analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | ITERHPGen.exe |
| Full analysis: | https://app.any.run/tasks/f5460478-4bb1-44eb-ab04-cefd76faf0ed |
| Verdict: | Malicious activity |
| Threats: | HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. |
| Analysis date: | October 04, 2024 at 06:31:11 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | AAAAA393163908E398AB99EB7E669E77 |
| SHA1: | 8B7BFB30142C3CDF3EFC03E5C4374F9F5086F105 |
| SHA256: | 23F1FDBD793CAF26CA17D0C0C0A07153A79F18A37B2949F7B9C91B37E36305F2 |
| SSDEEP: | 98304:+vJ6Z9edagU3hHjT/uj1Omrscu+K9mwcM29QGAHhJ2uv/n0X5pEtrewhPdo/H1Ib:7z8w |
MALICIOUS
HIJACKLOADER has been detected (YARA)
- ITERHPGen.exe (PID: 2380)
SUSPICIOUS
No suspicious indicators.INFO
Checks supported languages
- ITERHPGen.exe (PID: 2380)
Create files in a temporary directory
- ITERHPGen.exe (PID: 2380)
Manual execution by a user
- ITERHPGen.exe (PID: 4056)
- explorer.exe (PID: 1876)
Reads the computer name
- ITERHPGen.exe (PID: 2380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (67.7) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
| .exe | | | Win32 Executable (generic) (2.7) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:05:20 22:47:23+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Large address aware, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 6249472 |
| InitializedDataSize: | 2278912 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x5f7310 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.6.0.0 |
| ProductVersionNumber: | 1.6.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | VOVSOFT |
| FileDescription: | Visual Notes |
| FileVersion: | 1.6.0.0 |
| InternalName: | Visual Notes |
| LegalCopyright: | VOVSOFT |
| LegalTrademarks: | VOVSOFT |
| OriginalFileName: | vnotes.exe |
| ProgramID: | com.vovsoft.vnotes |
| ProductName: | Visual Notes |
| ProductVersion: | 1.6.0.0 |
| Comments: | VOVSOFT |
Total processes
41
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1876 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2380 | "C:\Users\admin\Downloads\ITERHPGen.exe" | C:\Users\admin\Downloads\ITERHPGen.exe | explorer.exe | ||||||||||||
User: admin Company: VOVSOFT Integrity Level: MEDIUM Description: Visual Notes Exit code: 3221225477 Version: 1.6.0.0 Modules
| |||||||||||||||
| 4056 | "C:\Users\admin\Downloads\ITERHPGen.exe" | C:\Users\admin\Downloads\ITERHPGen.exe | explorer.exe | ||||||||||||
User: admin Company: VOVSOFT Integrity Level: MEDIUM Description: Visual Notes Version: 1.6.0.0 Modules
| |||||||||||||||
Total events
127
Read events
127
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4056 | ITERHPGen.exe | C:\Users\admin\AppData\Local\Temp\ebc85a78 | image | |
MD5:EB01176CB6863EAB3D6489AA6B439820 | SHA256:BDBCCC5EEF6919E5388B94DAB3301DDA602837CEDAEAD3B29AF0E7A1DDAD8F59 | |||
| 2380 | ITERHPGen.exe | C:\Users\admin\AppData\Local\Temp\e6d18243 | image | |
MD5:EB01176CB6863EAB3D6489AA6B439820 | SHA256:BDBCCC5EEF6919E5388B94DAB3301DDA602837CEDAEAD3B29AF0E7A1DDAD8F59 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 239.255.255.250:3702 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |