File name:	Set@up#!Files-P@ssw0rD__~2502~_.zip
Full analysis:	https://app.any.run/tasks/6a0816d2-ce79-4ffd-bbca-907be92ed1de
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 25, 2024, 10:52:51
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	hijackloader loader lumma stealer
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	553E70ACE4A49194CA7917E85F19CE87
SHA1:	82E875E141A211CD59830F4482CDEC94BFA0C9D6
SHA256:	31A8DEED75082F9897D824A0AEBADDA2ED2405CD8942B7B07BCFB2433316DA3A
SSDEEP:	196608:Ue6gmWkF2p+8FFD+ekaioC+FmbkM3d3mre3JTi8/v/sJPyHas2:qHHo+Qyeo+y3d3mTc/sJPyV2

ZipRequiredVersion:	788
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:02:25 02:11:30
ZipCRC:	0x6a665f87
ZipCompressedSize:	21337777
ZipUncompressedSize:	21380122
ZipFileName:	Set@up#!Files-P@ssw0rD__~2502~_.rar


(PID) Process:	(1432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 005B0500B56CCCCFD867DA01
(PID) Process:	(1432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(1432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(1432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Set@up#!Files-P@ssw0rD__~2502~_.zip
(PID) Process:	(1432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1432) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop
(PID) Process:	(5332) OpenWith.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithProgids
Operation:	write	Name:	WinRAR
Value:

PID	Process	Filename		Type
608	WinRAR.exe	C:\Users\admin\Desktop\Resource\AuditSettings.admx		xml
		MD5:9A36A7410B4EF98B36DA553E050B9788	SHA256:EBAC316580540B7EE8E399F890470527E456F2C6A103FCC899F4B2442D8E69F7
608	WinRAR.exe	C:\Users\admin\Desktop\Resource\Biometrics.admx		xml
		MD5:4477D655300DCEC702C8A5306F52BBF0	SHA256:DB3071F9B86AE33E84FC2BAB130A139AB9E251BBFA0F25C25486F6004D23AF8E
1432	WinRAR.exe	C:\Users\admin\Desktop\Set@up#!Files-P@ssw0rD__~2502~_.rar		compressed
		MD5:7F8FB6D3EB2ED284C434D4F369572C3F	SHA256:0D6A739CCCC2439DC4EE491CC16129D2A92BE3B005B76861E24535D5ED6A25EC
608	WinRAR.exe	C:\Users\admin\Desktop\Resource\AppxPackageManager.admx		xml
		MD5:8F6EACF6BA3557C023B7EF52CF374796	SHA256:A57C185E3692BD976618A9C3D225B61F352931C61EBB4CEDEB1931FA4826DDD6
608	WinRAR.exe	C:\Users\admin\Desktop\Resource\AppXRuntime.admx		xml
		MD5:88D794EA092EF395433CFA321D06E5E4	SHA256:5AFC969E4212A6511F307385C99B8868E8C873183DC271BBB95BA571B24EB53E
608	WinRAR.exe	C:\Users\admin\Desktop\Resource\ActiveXInstallService.admx		xml
		MD5:8DA98067914A630ADF461C878CCC961E	SHA256:DA28B81AD52F6E929EBEDEBA0FACB765037031061EC7CB53E08DF2031CBAE4C3
608	WinRAR.exe	C:\Users\admin\Desktop\Resource\AddRemovePrograms.admx		xml
		MD5:93FE765FEA18D3369319B1E2C2198ACA	SHA256:61583DFD5E07FB3ECEB722ABC37A285BA18188E7F5577DE41AB75E45906BBEAA
608	WinRAR.exe	C:\Users\admin\Desktop\Resource\AppCompat.admx		xml
		MD5:9F090D18F3BDB120480CC63F1BC5E5FD	SHA256:3377EAAE4A6F7CD036D70C5F3358870F29AC536C06A4FD784D10E1840201B1DB
608	WinRAR.exe	C:\Users\admin\Desktop\Resource\AutoPlay.admx		xml
		MD5:99C0E5F09E95743EA9C0A3A6971F298A	SHA256:DADCF29EC6BEC77A29A5B7836228F91BD5FAEF58D54AEEF851B524593B1CD1C6
608	WinRAR.exe	C:\Users\admin\Desktop\Resource\CEIPEnable.admx		xml
		MD5:3360B68B429776B19A070725365D776E	SHA256:EC3A99EEDF207B7471485EB0F7583CF1FFE009D0BD3D968441F0EB8559FAEF0F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1412	svchost.exe	GET	200	2.16.164.35:80	http://www.msftconnecttest.com/connecttest.txt	unknown	text	22 b	unknown
3752	svchost.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?63f8edf39384d519	unknown	compressed	4.66 Kb	unknown
3752	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
5180	msedge.exe	224.0.0.251:5353	—	—	—	unknown
4588	svchost.exe	239.255.255.250:1900	—	—	—	unknown
5944	svchost.exe	2.19.85.159:443	—	Akamai International B.V.	NL	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1412	svchost.exe	2.16.164.42:80	—	Akamai International B.V.	NL	unknown
1412	svchost.exe	2.16.164.35:80	—	Akamai International B.V.	NL	unknown
3752	svchost.exe	40.126.32.72:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
3752	svchost.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	whitelisted
3752	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1696	win_rtm.090713-1255.exe	104.21.80.118:443	technologyenterdo.shop	CLOUDFLARENET	—	unknown

Domain	IP	Reputation
login.live.com	40.126.32.72 40.126.32.140 40.126.32.68 40.126.32.134 20.190.160.22 40.126.32.136 20.190.160.20 20.190.160.17	whitelisted
ctldl.windowsupdate.com	93.184.221.240	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
technologyenterdo.shop	104.21.80.118 172.67.180.132	unknown
bitbucket.org	104.192.141.1	shared
v20.events.data.microsoft.com	40.79.173.40	whitelisted
cs.dds.microsoft.com	20.82.217.86	whitelisted
v10.events.data.microsoft.com	20.50.201.200	whitelisted

PID	Process	Class	Message
1412	svchost.exe	Misc activity	ET INFO Microsoft Connection Test
1676	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (technologyenterdo .shop)
1696	win_rtm.090713-1255.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI)
1696	win_rtm.090713-1255.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI)
1696	win_rtm.090713-1255.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI)
1696	win_rtm.090713-1255.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI)
1696	win_rtm.090713-1255.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI)

General Info

Set@up#!Files-P@ssw0rD__~2502~_.zip

553E70ACE4A49194CA7917E85F19CE87

82E875E141A211CD59830F4482CDEC94BFA0C9D6

31A8DEED75082F9897D824A0AEBADDA2ED2405CD8942B7B07BCFB2433316DA3A

196608:Ue6gmWkF2p+8FFD+ekaioC+FmbkM3d3mre3JTi8/v/sJPyHas2:qHHo+Qyeo+y3d3mTc/sJPyV2

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

HIJACKLOADER has been detected (YARA)

LUMMA has been detected (SURICATA)

Actions looks like stealing of personal data

SUSPICIOUS

Reads the Internet Settings

Process drops legitimate windows executable

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Reads settings of System Certificates

Searches for installed software

INFO

Drops the executable file immediately after the start

Reads Microsoft Office registry keys

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Checks supported languages

Creates files or folders in the user directory

Manual execution by a user

Reads the computer name

Create files in a temporary directory

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings