177026f359f4f06db67ea2
SHA1

c9b0cb497058b925ecb430d0e29d16fd0ca273a4
SHA256

e483ca3bc78e49f0ceef3406ea963101fe1d2b08b4bace6945ac9298222b8c37
SHA512

9885d2dbec4e3599862fc76c56773de56944adfa09322b7c401550dcfbaa49e95bdf27daf1515873fdc9a4c56ad6ab8195e6b9556afc8e3488401174a5203f5d
SSDEEP

49152:Ch4L8r6F5mCmR+XuhqZL+H9IyKficUAG595WpZsNAaudSIu:Fo6NZLSIX6cZGZWUNAaud

Score

10^/10

hijackloader remcos v2 discovery loader persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

v2

C2

185.157.162.126:1995

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
qsdazeazd-EL00KX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\audiogram.tif	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

EHttpSrv.execmd.exe

description pid process target process

PID 5060 set thread context of 816 5060 EHttpSrv.exe cmd.exe
PID 816 set thread context of 2588 816 cmd.exe EHttpSrv.exe

description	pid	process	target process
PID 5060 set thread context of 816	5060	EHttpSrv.exe	cmd.exe
PID 816 set thread context of 2588	816	cmd.exe	EHttpSrv.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA378.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e579cad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0E4.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA25D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e579cad.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D49.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

EHttpSrv.exe

pid process

5060 EHttpSrv.exe
Loads dropped DLL 7 IoCs

Processes:

MsiExec.exeEHttpSrv.exeEHttpSrv.exe

pid process

1552 MsiExec.exe
1552 MsiExec.exe
1552 MsiExec.exe
1552 MsiExec.exe
5060 EHttpSrv.exe
5060 EHttpSrv.exe
2588 EHttpSrv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

1608 msiexec.exe

pid	process
5060	EHttpSrv.exe

pid	process
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
5060	EHttpSrv.exe
5060	EHttpSrv.exe
2588	EHttpSrv.exe

pid	process
1608	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EHttpSrv.execmd.exeEHttpSrv.exeMsiExec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHttpSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHttpSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

msiexec.exeEHttpSrv.execmd.exe

pid process

2952 msiexec.exe
2952 msiexec.exe
5060 EHttpSrv.exe
816 cmd.exe
816 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

EHttpSrv.execmd.exe

pid process

5060 EHttpSrv.exe
816 cmd.exe
816 cmd.exe

pid	process
2952	msiexec.exe
2952	msiexec.exe
5060	EHttpSrv.exe
816	cmd.exe
816	cmd.exe

pid	process
5060	EHttpSrv.exe
816	cmd.exe
816	cmd.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1608	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1608	msiexec.exe
Token: SeSecurityPrivilege	2952	msiexec.exe
Token: SeCreateTokenPrivilege	1608	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1608	msiexec.exe
Token: SeLockMemoryPrivilege	1608	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1608	msiexec.exe
Token: SeMachineAccountPrivilege	1608	msiexec.exe
Token: SeTcbPrivilege	1608	msiexec.exe
Token: SeSecurityPrivilege	1608	msiexec.exe
Token: SeTakeOwnershipPrivilege	1608	msiexec.exe
Token: SeLoadDriverPrivilege	1608	msiexec.exe
Token: SeSystemProfilePrivilege	1608	msiexec.exe
Token: SeSystemtimePrivilege	1608	msiexec.exe
Token: SeProfSingleProcessPrivilege	1608	msiexec.exe
Token: SeIncBasePriorityPrivilege	1608	msiexec.exe
Token: SeCreatePagefilePrivilege	1608	msiexec.exe
Token: SeCreatePermanentPrivilege	1608	msiexec.exe
Token: SeBackupPrivilege	1608	msiexec.exe
Token: SeRestorePrivilege	1608	msiexec.exe
Token: SeShutdownPrivilege	1608	msiexec.exe
Token: SeDebugPrivilege	1608	msiexec.exe
Token: SeAuditPrivilege	1608	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1608	msiexec.exe
Token: SeChangeNotifyPrivilege	1608	msiexec.exe
Token: SeRemoteShutdownPrivilege	1608	msiexec.exe
Token: SeUndockPrivilege	1608	msiexec.exe
Token: SeSyncAgentPrivilege	1608	msiexec.exe
Token: SeEnableDelegationPrivilege	1608	msiexec.exe
Token: SeManageVolumePrivilege	1608	msiexec.exe
Token: SeImpersonatePrivilege	1608	msiexec.exe
Token: SeCreateGlobalPrivilege	1608	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1608 msiexec.exe
1608 msiexec.exe

pid	process
1608	msiexec.exe
1608	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeEHttpSrv.execmd.exe

description	pid	process	target process
PID 2952 wrote to memory of 1552	2952	msiexec.exe	MsiExec.exe
PID 2952 wrote to memory of 1552	2952	msiexec.exe	MsiExec.exe
PID 2952 wrote to memory of 1552	2952	msiexec.exe	MsiExec.exe
PID 2952 wrote to memory of 5060	2952	msiexec.exe	EHttpSrv.exe
PID 2952 wrote to memory of 5060	2952	msiexec.exe	EHttpSrv.exe
PID 2952 wrote to memory of 5060	2952	msiexec.exe	EHttpSrv.exe
PID 5060 wrote to memory of 816	5060	EHttpSrv.exe	cmd.exe
PID 5060 wrote to memory of 816	5060	EHttpSrv.exe	cmd.exe
PID 5060 wrote to memory of 816	5060	EHttpSrv.exe	cmd.exe
PID 5060 wrote to memory of 816	5060	EHttpSrv.exe	cmd.exe
PID 816 wrote to memory of 2588	816	cmd.exe	EHttpSrv.exe
PID 816 wrote to memory of 2588	816	cmd.exe	EHttpSrv.exe
PID 816 wrote to memory of 2588	816	cmd.exe	EHttpSrv.exe
PID 816 wrote to memory of 2588	816	cmd.exe	EHttpSrv.exe
PID 816 wrote to memory of 2588	816	cmd.exe	EHttpSrv.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e483ca3bc78e49f0ceef3406ea963101fe1d2b08b4bace6945ac9298222b8c37.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1608

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F1900F9D0030F07BEE3C7F86C053BABA
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
  "C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
      C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

System Binary Proxy Execution

1

T1218

Msiexec

1

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579cb0.rbs

Filesize
2KB

MD5
3a537048304bad5c2e53a992d177b400

SHA1
d1954745220480c3324dff466638e7eb76903a23

SHA256
8c44061abba79f5d4b495249a370d63d16da3bae5c54fd11493a5909f30665ec

SHA512
b0411148d9a2a109ff35d708b43475d0777d634c5c49a179de43317ed4492b19fb47c5c498d762a373e1e22ac3f338eb479281c7e45275db7c896a9e50119671

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f1716e2

Filesize
1.0MB

MD5
dc2b9ee32866d65b98e04999a4cbf3f3

SHA1
dd826826af1827e158cea41461ff8225aed63b95

SHA256
15cee494cfe585bb7104c6aaac0cfed3a49fae1caa76c2e75b46a4236e5ce9f2

SHA512
0ac992919e0ade1cc6e4d6783d161c508bbad3f8c58c4719805fd18222bad8dd15208cdc7bc1251a4a4e2c593f5511276c3ec73f8415dfeafdfd11f553d9ef5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Filesize
20KB

MD5
9329ba45c8b97485926a171e34c2abb8

SHA1
20118bc0432b4e8b3660a4b038b20ca28f721e5c

SHA256
effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659

SHA512
0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFC80U.DLL

Filesize
1.0MB

MD5
686b224b4987c22b153fbb545fee9657

SHA1
684ee9f018fbb0bbf6ffa590f3782ba49d5d096c

SHA256
a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36

SHA512
44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI799bf.LOG

Filesize
21KB

MD5
f2c72e42a1975cfaa801142c47b208c6

SHA1
4a7e03a56d0915afd1331fc22eb598faf05ee1b7

SHA256
d8b84ef710110c45d1ed6184052c258b4f58ba6118fa48707c7644c2b6ab3516

SHA512
caa932a8a0f33a0d1f707337dafc4d530fd3a0172096f15b61c7df3df86da0ca894ea761be4a9bbf88cbf9a7265d3474cfa3e45b6a28c04d6f7f5aaf6e027666

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiogram.tif

Filesize
877KB

MD5
5124236fd955464317fbb1f344a1d2f2

SHA1
fe3a91e252f1dc3c3b4980ade7157369ea6f5097

SHA256
ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6

SHA512
2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

Download Submit
C:\Users\Admin\AppData\Local\Temp\http_dll.dll

Filesize
883KB

MD5
4366cd6c5d795811822b9ccc3df3eab4

SHA1
30f6050729b4c08b7657454cb79dd5a3d463c606

SHA256
55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da

SHA512
4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

Download Submit
C:\Windows\Installer\MSI9D49.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
memory/816-54-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

Filesize
2.0MB

Download
memory/816-56-0x0000000074280000-0x00000000743FB000-memory.dmp

Filesize
1.5MB

Download
memory/2588-58-0x0000000072E40000-0x0000000074094000-memory.dmp

Filesize
18.3MB

Download
memory/2588-67-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-75-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-60-0x00007FFD54710000-0x00007FFD54905000-memory.dmp

Filesize
2.0MB

Download
memory/2588-61-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-64-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-65-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-74-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-68-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-69-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-70-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-71-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-72-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2588-73-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/5060-51-0x0000000074280000-0x00000000743FB000-memory.dmp

Filesize
1.5MB

Download
memory/5060-45-0x0000000074280000-0x00000000743FB000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads