hijackloader | b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477

Resubmissions

13-02-2025 14:36

250213-ryptbazlcy 10

13-02-2025 12:03

250213-n75dksyjat 10

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13-02-2025 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe
Size

10.9MB
MD5

c836c14219ca56536439cc008608740f
SHA1

a4e237dbd668e757595084872a921746edbcd418
SHA256

b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477
SHA512

d03cf84096cf6b34be6fa15f18a0e8b721b2f9400d1dd95f7e584b27c938c6b4f3ec72dd424c4f81d9af5917c607d8ae3c00c2e321b571d2ace024110a6a66d6
SSDEEP

196608:JrH67uot0SW/ZA9SL3oSzC1/OxwnIBSnCITfLb8MAFGrCaPiqXpAo83jVolDN/+K:Jvo2nZA9SMSzCl7YSnC8fLbUGr0UAH34

Score

10^/10

hijackloader defense_evasion discovery loader persistence privilege_escalation

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019fc3-127.dat	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk	netsh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.lnk	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2912	_is6F75.exe
1048	vmtoolsd.exe

Loads dropped DLL 10 IoCs

pid	Process
2952	b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe
2912	_is6F75.exe
2912	_is6F75.exe
1048	vmtoolsd.exe
1048	vmtoolsd.exe
1048	vmtoolsd.exe
1048	vmtoolsd.exe
1048	vmtoolsd.exe
1048	vmtoolsd.exe
1048	vmtoolsd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 1452	1048	vmtoolsd.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_is6F75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmtoolsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1048	vmtoolsd.exe
1452	netsh.exe
1452	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1048	vmtoolsd.exe
1452	netsh.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2912	2952	b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe	30
PID 2952 wrote to memory of 2912	2952	b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe	30
PID 2952 wrote to memory of 2912	2952	b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe	30
PID 2952 wrote to memory of 2912	2952	b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe	30
PID 2952 wrote to memory of 2912	2952	b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe	30
PID 2952 wrote to memory of 2912	2952	b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe	30
PID 2952 wrote to memory of 2912	2952	b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe	30
PID 2912 wrote to memory of 1048	2912	_is6F75.exe	31
PID 2912 wrote to memory of 1048	2912	_is6F75.exe	31
PID 2912 wrote to memory of 1048	2912	_is6F75.exe	31
PID 2912 wrote to memory of 1048	2912	_is6F75.exe	31
PID 1048 wrote to memory of 1452	1048	vmtoolsd.exe	32
PID 1048 wrote to memory of 1452	1048	vmtoolsd.exe	32
PID 1048 wrote to memory of 1452	1048	vmtoolsd.exe	32
PID 1048 wrote to memory of 1452	1048	vmtoolsd.exe	32
PID 1048 wrote to memory of 1452	1048	vmtoolsd.exe	32
PID 2912 wrote to memory of 2116	2912	_is6F75.exe	34
PID 2912 wrote to memory of 2116	2912	_is6F75.exe	34
PID 2912 wrote to memory of 2116	2912	_is6F75.exe	34
PID 2912 wrote to memory of 2116	2912	_is6F75.exe	34
PID 1452 wrote to memory of 1348	1452	netsh.exe	36
PID 1452 wrote to memory of 1348	1452	netsh.exe	36
PID 1452 wrote to memory of 1348	1452	netsh.exe	36
PID 1452 wrote to memory of 1348	1452	netsh.exe	36
PID 1452 wrote to memory of 1348	1452	netsh.exe	36
PID 1452 wrote to memory of 1348	1452	netsh.exe	36

C:\Users\Admin\AppData\Local\Temp\b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe
"C:\Users\Admin\AppData\Local\Temp\b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\{4D3F3385-B60B-4A3D-9F68-88F16C75F122}\_is6F75.exe
  "C:\Users\Admin\AppData\Local\Temp\{4D3F3385-B60B-4A3D-9F68-88F16C75F122}\_is6F75.exe" -IS_temp ORIGINALSETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" ORIGINALSETUPEXENAME="b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\vmtoolsd.exe
    "C:\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\vmtoolsd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      4⤵
      Drops startup file
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\{4D3F3385-B60B-4A3D-9F68-88F16C75F122}\_is6F75.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2a8b9380

