File name:

2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe

Full analysis: https://app.any.run/tasks/80cc53e8-2790-45ae-8c66-e0a1e95e64cc
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: July 25, 2024, 18:30:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
installer
hijackloader
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

9AB6880B493D9654733D6D4FAE0872C4

SHA1:

6A825737BB57A63D755FA68C2362721639587D2D

SHA256:

2EC43E78F3C28FB3DBA7C9FC3D3A48A66E2CEEE4FF360CA13404CBF1F0B73A89

SSDEEP:

98304:ojJwV03KLCgO2yXJ3Bp/h8866XSW1yD02ttZ90mo8CKZPk4WgnJ1eAZPNOcRZacR:l22EdAc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe (PID: 1504)
    • HIJACKLOADER has been detected (YARA)

      • 2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe (PID: 1504)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads the software policy settings

      • slui.exe (PID: 188)
    • Reads the computer name

      • 2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe (PID: 1504)
    • Checks supported languages

      • 2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe (PID: 1504)
    • Checks proxy server information

      • slui.exe (PID: 188)
    • Create files in a temporary directory

      • 2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe (PID: 1504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (45.2)
.exe | Win32 EXE PECompact compressed (generic) (43.6)
.exe | Win32 Executable (generic) (4.7)
.exe | Win16/32 Executable Delphi generic (2.1)
.exe | Generic Win/DOS Executable (2.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:11 09:19:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 3019264
InitializedDataSize: 2093056
UninitializedDataSize: -
EntryPoint: 0x2e2888
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 7.0.6.5176
ProductVersionNumber: 7.0.6.5176
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: VirtualBox DHCP Server
InternalName: VBoxNetDHCPHardened
OriginalFileName: VBoxNetDHCP.exe
CompanyName: Vektor T13 Technologies LLC.
FileVersion: 7.0.6.155176
LegalCopyright: Copyright (C) 2018-2024 Vektor T13 Technologies LLC.
ProductName: Antidetect 4 Patreon Premium Edition (January 2024 r.1)
ProductVersion: 7.0.6.155176
PrivateBuild: Private build by User
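The TRiD and EXIF blocks above are derived from the DOS/PE headers and the version resource, and they already tell a triage analyst something the verdict line does not: the version resource presents the file as "VirtualBox DHCP Server" (OriginalFileName VBoxNetDHCP.exe) while ProductName names an "Antidetect" build, and the header says InstallShield/PECompact-packed PE32 with linker version 2.25. The following helper, an added example that is not ANY.RUN's code, recomputes the MD5/SHA1/SHA256 used in the indicators section and decodes the same IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER fields the EXIF block lists, so the report can be checked against a local copy. The sample bytes it builds are constructed to carry the header values shown in the report (they are not the real file, and their hashes will not match the indicators above); the label strings for the characteristics bits are assumed to follow the report's wording.

```python
"""Triage helper: file hashes plus the PE32 header fields a sandbox's EXIF pane reports.

The embedded sample is CONSTRUCTED (headers only, no sections or code) to mirror the
report's values: Intel 386, linker 2.25, characteristics 0x818E, entry point 0x2e2888,
timestamp 2024-03-11 09:19:17 UTC. It is not the analysed file."""
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), labelled the way the report prints them.
CHARACTERISTICS = (
    (0x0001, "Relocs stripped"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0020, "Large address aware"),
    (0x0080, "Bytes reversed lo"),
    (0x0100, "32-bit"),
    (0x0200, "No debug"),
    (0x2000, "DLL"),
    (0x8000, "Bytes reversed hi"),
)
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 hex digests (lower-case) for matching against IOC lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def _ver(major: int, minor: int) -> str:
    # The report prints "5" for 5.0 but "2.25" for 2.25.
    return str(major) if minor == 0 else f"{major}.{minor}"


def parse_pe(data: bytes) -> dict:
    """Return EXIF-style fields for a PE32 image; raise ValueError on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes after the signature)
    machine, _nsect, stamp, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER starts right after the file header
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    code_sz, init_sz, uninit_sz, entry = struct.unpack_from("<4I", data, opt + 4)
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<6H", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "TimeStamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": ", ".join(label for bit, label in CHARACTERISTICS if chars & bit),
        "PEType": "PE32",
        "LinkerVersion": _ver(lnk_major, lnk_minor),
        "CodeSize": code_sz,
        "InitializedDataSize": init_sz,
        "UninitializedDataSize": uninit_sz or "-",
        "EntryPoint": f"0x{entry:x}",
        "OSVersion": _ver(os_maj, os_min),
        "ImageVersion": _ver(img_maj, img_min) if (img_maj or img_min) else "-",
        "SubsystemVersion": _ver(ss_maj, ss_min),
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_constructed_sample() -> bytes:
    """Constructed DOS stub + PE32 headers carrying the report's EXIF values (assumed layout, no code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature immediately after the stub
    stamp = int(datetime(2024, 3, 11, 9, 19, 17, tzinfo=timezone.utc).timestamp())
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x818E)
    opt = struct.pack("<HBB", 0x10B, 2, 25)  # PE32 magic, linker 2.25
    opt += struct.pack("<9I", 3019264, 2093056, 0, 0x2E2888, 0x1000, 0x2E3000, 0x400000, 0x1000, 0x200)
    opt += struct.pack("<6H", 5, 0, 0, 0, 5, 0)  # OS 5.0, image 0.0, subsystem 5.0
    opt += struct.pack("<4I", 0, 0x4E4000, 0x400, 0)  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0)  # Subsystem = Windows GUI, DllCharacteristics
    opt += struct.pack("<4I", 0x100000, 0x4000, 0x100000, 0x1000)  # stack/heap reserve and commit
    opt += struct.pack("<II", 0, 16)  # LoaderFlags, NumberOfRvaAndSizes
    opt += bytes(16 * 8)  # sixteen empty data directories
    assert len(opt) == 0xE0
    return bytes(dos) + b"PE\0\0" + file_hdr + opt


if __name__ == "__main__":
    sample = build_constructed_sample()
    for name, digest in file_hashes(sample).items():
        print(f"{name.upper()}: {digest}")
    for field, value in parse_pe(sample).items():
        print(f"{field}: {value}")
```

Run it against the real file with `parse_pe(open(path, "rb").read())`; if the hashes differ from the indicators block you are not looking at the same sample, and if the characteristics or entry point differ the file has been repacked. Version-resource strings (CompanyName, OriginalFileName, ProductName) live in the .rsrc section and are not parsed here.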
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe [#HIJACKLOADER]
slui.exe [no specs] (parent: svchost.exe, see process information below)

Process information

PID | CMD | Path | Indicators | Parent process
188 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | no specs | svchost.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Windows Activation Client
    Exit code: 0
    Version: 10.0.19041.1 (WinBuild.160101.0800)
    Modules (images):
        c:\windows\system32\slui.exe
        c:\windows\system32\ntdll.dll
        c:\windows\system32\kernel32.dll
        c:\windows\system32\kernelbase.dll
        c:\windows\system32\advapi32.dll
        c:\windows\system32\msvcrt.dll
        c:\windows\system32\sechost.dll
        c:\windows\system32\rpcrt4.dll
        c:\windows\system32\bcrypt.dll
        c:\windows\system32\user32.dll
1504 | "C:\Users\admin\Desktop\2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe" | C:\Users\admin\Desktop\2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe | HIJACKLOADER | explorer.exe
    User: admin
    Company: Vektor T13 Technologies LLC.
    Integrity Level: MEDIUM
    Description: VirtualBox DHCP Server
    Version: 7.0.6.155176
    Modules (images):
        c:\users\admin\desktop\2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe
        c:\windows\system32\ntdll.dll
        c:\windows\syswow64\ntdll.dll
        c:\windows\system32\wow64.dll
        c:\windows\system32\wow64win.dll
        c:\windows\system32\wow64cpu.dll
        c:\windows\syswow64\kernel32.dll
        c:\windows\syswow64\kernelbase.dll
        c:\windows\syswow64\apphelp.dll
        c:\windows\syswow64\oleaut32.dll
    (The wow64*.dll and syswow64 entries show a 32-bit image running under WOW64 on the 64-bit guest, consistent with the PE32 header above.)
Total events: 4 110
Read events: 4 110
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1504 | 2ec43e78f3c28fb3dba7c9fc3d3a48a66e2ceee4ff360ca13404cbf1f0b73a89.exe | C:\Users\admin\AppData\Local\Temp\c5e1ec17 | image
    MD5: E5BFF4E4D03BAB5F606CF7F76D3C8086
    SHA256: 4D4B01D97D0EB9FC777E8A7DA2D69A5E3BAF89491FAF68CE36C18FCD5AA0ACA4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 19
DNS requests: 5
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | - | xml | 512 b | unknown
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | - | xml | 512 b | unknown
- | - | POST | 200 | 20.42.65.88:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | - | binary | 9 b | unknown
- | - | POST | 401 | 4.209.32.198:443 | https://licensing.mp.microsoft.com/v7.0/licenses/content | - | binary | 340 b | unknown

The PID, Process and CN columns are empty in this export; all four requests go to Microsoft activation, licensing and telemetry endpoints, and none is attributed to the sample (PID 1504).

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3948 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6012 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3704 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4204 | svchost.exe | 4.208.221.206:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6012 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3948 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4372 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 142.250.186.110 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 52.168.117.168 | whitelisted

Threats

PID | Process | Class | Message
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method

The single IDS hit is a Suricata protocol-decode alert with no PID or process attributed in the export. Every connection and HTTP request listed above belongs to Windows system processes (System, svchost.exe, MoUsoCoreWorker.exe, RUXIMICS.exe) talking to Microsoft endpoints; the sample (PID 1504) produced no network activity in this run, so the network section does not corroborate the HijackLoader YARA verdict.
No debug info