File name: 01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC.zip

Full analysis: https://app.any.run/tasks/a5f0a384-b112-416e-b61a-ab5a4588e331
Verdict: Malicious activity
Threats: HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: April 18, 2024, 13:58:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: hijackloader, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 93BA103F662E8DDBDA25EBC316887F76
SHA1: F0F5850E3ADF4FE9A73FCD16AFD2132CC71A5AE0
SHA256: 943AFB9406571059DD842DD828D1CAA1EA28C8B91447460CED61B0E90008B2B6
SSDEEP: 98304:+6Au4g1NgkwlYZZskpOvFdGZwkqQWfwbxNt6u/ckSNZhACi+heVD+GHojLXCL7sO:4T0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • HIJACKLOADER has been detected (YARA)

      • 01 CITACION DEMANDA.exe (PID: 3852)
      • 01 CITACION DEMANDA.exe (PID: 1924)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • WinRAR.exe (PID: 324)
    • Non-standard symbols in registry

      • POWERPNT.EXE (PID: 3072)
      • POWERPNT.EXE (PID: 2160)
  • INFO

    • Manual execution by a user

      • 01 CITACION DEMANDA.exe (PID: 3852)
      • POWERPNT.EXE (PID: 3072)
      • POWERPNT.EXE (PID: 2160)
      • 01 CITACION DEMANDA.exe (PID: 1924)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 324)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 324)
    • Checks supported languages

      • 01 CITACION DEMANDA.exe (PID: 3852)
      • 01 CITACION DEMANDA.exe (PID: 1924)
    • Reads the computer name

      • 01 CITACION DEMANDA.exe (PID: 3852)
      • 01 CITACION DEMANDA.exe (PID: 1924)
    • Creates files in the program directory

      • 01 CITACION DEMANDA.exe (PID: 3852)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:04:16 12:54:20
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: CITACION DEMANDA JUZGADO CIVIL DEL CIRC/
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start; winrar.exe; 01 citacion demanda.exe (#HIJACKLOADER); powerpnt.exe (no specs); powerpnt.exe (no specs); 01 citacion demanda.exe (#HIJACKLOADER)

Process information

PID: 324
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 1924
CMD: "C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\01 CITACION DEMANDA.exe"
Path: C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\01 CITACION DEMANDA.exe
Parent process: explorer.exe
User: admin
Company: IObit
Integrity Level: HIGH
Description: IObit RttHlp
Version: 11.0.0.0
Modules (images):
  c:\users\admin\desktop\01-citacion demanda juzgado civil del circ\citacion demanda juzgado civil del circ\01 citacion demanda.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\users\admin\desktop\01-citacion demanda juzgado civil del circ\citacion demanda juzgado civil del circ\rtl120.bpl
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 2160
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\blimp.pptx"
Path: C:\Program Files\microsoft office\Office14\POWERPNT.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft PowerPoint
Exit code: 0
Version: 14.0.6009.1000
Modules (images):
  c:\program files\microsoft office\office14\powerpnt.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  c:\program files\microsoft office\office14\ppcore.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3072
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\blimp.pptx"
Path: C:\Program Files\microsoft office\Office14\POWERPNT.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft PowerPoint
Exit code: 0
Version: 14.0.6009.1000
Modules (images):
  c:\program files\microsoft office\office14\powerpnt.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  c:\program files\microsoft office\office14\ppcore.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3852
CMD: "C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\01 CITACION DEMANDA.exe"
Path: C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\01 CITACION DEMANDA.exe
Parent process: explorer.exe
User: admin
Company: IObit
Integrity Level: MEDIUM
Description: IObit RttHlp
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 11.0.0.0
Modules (images):
  c:\users\admin\desktop\01-citacion demanda juzgado civil del circ\citacion demanda juzgado civil del circ\01 citacion demanda.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\users\admin\desktop\01-citacion demanda juzgado civil del circ\citacion demanda juzgado civil del circ\rtl120.bpl
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
Total events: 7 942
Read events: 7 841
Write events: 86
Delete events: 15

Modification events

All events below were written by PID 324 (WinRAR.exe), operation: write. Format is key\name = value.

HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes\ShellExtBMP = (empty)
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes\ShellExtIcon = (empty)
HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E\LanguageList = en-US
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory\3 = C:\Users\admin\Desktop\phacker.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory\2 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory\1 = C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory\0 = C:\Users\admin\AppData\Local\Temp\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC.zip
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths\name = 120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths\size = 80
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths\type = 120
Executable files: 3
Suspicious files: 4
Text files: 1
Unknown types: 3

Dropped files

Format: PID process: filename (type), followed by MD5 and SHA256 where the report lists them.

2160 POWERPNT.EXE: C:\Users\admin\AppData\Local\Temp\CVRDAF1.tmp.cvr (type, MD5 and SHA256 not listed)
3072 POWERPNT.EXE: C:\Users\admin\AppData\Local\Temp\CVRDC49.tmp.cvr (type, MD5 and SHA256 not listed)
324 WinRAR.exe: C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\01 CITACION DEMANDA.exe (executable)
  MD5: A2D70FBAB5181A509369D96B682FC641
  SHA256: 8AED681AD8D660257C10D2F0E85AE673184055A341901643F27AFC38E5EF8473
324 WinRAR.exe: C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\rtl120.bpl (executable)
  MD5: ADF82ED333FB5567F8097C7235B0E17F
  SHA256: D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50
3852 01 CITACION DEMANDA.exe: C:\ProgramData\IObit\IObitRtt\DBRtt.ept (binary)
  MD5: 92F65D0A348130615D380B67D9BE0B85
  SHA256: 9C9750F31C446092A435F0A61EEF66FC3BB2F99C0A82A4499C5C7F1CC328986B
324 WinRAR.exe: C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\vcl120.bpl (binary)
  MD5: C594D746FF6C99D140B5E8DA97F12FD4
  SHA256: 572EDB7D630E9B03F93BD15135D2CA360176C1232051293663EC5B75C2428AEC
2160 POWERPNT.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso1201.tmp (compressed)
  MD5: 112324B6F1275FCB20E76E1EC01FE2CF
  SHA256: 2252A704DD81E1F839894A44E9EC5594AD5A22B926AEEFA251FB2F3FF76D385D
2160 POWERPNT.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso416.tmp (compressed)
  MD5: 112324B6F1275FCB20E76E1EC01FE2CF
  SHA256: 2252A704DD81E1F839894A44E9EC5594AD5A22B926AEEFA251FB2F3FF76D385D
3072 POWERPNT.EXE: C:\Users\admin\AppData\Local\Temp\C00DC4A.tmp (text)
  MD5: 573FBEBE55D359BFCDDE6AC8C6138EF8
  SHA256: D85816948B149AB468F00BEDD5E039D9ACA46BC41338C264D78C02EB859092C6
324 WinRAR.exe: C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\Register.dll (executable)
  MD5: 666B1DCD5010D1318F5CD86BD805A6B0
  SHA256: 181041B08549687BE4B907807BC4610B99BAFAC419BF401DFBE885D6318BEF14
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Format: PID process: IP:port (reputation). The Domain, ASN and CN columns are empty for every row.

4 System: 192.168.100.255:137 (whitelisted)
(PID and process not listed): 224.0.0.252:5355 (unknown)
4 System: 192.168.100.255:138 (whitelisted)
1080 svchost.exe: 224.0.0.252:5355 (unknown)

DNS requests

No data

Threats

No threats detected
No debug info