hijackloader | b2b5c6a6a3e050dfe2aa13db6f9b02ce578dd224926f270ea0a433195ac1ba26 | Triage

Analysis

max time kernel
93s
max time network
144s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
07/04/2025, 17:36

Sharing

Report Analysis Logs

General

Target

WinMergeU.exe
Size

6.8MB
MD5

7f6e0664d4c5bcb2e823194a4b7fed92
SHA1

aeec739892a9bbd88c4031095e1428a6264c672e
SHA256

b2b5c6a6a3e050dfe2aa13db6f9b02ce578dd224926f270ea0a433195ac1ba26
SHA512

9f408086fd148d8a2769c7f97e6c3aea19e9242bc07cc8f82cacd099541269e71a09621c8de2627733846000879598ab2c45dccc348794dc815238aa39379143
SSDEEP

98304:zv4Bj7wWhZtiabODR9KI586Tz+yVpzhdfm8oAOz+yzp0BMW:sBj7wmZtiabgRE2THpzjefU

Score

10^/10

hijackloader loader

Malware Config

Extracted

Family

hijackloader

Attributes

directory
%APPDATA%\EMDB
inject_dll
%windir%\SysWOW64\esent.dll

xor.hex

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/4388-0-0x00007FF7F0E30000-0x00007FF7F1513000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4388	WinMergeU.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4388	WinMergeU.exe
4388	WinMergeU.exe
4388	WinMergeU.exe

C:\Users\Admin\AppData\Local\Temp\WinMergeU.exe
"C:\Users\Admin\AppData\Local\Temp\WinMergeU.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4388-0-0x00007FF7F0E30000-0x00007FF7F1513000-memory.dmp

Filesize
6.9MB

Download
memory/4388-1-0x00007FFB16F20000-0x00007FFB17255000-memory.dmp

Filesize
3.2MB

Download