hijackloader | d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Slf.msi
Size

4.3MB
MD5

8e31046891c36ca794fb01262cd890d9
SHA1

7f812da89f328e871290be32bdead1fc869377d6
SHA256

d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5
SHA512

95c4c8f0196a8e373913fc41eb44c70fa8abbea38324993aa42ca05be5d6229430a4e2a4671a914a4f00986b75845c247a91809aae994ff835aa56614606840d
SSDEEP

98304:uo6S33tZCcSqsOEUalW+TTsKBqVauPWJg9tyEsM2:uQ3DCcOzUaleKB4NcOoH

Score

10^/10

hijackloader remcos v2 discovery loader persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

185.157.162.126:1995

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
qsdazeazd-EL00KX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023ba6-44.dat	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 4544	1740	EHttpSrv.exe	86
PID 4544 set thread context of 4676	4544	cmd.exe	96

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\PackagerUpdt\audiogram.tif	msiexec.exe
File created	C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\PackagerUpdt\http_dll.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\PackagerUpdt\mfc80u.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\PackagerUpdt\Microsoft.VC80.CRT.manifest	msiexec.exe
File created	C:\Program Files (x86)\Common Files\PackagerUpdt\Microsoft.VC80.MFC.manifest	msiexec.exe
File created	C:\Program Files (x86)\Common Files\PackagerUpdt\Microsoft.VC80.MFCLOC.manifest	msiexec.exe
File created	C:\Program Files (x86)\Common Files\PackagerUpdt\msvcr80.dll	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5779e3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BF9.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5779e3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BE9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{507AAF69-5088-4927-93F7-0604B81FDD0D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C77.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1740	EHttpSrv.exe

Loads dropped DLL 7 IoCs

pid	Process
1660	MsiExec.exe
1660	MsiExec.exe
1660	MsiExec.exe
1660	MsiExec.exe
1740	EHttpSrv.exe
1740	EHttpSrv.exe
4676	EHttpSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2432	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHttpSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHttpSrv.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3372	msiexec.exe
3372	msiexec.exe
1740	EHttpSrv.exe
4544	cmd.exe
4544	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1740	EHttpSrv.exe
4544	cmd.exe
4544	cmd.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2432	msiexec.exe
Token: SeSecurityPrivilege	3372	msiexec.exe
Token: SeCreateTokenPrivilege	2432	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2432	msiexec.exe
Token: SeLockMemoryPrivilege	2432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2432	msiexec.exe
Token: SeMachineAccountPrivilege	2432	msiexec.exe
Token: SeTcbPrivilege	2432	msiexec.exe
Token: SeSecurityPrivilege	2432	msiexec.exe
Token: SeTakeOwnershipPrivilege	2432	msiexec.exe
Token: SeLoadDriverPrivilege	2432	msiexec.exe
Token: SeSystemProfilePrivilege	2432	msiexec.exe
Token: SeSystemtimePrivilege	2432	msiexec.exe
Token: SeProfSingleProcessPrivilege	2432	msiexec.exe
Token: SeIncBasePriorityPrivilege	2432	msiexec.exe
Token: SeCreatePagefilePrivilege	2432	msiexec.exe
Token: SeCreatePermanentPrivilege	2432	msiexec.exe
Token: SeBackupPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	2432	msiexec.exe
Token: SeShutdownPrivilege	2432	msiexec.exe
Token: SeDebugPrivilege	2432	msiexec.exe
Token: SeAuditPrivilege	2432	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2432	msiexec.exe
Token: SeChangeNotifyPrivilege	2432	msiexec.exe
Token: SeRemoteShutdownPrivilege	2432	msiexec.exe
Token: SeUndockPrivilege	2432	msiexec.exe
Token: SeSyncAgentPrivilege	2432	msiexec.exe
Token: SeEnableDelegationPrivilege	2432	msiexec.exe
Token: SeManageVolumePrivilege	2432	msiexec.exe
Token: SeImpersonatePrivilege	2432	msiexec.exe
Token: SeCreateGlobalPrivilege	2432	msiexec.exe
Token: SeRestorePrivilege	3372	msiexec.exe
Token: SeTakeOwnershipPrivilege	3372	msiexec.exe
Token: SeRestorePrivilege	3372	msiexec.exe
Token: SeTakeOwnershipPrivilege	3372	msiexec.exe
Token: SeRestorePrivilege	3372	msiexec.exe
Token: SeTakeOwnershipPrivilege	3372	msiexec.exe
Token: SeRestorePrivilege	3372	msiexec.exe
Token: SeTakeOwnershipPrivilege	3372	msiexec.exe
Token: SeRestorePrivilege	3372	msiexec.exe
Token: SeTakeOwnershipPrivilege	3372	msiexec.exe
Token: SeRestorePrivilege	3372	msiexec.exe
Token: SeTakeOwnershipPrivilege	3372	msiexec.exe
Token: SeRestorePrivilege	3372	msiexec.exe
Token: SeTakeOwnershipPrivilege	3372	msiexec.exe
Token: SeRestorePrivilege	3372	msiexec.exe
Token: SeTakeOwnershipPrivilege	3372	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2432	msiexec.exe
2432	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 1660	3372	msiexec.exe	84
PID 3372 wrote to memory of 1660	3372	msiexec.exe	84
PID 3372 wrote to memory of 1660	3372	msiexec.exe	84
PID 3372 wrote to memory of 1740	3372	msiexec.exe	85
PID 3372 wrote to memory of 1740	3372	msiexec.exe	85
PID 3372 wrote to memory of 1740	3372	msiexec.exe	85
PID 1740 wrote to memory of 4544	1740	EHttpSrv.exe	86
PID 1740 wrote to memory of 4544	1740	EHttpSrv.exe	86
PID 1740 wrote to memory of 4544	1740	EHttpSrv.exe	86
PID 1740 wrote to memory of 4544	1740	EHttpSrv.exe	86
PID 4544 wrote to memory of 4676	4544	cmd.exe	96
PID 4544 wrote to memory of 4676	4544	cmd.exe	96
PID 4544 wrote to memory of 4676	4544	cmd.exe	96
PID 4544 wrote to memory of 4676	4544	cmd.exe	96
PID 4544 wrote to memory of 4676	4544	cmd.exe	96

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2432

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E4D0BCA986D7005A101F0B2E47BE8AB7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1660
- C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe
  "C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe
      "C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5779e6.rbs

Filesize
2KB

MD5
7961604c9b2d7c7dce722134dbbc2445

SHA1
dc46d1665575a84d2cb00ecf94af6dfcfc0c093c

SHA256
e7bf630a7d2e5da03a17dff9a83c7d6729c9f01ea48846edf2ba55d88e935921

SHA512
edb7d2b08326ec0d8a447d2e10a74d844cfd0811d8adb481cb1576503f8d1ae820c78713d3bebafccea2d4a96b07e1b71b703bda0b8984934a279a59cf948465

Download Submit
C:\Program Files (x86)\Common Files\PackagerUpdt\EHttpSrv.exe

Filesize
20KB

MD5
9329ba45c8b97485926a171e34c2abb8

SHA1
20118bc0432b4e8b3660a4b038b20ca28f721e5c

SHA256
effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659

SHA512
0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

Download Submit
C:\Program Files (x86)\Common Files\PackagerUpdt\MFC80U.DLL

Filesize
1.0MB

MD5
686b224b4987c22b153fbb545fee9657

SHA1
684ee9f018fbb0bbf6ffa590f3782ba49d5d096c

SHA256
a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36

SHA512
44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

Download Submit
C:\Program Files (x86)\Common Files\PackagerUpdt\audiogram.tif

Filesize
877KB

MD5
5124236fd955464317fbb1f344a1d2f2

SHA1
fe3a91e252f1dc3c3b4980ade7157369ea6f5097

SHA256
ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6

SHA512
2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

Download Submit
C:\Program Files (x86)\Common Files\PackagerUpdt\http_dll.dll

Filesize
2.3MB

MD5
1e2a640f1a98da16fc61c865cec7d54e

SHA1
178563fab7b06e99551f66ba090d0911205a2fe4

SHA256
e296a18272a7bde471f37e51d49e6febe944ed4e78a2d5e79f1b2ee3330fb10f

SHA512
2426b1ce2bd01af6f34c56e1ef0290e521566ae1196a15aeb594bcf33793aa405ce01b4196bfe48de33320bab7a570a55110995025c54edcf790c2d10166fa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7789b.LOG

Filesize
20KB

MD5
6da83ab2f21a2b36f4c7dc3f5ec513a9

SHA1
a6843a95a37fd62771e79a77b81719ac0b3b88ba

SHA256
9cc363dac57c1bc759a3e474a0d139ce88e330032a8746205f5aa1ae2f60ca35

SHA512
5aab58702fc4beac822d396a7a43da1be2f6526aaa327188a773c8e2fe02bd934e613b528d74beefb0261876d4581bb4c3159ae8e1656d4f04aa9ad3e445f5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\f27ce9c3

Filesize
1.0MB

MD5
c851e11c6397c0605360bf2d0382341b

SHA1
9f2752881d5f750ceffe03207cb0d56a04421eae

SHA256
945ea5ebae0093dbf406b09b757b9ed08c0073f1b8f5146145fbea52c4f06e3a

SHA512
28d02f8fa1e4ef0b4b046e0605796a71a54949a6aacfd27e88562e697031c0f327bd53b716eb16493ecb6534b8f8c91ac49fb2b71ae9efcd2314f46e3ee6d2fe

Download Submit
C:\Windows\Installer\MSI7A50.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
memory/1740-45-0x0000000074650000-0x00000000747CB000-memory.dmp

Filesize
1.5MB

Download
memory/1740-46-0x0000000074650000-0x00000000747CB000-memory.dmp

Filesize
1.5MB

Download
memory/4544-54-0x00007FF902290000-0x00007FF902485000-memory.dmp

Filesize
2.0MB

Download
memory/4544-56-0x0000000074650000-0x00000000747CB000-memory.dmp

Filesize
1.5MB

Download
memory/4676-58-0x0000000073210000-0x0000000074464000-memory.dmp

Filesize
18.3MB

Download
memory/4676-60-0x00007FF902290000-0x00007FF902485000-memory.dmp

Filesize
2.0MB

Download
memory/4676-61-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-64-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-65-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-67-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-68-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-69-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-70-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-71-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-72-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-73-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-74-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4676-75-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download