Filesize
900KB

MD5
a7042cb10b5860552c28cf053f29e190

SHA1
47bb0699a1fce5faa857e751d7cbf4af4eb71162

SHA256
3b659564e9b400481209e5447518441557b3ebe2491d646e16d38bff4a35870b

SHA512
804141958e43482ac8b49b21317680abeb7063c4e07eceb2b21140fb596ae3a08dddeef16b26ac8adbc77c893a4be39e235b39267dc510f2d213f605d3a01229

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4D3F3385-B60B-4A3D-9F68-88F16C75F122}\SuiteSetup.ini

Filesize
127B

MD5
e45a9bc0a5f9a8334ddc22c1d6f2a182

SHA1
8251edf84a83f435907d9f54626b95882fc85de4

SHA256
c32b270d5d13fd5ea5616834517bc1591c4a5f8a392bed3dc7d70f3fbf79b75f

SHA512
a7a93b5e17226c9abb1e2005cdd2e54cea616f691f525bfb438509c616ca1f4f8179fc34cb31fad74fc8268895bd61b793618d05724b0d3a2e7f2b3a95df900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\crinoid.jpeg

Filesize
723KB

MD5
be07f9c4b1e294459ca4d3485b36e417

SHA1
224da0cb9bd665b690166f63e37538dd7479c340

SHA256
58eb477af0311544b8939d99f22dce69edcf3ad918274102c093966f1b4612f4

SHA512
f1f9fbb1b498e63eaf3ec5cf382eb5f10720213e39077f1ee4410dd06ecc3421fa49cf5646d9292c9dee60a29beb0b65d268dc39ed5514908670b8a80bd3b35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\ISLogoSmall.png

Filesize
1KB

MD5
0de9d9bd4ae583015157d5d3bc77801f

SHA1
6201c31badab2c50fd0c619704622e0e0cad9f5e

SHA256
3039e1e23afc42bd3c07a8f4b65fb5d0377ca70f9f4ffb6fd7e7f33d82d837d1

SHA512
b393ad1dadb60723b6032c0dc6cb9c50709b516c5f5d414b788e79b944e8a4c988c2425798f4a9b8bd05bc6d18f37cb3fba55ce93228e13d38e974eb18ee3ba2

Download Submit
\Users\Admin\AppData\Local\Temp\{4D3F3385-B60B-4A3D-9F68-88F16C75F122}\_is6F75.exe

Filesize
10.9MB

MD5
c836c14219ca56536439cc008608740f

SHA1
a4e237dbd668e757595084872a921746edbcd418

SHA256
b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477

SHA512
d03cf84096cf6b34be6fa15f18a0e8b721b2f9400d1dd95f7e584b27c938c6b4f3ec72dd424c4f81d9af5917c607d8ae3c00c2e321b571d2ace024110a6a66d6

Download Submit
\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\glib-2.0.dll

Filesize
1.0MB

MD5
2c86ec2ba23eb138528d70eef98e9aaf

SHA1
246846a3fe46df492f0887a31f7d52aae4faa71a

SHA256
030983470da06708cc55fd6aca92df199a051922b580db5db55c8cb6b203b51b

SHA512
396a3883fa65d7c3a0af7d607001a6099316a85563147cb34fa9806c9a4b39cfa90c7fa9eb4456399977eb47438d10896d25ed5327ae7aa3e3ae28cd1d13701c

Download Submit
\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\gmodule-2.0.dll

Filesize
24KB

MD5
b0a421b1534f3194132ec091780472d8

SHA1
699b1edc2cb19a48999a52a62a57ffc0f48f1a78

SHA256
2d6bc34b38bc0abf0c5e2f40e2513b4df47af57848534e011a76d4e974ad958b

SHA512
ba74654843c5b0f94dfefbed81cbee4c5f360193ef8ea92836c712fbeada39fa8179a51f0849f6c4be23add1ced08f5e25f873c4b0e7533ae647fa2b19b83f98

Download Submit
\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\gobject-2.0.dll

Filesize
281KB

MD5
24a7a712160abc3f23f7410b18de85b8

SHA1
a01c3e116b6496c9feaa2951f6f6633bb403c3a1

SHA256
78dd76027e10c17824978db821777fcaa58d7cd5d5eb9d80d6ee817e26b18ab8

SHA512
d1f14a7bd44e1fc9bfc61f0b751ee6e0677322807ce5621206eeef898bab6c71ef1464962b20dc50f706084e53281a0d4b6d9142c6c1170a1e0a5fe4b12171df

Download Submit
\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\gthread-2.0.dll

Filesize
31KB

MD5
78cf6611f6928a64b03a57fe218c3cd4

SHA1
c3f167e719aa944af2e80941ac629d39cec22308

SHA256
dbaad965702b89c371462e735dd925c694eda8d8557b280f7264bba992c0e698

SHA512
5caf019a6b75ba0330b8d0b60d362201d4863c0f3d70d2a9c84b6dbea2027d09bc8a6433820f28a41d126c7aaa13dbe126b38dc5c6d14a67ddef402fed9d9b7c

Download Submit
\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\iconv.dll

Filesize
1.1MB

MD5
862dfc9bf209a46d6f4874614a6631cc

SHA1
43216aae64df217cba009145b6f9ad5b97fe927a

SHA256
84538f1aacebf9daad9fdb856611ab3d98a6d71c9ec79a8250eee694d2652a8b

SHA512
b0611cd9ad441871cca62291913197257660390fa4ea8a26cb41dc343a8a27ae111762de40c6f50cae3e365d8891500fc6ad0571aa3cd3a77eb83d9d488d19a8

Download Submit
\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\intl.dll

Filesize
87KB

MD5
7dec946e99d79de06b04da51a280c1b7

SHA1
2e247806df913c7eb4a7dfbda26b34a54c94af95

SHA256
c0a46dd783b5bfdb8752a96626a117a0af21229c686c9a79a9aea71031d4e92e

SHA512
31274d6cd6153cc5f8bfa16c0ef1924be504352802615996f9dad1feb432f334751f335a7f03fc282b4cb967d9cab7d8a1ffea8dca5cea1f282129ea76ac43e9

Download Submit
\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\vmtools.dll

Filesize
617KB

MD5
65c3c2a741838474a592679cda346753

SHA1
043d80766dd4e49d8dca6ac72b04e09b5491fdc9

SHA256
4e5f2c54d9ecfe48999edfcce0de038948f8b20ff68e299c55d9a2d6f65713e8

SHA512
e5d8b308586ffa914f46b6766217eb12ad759853d25108db06170b870d0e8947e2befabc2843f76cb864b0f0135a8f2163b7c93fe644b293789919d1d07c4079

Download Submit
\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Coba\vmtoolsd.exe

Filesize
63KB

MD5
ae224c5e196ff381836c9e95deebb7d5

SHA1
910446a2a0f4e53307b6fdeb1a3e236c929e2ef4

SHA256
bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26

SHA512
f845dbb13b04f76b6823bec48e1c47f96bcbd6d02a834c8b128ac750fe338b53f775ee2a8784e8c443d49dfcb918c5b9d59b5492a1fe18743b8ba65b7d12514c

Download Submit
\Users\Admin\AppData\Local\Temp\{AB254679-C067-460A-9E9D-9109180CA75C}\Setup_UI.dll

Filesize
911KB

MD5
f437389551192e19c60236f2175a40e5

SHA1
0f60f429c678787713597bc9268bc2a4d2dc68c6

SHA256
05652b16afce690e686495a22a3cb483d9c1055891e2af89e60f309b752e2398

SHA512
7b80bc23bd06ad37511f1ed561f804fc3fcfe68c3b9429f08a294aef4837edc383bddd50875aeecc8008db9462d3405498c92e8219fa37f61160e4a0f6dd1027

Download Submit
memory/1048-116-0x0000000000310000-0x0000000000424000-memory.dmp

Filesize
1.1MB

Download
memory/1048-128-0x0000000074830000-0x00000000749A4000-memory.dmp

Filesize
1.5MB

Download
memory/1048-130-0x0000000074830000-0x00000000749A4000-memory.dmp

Filesize
1.5MB

Download
memory/1048-129-0x0000000074836000-0x0000000074838000-memory.dmp

Filesize
8KB

Download
memory/1048-133-0x0000000074830000-0x00000000749A4000-memory.dmp

Filesize
1.5MB

Download
memory/1348-299-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1348-298-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1348-300-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/1348-301-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1452-291-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/1452-296-0x0000000074830000-0x00000000749A4000-memory.dmp

Filesize
1.5MB

Download
memory/2912-21-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download