hijackloader | 4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3.msi
Size

3.0MB
MD5

5d8dc4f7c58f4681dee4ee9f6ecc3498
SHA1

3eb23e362ecba770d842e99dd6bf386f1b6c0b47
SHA256

4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3
SHA512

765fa345c0fb369795e54e0506b6a8caebbffce1c7cbdf061520d9ece9a15b840fec967de692314e42b30ef29df1612dc12e70f19b1b87d6cbabc473b4f9558e
SSDEEP

49152:1W7g8r6F5mCmR+ZuBRQPcM6rUa1eH8CvQbFpsPNAbJU2DKcDahV3dZj:Zo6Au/6rUorpjbJTOcWTdZ

Score

10^/10

hijackloader remcos v2 discovery loader persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

185.157.162.126:1995

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
qsdazeazd-EL00KX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001904c-46.dat	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 2408	2612	EHttpSrv.exe	33
PID 2408 set thread context of 1660	2408	cmd.exe	36

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC7A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c69c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC989.tmp	msiexec.exe
File created	C:\Windows\Installer\f76c699.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c699.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC802.tmp	msiexec.exe
File created	C:\Windows\Installer\f76c69c.ipi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2612	EHttpSrv.exe

Loads dropped DLL 8 IoCs

pid	Process
532	MsiExec.exe
532	MsiExec.exe
532	MsiExec.exe
2612	EHttpSrv.exe
2612	EHttpSrv.exe
2408	cmd.exe
2408	cmd.exe
1660	EHttpSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2900	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHttpSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHttpSrv.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3064	msiexec.exe
3064	msiexec.exe
2612	EHttpSrv.exe
2408	cmd.exe
2408	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2612	EHttpSrv.exe
2408	cmd.exe
2408	cmd.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2900	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2900	msiexec.exe
Token: SeRestorePrivilege	3064	msiexec.exe
Token: SeTakeOwnershipPrivilege	3064	msiexec.exe
Token: SeSecurityPrivilege	3064	msiexec.exe
Token: SeCreateTokenPrivilege	2900	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2900	msiexec.exe
Token: SeLockMemoryPrivilege	2900	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2900	msiexec.exe
Token: SeMachineAccountPrivilege	2900	msiexec.exe
Token: SeTcbPrivilege	2900	msiexec.exe
Token: SeSecurityPrivilege	2900	msiexec.exe
Token: SeTakeOwnershipPrivilege	2900	msiexec.exe
Token: SeLoadDriverPrivilege	2900	msiexec.exe
Token: SeSystemProfilePrivilege	2900	msiexec.exe
Token: SeSystemtimePrivilege	2900	msiexec.exe
Token: SeProfSingleProcessPrivilege	2900	msiexec.exe
Token: SeIncBasePriorityPrivilege	2900	msiexec.exe
Token: SeCreatePagefilePrivilege	2900	msiexec.exe
Token: SeCreatePermanentPrivilege	2900	msiexec.exe
Token: SeBackupPrivilege	2900	msiexec.exe
Token: SeRestorePrivilege	2900	msiexec.exe
Token: SeShutdownPrivilege	2900	msiexec.exe
Token: SeDebugPrivilege	2900	msiexec.exe
Token: SeAuditPrivilege	2900	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2900	msiexec.exe
Token: SeChangeNotifyPrivilege	2900	msiexec.exe
Token: SeRemoteShutdownPrivilege	2900	msiexec.exe
Token: SeUndockPrivilege	2900	msiexec.exe
Token: SeSyncAgentPrivilege	2900	msiexec.exe
Token: SeEnableDelegationPrivilege	2900	msiexec.exe
Token: SeManageVolumePrivilege	2900	msiexec.exe
Token: SeImpersonatePrivilege	2900	msiexec.exe
Token: SeCreateGlobalPrivilege	2900	msiexec.exe
Token: SeRestorePrivilege	3064	msiexec.exe
Token: SeTakeOwnershipPrivilege	3064	msiexec.exe
Token: SeRestorePrivilege	3064	msiexec.exe
Token: SeTakeOwnershipPrivilege	3064	msiexec.exe
Token: SeRestorePrivilege	3064	msiexec.exe
Token: SeTakeOwnershipPrivilege	3064	msiexec.exe
Token: SeRestorePrivilege	3064	msiexec.exe
Token: SeTakeOwnershipPrivilege	3064	msiexec.exe
Token: SeRestorePrivilege	3064	msiexec.exe
Token: SeTakeOwnershipPrivilege	3064	msiexec.exe
Token: SeRestorePrivilege	3064	msiexec.exe
Token: SeTakeOwnershipPrivilege	3064	msiexec.exe
Token: SeRestorePrivilege	3064	msiexec.exe
Token: SeTakeOwnershipPrivilege	3064	msiexec.exe
Token: SeRestorePrivilege	3064	msiexec.exe
Token: SeTakeOwnershipPrivilege	3064	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2900	msiexec.exe
2900	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 532	3064	msiexec.exe	31
PID 3064 wrote to memory of 532	3064	msiexec.exe	31
PID 3064 wrote to memory of 532	3064	msiexec.exe	31
PID 3064 wrote to memory of 532	3064	msiexec.exe	31
PID 3064 wrote to memory of 532	3064	msiexec.exe	31
PID 3064 wrote to memory of 532	3064	msiexec.exe	31
PID 3064 wrote to memory of 532	3064	msiexec.exe	31
PID 3064 wrote to memory of 2612	3064	msiexec.exe	32
PID 3064 wrote to memory of 2612	3064	msiexec.exe	32
PID 3064 wrote to memory of 2612	3064	msiexec.exe	32
PID 3064 wrote to memory of 2612	3064	msiexec.exe	32
PID 2612 wrote to memory of 2408	2612	EHttpSrv.exe	33
PID 2612 wrote to memory of 2408	2612	EHttpSrv.exe	33
PID 2612 wrote to memory of 2408	2612	EHttpSrv.exe	33
PID 2612 wrote to memory of 2408	2612	EHttpSrv.exe	33
PID 2612 wrote to memory of 2408	2612	EHttpSrv.exe	33
PID 2408 wrote to memory of 1660	2408	cmd.exe	36
PID 2408 wrote to memory of 1660	2408	cmd.exe	36
PID 2408 wrote to memory of 1660	2408	cmd.exe	36
PID 2408 wrote to memory of 1660	2408	cmd.exe	36
PID 2408 wrote to memory of 1660	2408	cmd.exe	36
PID 2408 wrote to memory of 1660	2408	cmd.exe	36

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2900

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9D7DCD971865603511B853424F8C45F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:532
- C:\Users\Admin\AppData\Local\EHttpSrv.exe
  "C:\Users\Admin\AppData\Local\EHttpSrv.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Users\Admin\AppData\Local\EHttpSrv.exe
      C:\Users\Admin\AppData\Local\EHttpSrv.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76c69d.rbs

Filesize
2KB

MD5
684aa26fb43a5b8a9f73ec493512c151

SHA1
bcc253fb0a9e3f0a22f7709c94567482fc4d9759

SHA256
24d03eefe3d7804f4219f54bb7110378a43a07927ea7bd71df651c90d6020ea8

SHA512
7a8a1fb0dbc8c9a083cc7d57bf0ec8ac087e933a095519940949f94f642f70f0d2eaa582d3dd2a168a4ead3ca8f01d0d4ffad5c07e79dfa364d750b22e7096b8

Download Submit
C:\Users\Admin\AppData\Local\EHttpSrv.exe

Filesize
20KB

MD5
9329ba45c8b97485926a171e34c2abb8

SHA1
20118bc0432b4e8b3660a4b038b20ca28f721e5c

SHA256
effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659

SHA512
0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

Download Submit
C:\Users\Admin\AppData\Local\MFC80U.DLL

Filesize
1.0MB

MD5
686b224b4987c22b153fbb545fee9657

SHA1
684ee9f018fbb0bbf6ffa590f3782ba49d5d096c

SHA256
a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36

SHA512
44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6c5ee.LOG

Filesize
21KB

MD5
b227ac5c8b67d1fc1f2894c24b721b17

SHA1
3419087f0b3bd0dd674c2df1508db9db4f2c6ae7

SHA256
9c06faf2abd6999329a49631e890e1b0d95cbdb12795fb59ca80879ccb46aa28

SHA512
7a904f6a7a66189929f5547964e3105e5051ca0e288f63348ef8662cb6c64a0a23be625bddad4fd9558f8d57c18a255979cd598a28d39e911fa3377f1f93a0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae3d11bc

Filesize
1.0MB

MD5
926ea773dab6cdcc0b31b51f1fa5bff9

SHA1
042200d3056805a46742b413b54f1851ef31c341

SHA256
e1c33ab11c310a0cdf5e626e136a8e2299535f82da79053f9a09e4d8016b8365

SHA512
a09caed854cc44f6a200266a57c41c7a997faf57df10a7a995f87ae5ca002bc0b8a0427e2ad96b678f9ce9e87161dd059e8170255729601860bb602179dab484

Download Submit
C:\Users\Admin\AppData\Local\audiogram.tif

Filesize
877KB

MD5
5124236fd955464317fbb1f344a1d2f2

SHA1
fe3a91e252f1dc3c3b4980ade7157369ea6f5097

SHA256
ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6

SHA512
2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

Download Submit
C:\Users\Admin\AppData\Local\http_dll.dll

Filesize
883KB

MD5
4366cd6c5d795811822b9ccc3df3eab4

SHA1
30f6050729b4c08b7657454cb79dd5a3d463c606

SHA256
55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da

SHA512
4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

Download Submit
C:\Windows\Installer\MSIC6C8.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
memory/1660-101-0x0000000071570000-0x00000000725D2000-memory.dmp

Filesize
16.4MB

Download
memory/1660-111-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-119-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-118-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-117-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-103-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/1660-104-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-108-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-109-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-116-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-112-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-113-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-114-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/1660-115-0x00000000001C0000-0x0000000000244000-memory.dmp

Filesize
528KB

Download
memory/2408-98-0x0000000074BA0000-0x0000000074D14000-memory.dmp

Filesize
1.5MB

Download
memory/2408-51-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/2612-48-0x0000000074BA0000-0x0000000074D14000-memory.dmp

Filesize
1.5MB

Download
memory/2612-47-0x0000000074BA0000-0x0000000074D14000-memory.dmp

Filesize
1.5MB

Download