File name: 01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC.zip

Full analysis: https://app.any.run/tasks/a5f0a384-b112-416e-b61a-ab5a4588e331
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: April 18, 2024, 13:58:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
hijackloader
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 93BA103F662E8DDBDA25EBC316887F76
SHA1: F0F5850E3ADF4FE9A73FCD16AFD2132CC71A5AE0
SHA256: 943AFB9406571059DD842DD828D1CAA1EA28C8B91447460CED61B0E90008B2B6
SSDEEP: 98304:+6Au4g1NgkwlYZZskpOvFdGZwkqQWfwbxNt6u/ckSNZhACi+heVD+GHojLXCL7sO:4T0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • HIJACKLOADER has been detected (YARA)

      • 01 CITACION DEMANDA.exe (PID: 3852)
      • 01 CITACION DEMANDA.exe (PID: 1924)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • WinRAR.exe (PID: 324)
    • Non-standard symbols in registry

      • POWERPNT.EXE (PID: 3072)
      • POWERPNT.EXE (PID: 2160)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 324)
    • Reads the computer name

      • 01 CITACION DEMANDA.exe (PID: 3852)
      • 01 CITACION DEMANDA.exe (PID: 1924)
    • Checks supported languages

      • 01 CITACION DEMANDA.exe (PID: 3852)
      • 01 CITACION DEMANDA.exe (PID: 1924)
    • Manual execution by a user

      • POWERPNT.EXE (PID: 2160)
      • POWERPNT.EXE (PID: 3072)
      • 01 CITACION DEMANDA.exe (PID: 3852)
      • 01 CITACION DEMANDA.exe (PID: 1924)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 324)
    • Creates files in the program directory

      • 01 CITACION DEMANDA.exe (PID: 3852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:04:16 12:54:20
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: CITACION DEMANDA JUZGADO CIVIL DEL CIRC/
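The static section above only says that the archive is stored (uncompressed), carries one directory entry, and uses a Spanish-language legal lure name (roughly "summons / lawsuit, civil circuit court"). The dropped-files list further down shows what that directory holds: one .exe, two .bpl modules, a .pptx decoy and trial.sql. The following Python is an added example, not part of the ANY.RUN report: it builds a constructed stand-in archive with the same layout and fake contents, identifies PE content by the MZ/PE magic rather than by extension, hashes each member, and flags the two layout patterns a triage analyst looks for in such lures (an executable shipped with loadable modules in the same folder, and a decoy document beside it). The rule set and thresholds are this example's own assumptions.

```python
"""Triage of a ZIP lure with the layout the report's TRiD/EXIF section shows.

Added example, not part of the ANY.RUN report. build_sample_zip() is a
constructed stand-in: same folder and file names as the report, fake bytes.
"""
import hashlib
import io
import zipfile

PE_SIGNATURE = b"PE\0\0"
EXEC_EXTS = {".exe", ".scr", ".com"}
MODULE_EXTS = {".dll", ".bpl", ".ocx", ".cpl"}   # loadable PE modules (.bpl = Delphi package)
DECOY_EXTS = {".pptx", ".docx", ".xlsx", ".pdf", ".rtf"}


def is_pe(data: bytes) -> bool:
    """True when an MZ stub's e_lfanew field points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def triage_archive(blob: bytes) -> dict:
    """Hash every member, detect PE content by magic, and report lure layouts."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            folder, _, name = info.filename.rpartition("/")
            ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
            entries.append({
                "path": info.filename, "folder": folder, "ext": ext,
                "stored": info.compress_type == zipfile.ZIP_STORED,
                "pe": is_pe(data),
                "sha256": hashlib.sha256(data).hexdigest().upper(),
            })

    findings = []
    # Rule 1: PE content behind an extension that should not be executable.
    for e in entries:
        if e["pe"] and e["ext"] not in (EXEC_EXTS | MODULE_EXTS):
            findings.append(f"PE disguised as '{e['ext'] or 'no extension'}': {e['path']}")

    # Rule 2: an .exe packed together with loadable modules and a decoy
    # document in one folder, the layout a side-loading lure needs.
    by_folder: dict = {}
    for e in entries:
        by_folder.setdefault(e["folder"], []).append(e)
    for group in by_folder.values():
        exes = [e for e in group if e["ext"] in EXEC_EXTS and e["pe"]]
        mods = [e["path"] for e in group if e["ext"] in MODULE_EXTS and e["pe"]]
        decoys = [e["path"] for e in group if e["ext"] in DECOY_EXTS]
        for exe in exes:
            if mods:
                findings.append(f"sideload layout: {exe['path']} with {', '.join(mods)}")
            if decoys:
                findings.append(f"decoy document beside executable: {decoys[0]}")
    return {"entries": entries, "findings": findings}


def _fake_pe(tag: bytes) -> bytes:
    """Minimal MZ header whose e_lfanew points at 'PE\\0\\0'; not a loadable image."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + PE_SIGNATURE + tag


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the report's layout; contents are fake."""
    root = "CITACION DEMANDA JUZGADO CIVIL DEL CIRC/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(root, b"")                                   # directory entry
        zf.writestr(root + "01 CITACION DEMANDA.exe", _fake_pe(b"exe"))
        zf.writestr(root + "rtl120.bpl", _fake_pe(b"rtl"))
        zf.writestr(root + "vcl120.bpl", _fake_pe(b"vcl"))
        zf.writestr(root + "blimp.pptx", b"PK\x03\x04 stand-in for the decoy deck")
        zf.writestr(root + "trial.sql", b"-- opaque blob; role not established by the report")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_zip())
    for e in result["entries"]:
        print(f"{'PE ' if e['pe'] else '   '} {e['sha256'][:16]}  {e['path']}")
    for f in result["findings"]:
        print("!!", f)
```

Run against the real archive, the SHA256 column should match the hashes in the dropped-files list; rule 1 never fires here because every PE member already carries an executable or module extension, which is itself worth noting: this lure relies on the user double-clicking an .exe, not on a hidden one.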
All screenshots are available in the full report
Total processes: 50
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

explorer.exe
  ├─ WinRAR.exe (PID 324)
  ├─ 01 CITACION DEMANDA.exe (PID 3852)  #HIJACKLOADER
  ├─ POWERPNT.EXE (PID 2160, no specs)
  ├─ POWERPNT.EXE (PID 3072, no specs)
  └─ 01 CITACION DEMANDA.exe (PID 1924)  #HIJACKLOADER

Process information

PID: 324
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC.zip"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1924
CMD:
"C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\01 CITACION DEMANDA.exe"
Path:
C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\01 CITACION DEMANDA.exe
Parent process:
explorer.exe
User:
admin
Company:
IObit
Integrity Level:
HIGH
Description:
IObit RttHlp
Version:
11.0.0.0
Modules
Images
c:\users\admin\desktop\01-citacion demanda juzgado civil del circ\citacion demanda juzgado civil del circ\01 citacion demanda.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\01-citacion demanda juzgado civil del circ\citacion demanda juzgado civil del circ\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2160
CMD:
"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\blimp.pptx"
Path:
C:\Program Files\microsoft office\Office14\POWERPNT.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Exit code:
0
Version:
14.0.6009.1000
Modules
Images
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3072
CMD:
"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\blimp.pptx"
Path:
C:\Program Files\microsoft office\Office14\POWERPNT.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Exit code:
0
Version:
14.0.6009.1000
Modules
Images
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3852
CMD:
"C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\01 CITACION DEMANDA.exe"
Path:
C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\01 CITACION DEMANDA.exe
Parent process:
explorer.exe
User:
admin
Company:
IObit
Integrity Level:
MEDIUM
Description:
IObit RttHlp
Exit code:
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION: this instance crashed on the 32-bit Windows 7 guest rather than exiting cleanly)
Version:
11.0.0.0
Modules
Images
c:\users\admin\desktop\01-citacion demanda juzgado civil del circ\citacion demanda juzgado civil del circ\01 citacion demanda.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\01-citacion demanda juzgado civil del circ\citacion demanda juzgado civil del circ\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
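The module lists above are the most useful part of this report. Both instances of 01 CITACION DEMANDA.exe carry a version resource naming IObit ("IObit RttHlp", 11.0.0.0) yet run from a Desktop folder under a court-summons file name, and each loads rtl120.bpl (a Delphi runtime package, which is a PE DLL) from that same folder. The report only records the module list; reading it as a renamed vendor binary side-loading a co-located module is the editor's inference, though it matches how HijackLoader is publicly described as being delivered. The Python below is an added example, not ANY.RUN code: it transcribes a trimmed version of these module lists into a constructed dataset and applies two heuristics of its own, a loadable module read from the image's own directory when that directory is outside the normally non-writable roots, and a company/description that shares no token with the file name. WinRAR and PowerPoint (which legitimately loads ppcore.dll from its own Program Files folder) must stay clean.

```python
"""Side-loading check over the loaded-module lists from the report above.

Added example, not ANY.RUN code. PROCESSES is transcribed from the report's
Process information section (lower-cased as shown there, trimmed to the
modules that matter); the rules are this example's own heuristics.
"""
import re
from pathlib import PureWindowsPath

# Locations a standard user cannot normally write to. A module loaded from
# the image's own directory is only suspicious when that directory lies
# outside these roots (Desktop, Temp, AppData, ...).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MODULE_EXTS = {".dll", ".bpl", ".ocx"}          # .bpl: Delphi runtime package

SAMPLE_DIR = (r"c:\users\admin\desktop\01-citacion demanda juzgado civil del circ"
              r"\citacion demanda juzgado civil del circ")
SYS32 = r"c:\windows\system32"

# (pid, image path, company, description, loaded modules), from the report
PROCESSES = [
    (324, r"c:\program files\winrar\winrar.exe", "Alexander Roshal", "WinRAR archiver",
     [r"c:\program files\winrar\winrar.exe", SYS32 + r"\ntdll.dll", SYS32 + r"\comdlg32.dll"]),
    (2160, r"c:\program files\microsoft office\office14\powerpnt.exe",
     "Microsoft Corporation", "Microsoft PowerPoint",
     [r"c:\program files\microsoft office\office14\powerpnt.exe", SYS32 + r"\ntdll.dll",
      r"c:\program files\microsoft office\office14\ppcore.dll"]),
    (1924, SAMPLE_DIR + r"\01 citacion demanda.exe", "IObit", "IObit RttHlp",
     [SAMPLE_DIR + r"\01 citacion demanda.exe", SYS32 + r"\ntdll.dll",
      SAMPLE_DIR + r"\rtl120.bpl", SYS32 + r"\oleaut32.dll"]),
    (3852, SAMPLE_DIR + r"\01 citacion demanda.exe", "IObit", "IObit RttHlp",
     [SAMPLE_DIR + r"\01 citacion demanda.exe", SYS32 + r"\ntdll.dll",
      SAMPLE_DIR + r"\rtl120.bpl", SYS32 + r"\oleaut32.dll"]),
]


def detect_sideload(processes) -> list:
    """Findings for images in user-writable paths that load co-located modules
    (rule 'sideload') or whose version info names a product that does not
    appear in the file name (rule 'renamed-vendor-binary')."""
    findings = []
    for pid, image, company, description, modules in processes:
        if image.lower().startswith(TRUSTED_ROOTS):
            continue                 # ppcore.dll beside powerpnt.exe is normal
        img = PureWindowsPath(image.lower())
        for mod in modules:
            m = PureWindowsPath(mod.lower())
            if m.suffix in MODULE_EXTS and m.parent == img.parent:
                findings.append({"pid": pid, "rule": "sideload",
                                 "detail": f"{m.name} loaded from image directory {m.parent}"})
        # Tokens of 4+ alphanumerics from company and description, e.g. 'iobit', 'rtthlp'
        tokens = set(re.findall(r"[a-z0-9]{4,}", f"{company} {description}".lower()))
        if tokens and not any(t in img.stem for t in tokens):
            findings.append({"pid": pid, "rule": "renamed-vendor-binary",
                             "detail": f"'{description}' ({company}) running as {img.name}"})
    return findings


if __name__ == "__main__":
    for f in detect_sideload(PROCESSES):
        print(f"PID {f['pid']:>5}  {f['rule']:<22} {f['detail']}")
```

The same two rules translate directly to an EDR query over image-load events (module directory equals process image directory, image directory not under Windows or Program Files). The version-info rule is deliberately loose; it is a triage hint, not a verdict, because legitimate installers also run vendor helpers under odd names.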
Total events: 7 942
Read events: 7 841
Write events: 86
Delete events: 15

Modification events

(PID) Process  Operation  Key  Name = Value
(324) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes  ShellExtBMP = (empty)
(324) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes  ShellExtIcon = (empty)
(324) WinRAR.exe  write  HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E  LanguageList = en-US
(324) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\ArcHistory  3 = C:\Users\admin\Desktop\phacker.zip
(324) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\ArcHistory  2 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(324) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\ArcHistory  1 = C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(324) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\ArcHistory  0 = C:\Users\admin\AppData\Local\Temp\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC.zip
(324) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  name = 120
(324) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  size = 80
(324) WinRAR.exe  write  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  type = 120

All of these are WinRAR's own UI and history state, none were written by the sample. Only ArcHistory entry 0 names the sample; entries 1 to 3 (a curl build, a Windows 7 update package, phacker.zip) are archives opened earlier on the sandbox image and must not be taken as indicators from this analysis.
Executable files: 3
Suspicious files: 4
Text files: 1
Unknown types: 3

Dropped files

PID 2160 POWERPNT.EXE
  C:\Users\admin\AppData\Local\Temp\CVRDAF1.tmp.cvr  (type and hashes not recorded)
PID 3072 POWERPNT.EXE
  C:\Users\admin\AppData\Local\Temp\CVRDC49.tmp.cvr  (type and hashes not recorded)
PID 324 WinRAR.exe
  C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\blimp.pptx  (binary)
  MD5: 9B0A3C4AC5FBBC54414DE7BDDB6E4DD7
  SHA256: 9563FF30632D17CDD810D4F51C24A22DABC960C3A1DB2EE5F229DCF57CDB9EA9
PID 324 WinRAR.exe
  C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\01 CITACION DEMANDA.exe  (executable)
  MD5: A2D70FBAB5181A509369D96B682FC641
  SHA256: 8AED681AD8D660257C10D2F0E85AE673184055A341901643F27AFC38E5EF8473
PID 2160 POWERPNT.EXE
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso1201.tmp  (compressed)
  MD5: 112324B6F1275FCB20E76E1EC01FE2CF
  SHA256: 2252A704DD81E1F839894A44E9EC5594AD5A22B926AEEFA251FB2F3FF76D385D
PID 2160 POWERPNT.EXE
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso416.tmp  (compressed)
  MD5: 112324B6F1275FCB20E76E1EC01FE2CF
  SHA256: 2252A704DD81E1F839894A44E9EC5594AD5A22B926AEEFA251FB2F3FF76D385D
PID 324 WinRAR.exe
  C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\vcl120.bpl  (binary)
  MD5: C594D746FF6C99D140B5E8DA97F12FD4
  SHA256: 572EDB7D630E9B03F93BD15135D2CA360176C1232051293663EC5B75C2428AEC
PID 324 WinRAR.exe
  C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\trial.sql  (binary)
  MD5: 86EF8137A63B54454D12721ED0BDC8F8
  SHA256: CE02C1401FB1C7BD28694CC899CD3E00336A30B55BE2448FFCB32243CD5B80EE
PID 2160 POWERPNT.EXE
  C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\~$blimp.pptx  (binary)
  MD5: 4733361B45F08621FE3F6F1362BCBE79
  SHA256: F85558284CBAB47C2EB6170E0B9AE5D27B5231637A4C1675474F7135AD08BF4E
PID 324 WinRAR.exe
  C:\Users\admin\Desktop\01-CITACION DEMANDA JUZGADO CIVIL DEL CIRC\CITACION DEMANDA JUZGADO CIVIL DEL CIRC\rtl120.bpl  (executable)
  MD5: ADF82ED333FB5567F8097C7235B0E17F
  SHA256: D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50

Only the five files written by WinRAR.exe (PID 324) are the archive's contents and therefore the indicators worth pivoting on: the .exe, rtl120.bpl, vcl120.bpl, blimp.pptx and trial.sql. The .cvr, mso*.tmp and ~$blimp.pptx entries are PowerPoint's own recovery, cache and lock files created when the decoy deck was opened.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP:port               Reputation
4     System       192.168.100.255:137   whitelisted
4     System       224.0.0.252:5355      unknown
4     System       192.168.100.255:138   whitelisted
1080  svchost.exe  224.0.0.252:5355      unknown

No domain, ASN or CN was recorded for any row. All four are Windows name-resolution background traffic (NetBIOS name and datagram service broadcasts on 137/138, LLMNR multicast on 5355) from the kernel and a service host, not from the sample. No command-and-control traffic was captured; note that PID 3852 exited with 3221225477 (0xC0000005, an access violation), so the loader may never have reached its payload stage on this 32-bit Windows 7 guest, and a re-run on a 64-bit Windows 10 image is the obvious next check before concluding the sample is dormant.

DNS requests

No data

Threats

No threats detected
No debug info