File name: TF2+XHack.zip
Full analysis: https://app.any.run/tasks/b7f8c05f-00cc-41d4-84de-18399e1ad014
Verdict: Malicious activity
Analysis date: May 20, 2019, 11:16:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 6D72B32A304C968033819BCD8F7039F6
SHA1: 78B6CD8B699D73CF0D92CF90FC43FF9BA7209937
SHA256: 37024F8A28E3822BB6E0F775CF2F4297896558021D25679AC8FB9AAF895531C7
SSDEEP: 24576:kgYK2hbI9nT2hSyJTaXIY4Tm2aEQEMcNY144742QeCvv4lc4reh9uHMi/:pd9n6hSfXIx0i+484iCn4lbO9OMi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Extreme Injector v3.exe (PID: 4024)
      • Extreme Injector v3.exe (PID: 2768)
      • Extreme Injector v3.exe (PID: 2820)
      • Extreme Injector v3.exe (PID: 2548)
      • dxwebsetup.exe (PID: 2296)
      • dxwsetup.exe (PID: 4052)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 832)
      • Extreme Injector v3.exe (PID: 4024)
      • dxwsetup.exe (PID: 4052)
    • Changes the autorun value in the registry

      • dxwebsetup.exe (PID: 2296)
    • Changes settings of System certificates

      • Extreme Injector v3.exe (PID: 4024)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3364)
      • dxwebsetup.exe (PID: 2296)
      • dxwsetup.exe (PID: 4052)
      • Extreme Injector v3.exe (PID: 4024)
    • Reads Environment values

      • Extreme Injector v3.exe (PID: 2768)
      • Extreme Injector v3.exe (PID: 4024)
    • Application launched itself

      • Extreme Injector v3.exe (PID: 2548)
      • Extreme Injector v3.exe (PID: 2820)
    • Removes files from Windows directory

      • dxwsetup.exe (PID: 4052)
    • Adds / modifies Windows certificates

      • Extreme Injector v3.exe (PID: 4024)
    • Creates files in the Windows directory

      • dxwsetup.exe (PID: 4052)
  • INFO

    • Manual execution by user

      • Extreme Injector v3.exe (PID: 2548)
    • Reads settings of System Certificates

      • Extreme Injector v3.exe (PID: 4024)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipFileName: TF2 XHack/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2018:07:06 15:29:15
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
Total processes: 47
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 1

Process information

PID: 3364
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\TF2+XHack.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2820
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\Extreme Injector v3.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\Extreme Injector v3.exe
Parent process: WinRAR.exe
User: admin
Company: master131
Integrity Level: MEDIUM
Description: Extreme Injector
Exit code: 0
Version: 3.7.3.0

PID: 2768
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\Extreme Injector v3.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\Extreme Injector v3.exe
Parent process: Extreme Injector v3.exe
User: admin
Company: master131
Integrity Level: HIGH
Description: Extreme Injector
Exit code: 0
Version: 3.7.3.0

PID: 2548
CMD: "C:\Users\admin\Desktop\Extreme Injector v3.exe"
Path: C:\Users\admin\Desktop\Extreme Injector v3.exe
Parent process: explorer.exe
User: admin
Company: master131
Integrity Level: MEDIUM
Description: Extreme Injector
Exit code: 0
Version: 3.7.3.0

PID: 4024
CMD: "C:\Users\admin\Desktop\Extreme Injector v3.exe"
Path: C:\Users\admin\Desktop\Extreme Injector v3.exe
Parent process: Extreme Injector v3.exe
User: admin
Company: master131
Integrity Level: HIGH
Description: Extreme Injector
Exit code: -
Version: 3.7.3.0

PID: 832
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 2296
CMD: "C:\Users\admin\AppData\Local\Temp\ez25op3y.zoa\dxwebsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\ez25op3y.zoa\dxwebsetup.exe
Parent process: Extreme Injector v3.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DirectX 9.0 Web setup
Exit code: 2852126720
Version: 9.29.1974.0

PID: 4052
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Parent process: dxwebsetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DirectX Setup
Exit code: 2852126720
Version: 4.9.0.0904

