Malware analysis processhacker-2.39-bin.zip Malicious activity

Add for printing

File name:	processhacker-2.39-bin.zip
Full analysis:	https://app.any.run/tasks/7af2d1e6-2929-47bb-ba83-23ff7c92e774
Verdict:	Malicious activity
Analysis date:	June 11, 2024, 00:34:03
OS:	Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	B444CF14642CE9B8D75E079166A5DF0B
SHA1:	8E8F8423D163D922242B8B7D85427664F77EDC97
SHA256:	2AFB5303E191DDE688C5626C3EE545E32E52F09DA3B35B20F5E0D29A418432F5
SSDEEP:	98304:jDqt5TrOmlLB/7rTOqcXfOzJR1qioDLK2EbhQ:3sTrHlB73OqX4ioDfshQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.1.22000.0
Adobe Acrobat (64-bit) (22.003.20314)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla 3.65.0 (3.65.0)
Google Chrome (123.0.6312.86)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java 8 Update 351 (64-bit) (8.0.3510.10)
Java Auto Updater (2.8.351.10)
Microsoft Edge (122.0.2365.92)
Microsoft Edge Update (1.3.185.17)
Microsoft Edge WebView2 Runtime (103.0.1264.77)
Microsoft Office Ev ve İş 2021 - tr-tr (16.0.16626.20134)
Microsoft Office Famille et Petite Entreprise 2021 - fr-fr (16.0.16626.20134)
Microsoft Office Hogar y Empresas 2021 - es-es (16.0.16626.20134)
Microsoft Office Home and Business 2021 - de-de (16.0.16626.20134)
Microsoft Office Home and Business 2021 - en-us (16.0.16626.20134)
Microsoft Office Home and Business 2021 - it-it (16.0.16626.20134)
Microsoft Office Home and Business 2021 - ja-jp (16.0.16626.20134)
Microsoft Office Home and Business 2021 - pt-br (16.0.16626.20134)
Microsoft Office Home 및 Business 2021 - ko-kr (16.0.16626.20134)
Microsoft Office для дома и бизнеса 2021 - ru-ru (16.0.16626.20134)
Microsoft OneDrive (22.077.0410.0007)
Microsoft Update Health Tools (4.75.0.0)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.16626.20118)
Office 16 Click-to-Run Licensing Component (16.0.16626.20118)
Office 16 Click-to-Run Localization Component (16.0.16626.20118)
Office 16 Click-to-Run Localization Component (16.0.16626.20118)
Office 16 Click-to-Run Localization Component (16.0.16626.20118)
Office 16 Click-to-Run Localization Component (16.0.16626.20118)
Office 16 Click-to-Run Localization Component (16.0.16626.20118)
Office 16 Click-to-Run Localization Component (16.0.16626.20118)
Office 16 Click-to-Run Localization Component (16.0.16626.20118)
Office 16 Click-to-Run Localization Component (16.0.16626.20118)
PowerShell 7-x64 (7.3.5.0)
VLC media player (3.0.11)
VLC media player 3.0.17 (64-bit) (3.0.17.0)
WinRAR 5.91 (64-bit) (5.91.0)

Hotfixes

Client LanguagePack Package
DotNetRollup
Ethernet Client Intel E1i68x64 FOD Package
Ethernet Client Intel E2f68 FOD Package
Ethernet Client Realtek Rtcx21x64 FOD Package
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5011048
Kernel LA57 FoD Package
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad System FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack 795
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
Wifi Client Broadcom Bcmpciedhd63 FOD Package
Wifi Client Broadcom Bcmwl63a FOD Package
Wifi Client Broadcom Bcmwl63al FOD Package
Wifi Client Intel Netwbw02 FOD Package
Wifi Client Intel Netwew00 FOD Package
Wifi Client Intel Netwew01 FOD Package
Wifi Client Intel Netwlv64 FOD Package
Wifi Client Intel Netwns64 FOD Package
Wifi Client Intel Netwsw00 FOD Package
Wifi Client Intel Netwtw02 FOD Package
Wifi Client Intel Netwtw04 FOD Package
Wifi Client Intel Netwtw06 FOD Package
Wifi Client Intel Netwtw08 FOD Package
Wifi Client Marvel Mrvlpcie8897 FOD Package
Wifi Client Qualcomm Athw8x FOD Package
Wifi Client Qualcomm Athwnx FOD Package
Wifi Client Qualcomm Qcamain10x64 FOD Package
Wifi Client Ralink Netr28x FOD Package
Wifi Client Realtek Rtl8187se FOD Package
Wifi Client Realtek Rtl8192se FOD Package
Wifi Client Realtek Rtl819xp FOD Package
Wifi Client Realtek Rtl85n64 FOD Package
Wifi Client Realtek Rtwlane FOD Package
Wifi Client Realtek Rtwlane01 FOD Package
Wifi Client Realtek Rtwlane13 FOD Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 2808)
SUSPICIOUS
- Drops a system driver (possible attempt to evade defenses)
  - WinRAR.exe (PID: 2808)
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 2808)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 2808)
  - ProcessHacker.exe (PID: 1536)
- Checks Windows Trust Settings
  - ProcessHacker.exe (PID: 1536)
- Reads the Internet Settings
  - ProcessHacker.exe (PID: 1536)
- Reads settings of System Certificates
  - ProcessHacker.exe (PID: 1536)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2808)
- Checks supported languages
  - ProcessHacker.exe (PID: 1536)
- Reads the computer name
  - ProcessHacker.exe (PID: 1536)
- Manual execution by a user
  - ProcessHacker.exe (PID: 1536)
- Reads CPU info
  - ProcessHacker.exe (PID: 1536)
- Reads the time zone
  - ProcessHacker.exe (PID: 1536)
- Reads the machine GUID from the registry
  - ProcessHacker.exe (PID: 1536)
- Reads Environment values
  - ProcessHacker.exe (PID: 1536)
- Checks proxy server information
  - ProcessHacker.exe (PID: 1536)
- Reads the software policy settings
  - ProcessHacker.exe (PID: 1536)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2016:03:29 12:18:08
ZipCRC:	0x34beb5ab
ZipCompressedSize:	7294
ZipUncompressedSize:	25995
ZipFileName:	CHANGELOG.txt

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1536

"C:\Users\admin\Desktop\x64\ProcessHacker.exe"

C:\Users\admin\Desktop\x64\ProcessHacker.exe

explorer.exe

User:

admin

Company:

wj32

Integrity Level:

HIGH

Description:

Process Hacker

Version:

2.39.0.124

Modules

Images
c:\users\admin\desktop\x64\processhacker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\winsta.dll
c:\windows\system32\user32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\win32u.dll

2808

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\processhacker-2.39-bin.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

5816

"C:\Windows\system32\DllHost.exe" /Processid:{B41DB860-64E4-11D2-9906-E49FADC173CA}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Version:

