Analysis
- max time kernel: 97s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/02/2025, 18:34
Behavioral task behavioral1
- Sample: CAAAAFBKFI.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: CAAAAFBKFI.exe
- Resource: win10v2004-20250217-en
General
- Target: CAAAAFBKFI.exe
- Size: 2.7MB
- MD5: 62f9ab4067af92388be75b2cf9956e20
- SHA1: 3f9040c33118341edb168689ad852f1cddd0309e
- SHA256: c980444331ca7db229839e93c88dded4001943f0b71ec00d41f6ad3e76f5afb9
- SHA512: 47d881354cb8a99c54d8d92aea277d3c3d20508659378628aa9e606509e9ce8697214f0c00636d3f580d20cb6dab6b73e565cfbbd5dfb73201a7d43a9c7a4361
- SSDEEP: 49152:NamswIRUiME1+bu5kfl9KYhm8vKy/VLmtrShqFatM7XZhak:YmQ288iy9LxhQD7XZha
Malware Config
Signatures
Detects HijackLoader (aka IDAT Loader) 1 IoCs
- resource: behavioral2/memory/1356-12-0x0000000000400000-0x00000000006B1000-memory.dmp; yara_rule: family_hijackloader
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
Hijackloader family
Suspicious use of SetThreadContext 2 IoCs
- description: PID 1356 set thread context of 3676; pid: 1356; Process: CAAAAFBKFI.exe; procid_target: 95
- description: PID 3676 set thread context of 4504; pid: 3676; Process: cmd.exe; procid_target: 102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
- pid: 3108; pid_target: 4504; Process: WerFault.exe; procid_target: 102
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: CAAAAFBKFI.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: cmd.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: MSBuild.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
- pid: 1356; Process: CAAAAFBKFI.exe (2 events)
- pid: 3676; Process: cmd.exe (2 events)
Suspicious behavior: MapViewOfSection 3 IoCs
- pid: 1356; Process: CAAAAFBKFI.exe (1 event)
- pid: 3676; Process: cmd.exe (2 events)
Suspicious use of AdjustPrivilegeToken 1 IoCs
- description: Token: SeDebugPrivilege; pid: 4504; Process: MSBuild.exe
Suspicious use of WriteProcessMemory 10 IoCs
- description: PID 1356 wrote to memory of 3676; pid: 1356; Process: CAAAAFBKFI.exe; procid_target: 95 (4 events)
- description: PID 3676 wrote to memory of 4504; pid: 3676; Process: cmd.exe; procid_target: 102 (6 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\CAAAAFBKFI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CAAAAFBKFI.exe"
  PID: 1356
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\SysWOW64\cmd.exe
    PID: 3676
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      PID: 4504
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 964
        PID: 3108
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4504 -ip 4504
  PID: 4264
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 710KB
- MD5: a8401638c5c4f58125d00702b962331b
- SHA1: 90a4e7dc9e077e954ff624b4a74eb7708dbb7956
- SHA256: 407dcfcbea0fd529c8a2e9bee330c266a7f82843beaa8849c83863be89eecfcb
- SHA512: 9e4aff5d784dbd52a6bb1f7833ca469bc40733355700d3dc32991fc0169cf53bb021e4f6ae3fff9f2708cfa92c0c574e99cb06c575da4b2c34e3e6fb2938480e