Total events: 1 724
Read events: 1 579
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 9
Suspicious files: 0
Text files: 44
Unknown types: 0

Dropped files

PID: 3364 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3364.4787\TF2 XHack\X-HACK TF2.dll
Type: -
MD5: -
SHA256: -

PID: 4052 | Process: dxwsetup.exe
Filename: C:\Windows\system32\directx\websetup\SETDD77.tmp
Type: -
MD5: -
SHA256: -

PID: 4052 | Process: dxwsetup.exe
Filename: C:\Windows\system32\directx\websetup\SETDD78.tmp
Type: -
MD5: -
SHA256: -

PID: 3364 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\Read ME.txt
Type: text
MD5: 23C867EDAC59D5D6CA73BAFF10040282
SHA256: 13417E4D3B3E19A82B7F6A55BC9119F8CD6A7DA0B6E053671E681182880E66F3

PID: 4052 | Process: dxwsetup.exe
Filename: C:\Windows\Logs\DirectX.log
Type: text
MD5: 73B907C1E887490805CE6C13B7DC5E28
SHA256: E6495C2E08D456E94E53E606621DBE43F5EBFD73E4C2E269E31B5ECFBD1F1052

PID: 4052 | Process: dxwsetup.exe
Filename: C:\Windows\INF\setupapi.app.log
Type: text
MD5: B08FB1F019363CB1833069EF53DBA586
SHA256: BC61319354A4D3DBCEAA8AD8DF94C9893F221A23FD7B21EAD74735A226B325F7

PID: 4052 | Process: dxwsetup.exe
Filename: C:\Windows\Temp\OLD4E33.tmp
Type: -
MD5: -
SHA256: -

PID: 3364 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\X-HACK TF2.dll
Type: executable
MD5: 6D31CD45202DA09A69055694CE654130
SHA256: D402B9C95DB2787D71D296FFA65067830FF2E50F71675C1F7EA1B93B63F5D8CA

PID: 4024 | Process: Extreme Injector v3.exe
Filename: C:\Users\admin\Desktop\settings.xml
Type: xml
MD5: 7A19A8DBB127DEC0BBD5BD7CC609B14A
SHA256: 05C9AB2D51F7100477D97316605FA7D976AAD5C687746C1FA77DD7731173EF75

PID: 2768 | Process: Extreme Injector v3.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3364.1809\TF2 XHack\settings.xml
Type: xml
MD5: 87EA78350088549E7BF529C6BD2397D7
SHA256: 7091DAB01D68AE1979313D53F6580B0415C26BB2047A96A23FBEB29C5F6F7905

HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  | Process                 | IP                  | Domain                    | ASN                        | CN | Reputation
4024 | Extreme Injector v3.exe | 151.101.0.133:443   | raw.githubusercontent.com | Fastly                     | US | malicious
4024 | Extreme Injector v3.exe | 23.210.249.93:443   | www.microsoft.com         | Akamai International B.V.  | NL | whitelisted
4024 | Extreme Injector v3.exe | 2.21.36.168:443     | download.microsoft.com    | GTT Communications Inc.    | FR | malicious
2768 | Extreme Injector v3.exe | 151.101.64.133:443  | raw.githubusercontent.com | Fastly                     | US | suspicious
2768 | Extreme Injector v3.exe | 151.101.0.133:443   | raw.githubusercontent.com | Fastly                     | US | malicious


DNS requests

Domain                    | IP                                                                 | Reputation
raw.githubusercontent.com | 151.101.0.133, 151.101.64.133, 151.101.128.133, 151.101.192.133    | shared
www.microsoft.com         | 23.210.249.93                                                      | whitelisted
download.microsoft.com    | 2.21.36.168                                                        | whitelisted


Threats

No threats detected
Process      | Message
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | Invalid parameter passed to C runtime function.
dxwsetup.exe | Invalid parameter passed to C runtime function.
dxwsetup.exe | DLL_PROCESS_DETACH
dxwsetup.exe | DLL_PROCESS_DETACH