10.0.22000.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll

Add for printing

Total events

10 415

Read events

10 406

Write events

Delete events

Modification events


(PID) Process:	(2808) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 005B0500590AC81797BBDA01
(PID) Process:	(2808) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2808) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2808) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\processhacker-2.39-bin.zip
(PID) Process:	(2808) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2808) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2808) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2808) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1536) ProcessHacker.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\KProcessHacker3\Parameters
Operation:	write	Name:	SecurityLevel
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2808.37254\x64\plugins\ExtendedNotifications.dll		executable
		MD5:BE4DC4D2D1D05001AB0BB2BB8659BFAD	SHA256:61E8CD8DE80A5C0D7CED280FE04AD8387A846A7BF2EE51BCBBA96B971C7C1795
2808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2808.37254\x64\ProcessHacker.sig		binary
		MD5:2CCB4420D40893846E1F88A2E82834DA	SHA256:519C2C2CA0CAF00DB5B3EB2B79DFE42E6128161C13AEB4B4D8B86FBFFC67E3D4
2808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2808.37254\x64\plugins\NetworkTools.dll		executable
		MD5:D6BED1D6FDBED480E32FDD2DD4C13352	SHA256:476AA6AF14DD0B268786E32543B9A6917A298D4D90E1015DAC6FB2B522CF5D2E
2808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2808.37254\x64\plugins\DotNetTools.dll		executable
		MD5:B16CE8BA8E7F0EE83EC1D49F2D0AF0A7	SHA256:B4CC0280E2CAA0335361172CB7D673F745DEFC78299DED808426FFBC2458E4D9
2808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2808.37254\x64\plugins\ToolStatus.dll		executable
		MD5:3788EFFF135F8B17A179D02334D505E6	SHA256:5713D40DEC146DBC819230DAEFE1B886FA6D6F6DBD619301BB8899562195CBAB
2808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2808.37254\x64\plugins\HardwareDevices.dll		executable
		MD5:A46C8BB886E0B9290E5DBC6CA524D61F	SHA256:ACD49F2AA36D4EFB9C4949E2D3CC2BD7AEE384C2CED7AA9E66063DA4150FCB00
2808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2808.37254\x64\plugins\ExtendedServices.dll		executable
		MD5:4858BDB7731BF0B46B247A1F01F4A282	SHA256:5AE7C0972FD4E4C4AE14C0103602CA854377FEFCBCCD86FA68CFC5A6D1F99F60
2808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2808.37254\x64\plugins\SbieSupport.dll		executable
		MD5:37CBFA73883E7E361D3FA67C16D0F003	SHA256:57C56F7B312DC1F759E6AD039AAC3F36CE5130D259EB9FAAD77239083398308B
2808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2808.37254\x64\plugins\UserNotes.dll		executable
		MD5:E48C789C425F966F5E5EE3187934174F	SHA256:FC9D0D0482C63AB7F238BC157C3C0FED97951CCF2D2E45BE45C06C426C72CB52
2808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2808.37254\x64\plugins\Updater.dll		executable
		MD5:6976B57C6391F54DBD2828A45CA81100	SHA256:0C11CDC3765FFB53BA9707B6F99EC17AE4F7334578A935BA7BCBBC9C7BDEED2E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	403	2.19.105.250:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	2.19.105.250:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	2.19.105.250:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	2.19.105.250:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	2.19.105.250:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	2.19.105.250:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	2.19.105.250:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
2868	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	unknown
1536	ProcessHacker.exe	GET	301	104.18.37.111:80	http://processhacker.sourceforge.net/update.php	unknown	—	—	unknown
2828	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?02514b431d1af569	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	2.19.105.250:80	go.microsoft.com	AKAMAI-AS	DE	unknown
4552	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5264	svchost.exe	184.28.90.27:443	fs.microsoft.com	AKAMAI-AS	US	unknown
1536	ProcessHacker.exe	162.243.25.33:443	wj32.org	DIGITALOCEAN-ASN	US	unknown
2868	OfficeClickToRun.exe	51.132.193.104:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	unknown
2868	OfficeClickToRun.exe	192.229.221.95:80	—	EDGECAST	US	whitelisted
1536	ProcessHacker.exe	104.18.37.111:80	processhacker.sourceforge.net	CLOUDFLARENET	—	unknown
1536	ProcessHacker.exe	104.18.37.111:443	processhacker.sourceforge.net	CLOUDFLARENET	—	unknown
1536	ProcessHacker.exe	172.64.150.83:443	processhacker.sourceforge.io	CLOUDFLARENET	US	unknown

DNS requests

Domain	IP	Reputation
go.microsoft.com	2.19.105.250	whitelisted
fs.microsoft.com	184.28.90.27	whitelisted
wj32.org	162.243.25.33	whitelisted
self.events.data.microsoft.com	51.132.193.104	whitelisted
172.210.232.199.in-addr.arpa	—	unknown
95.221.229.192.in-addr.arpa	—	unknown
10.73.50.20.in-addr.arpa	—	unknown
158.240.127.40.in-addr.arpa	—	unknown
250.105.19.2.in-addr.arpa	—	unknown
27.90.28.184.in-addr.arpa	—	unknown

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Microsoft Connection Test

Add for printing

No debug info

General Info

processhacker-2.39-bin.zip

B444CF14642CE9B8D75E079166A5DF0B

8E8F8423D163D922242B8B7D85427664F77EDC97

2AFB5303E191DDE688C5626C3EE545E32E52F09DA3B35B20F5E0D29A418432F5

98304:jDqt5TrOmlLB/7rTOqcXfOzJR1qioDLK2EbhQ:3sTrHlB73OqX4ioDfshQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Drops a system driver (possible attempt to evade defenses)

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Reads the Internet Settings

Reads settings of System Certificates

INFO

Executable content was dropped or overwritten

Checks supported languages

Reads the computer name

Manual execution by a user

Reads CPU info

Reads the time zone

Reads the machine GUID from the registry

Reads Environment values

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings