| File name: | hitmanpro.bin.zip |
| Full analysis: | https://app.any.run/tasks/504b8586-7350-479b-80f7-29941aa8f77d |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | July 17, 2024, 09:38:33 |
| OS: | Windows 10 Professional (build: 19045, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v5.1 to extract, compression method=AES Encrypted |
| MD5: | FB40097A4CD6F04FA5DD53A311C891D3 |
| SHA1: | D35D5BAABF72D2E78FFA16CA369788EA65019674 |
| SHA256: | 9B7F98CB3CFE3ADD9BFC7C38239346B38F48C4FC48CCC9490605464FDC82B77B |
| SSDEEP: | 98304:zvEU/nrI8JDfeX2eflJPjq9CXEJCcERqN4i+3XLdGIEFviy4EaZpZ+M/geleSsZf:15Mdzyr3xFSw3 |
MALICIOUS
Drops the executable file immediately after the start
- hitmanpro.exe (PID: 5184)
- WinRAR.exe (PID: 5988)
- hitmanpro.exe (PID: 3156)
Creates a writable file in the system directory
- hitmanpro.exe (PID: 3156)
Actions looks like stealing of personal data
- hitmanpro.exe (PID: 3156)
SUSPICIOUS
The process executes via Task Scheduler
- consent.exe (PID: 4936)
Payload loading activity detected
- hitmanpro.exe (PID: 5184)
Executable content was dropped or overwritten
- hitmanpro.exe (PID: 5184)
- hitmanpro.exe (PID: 3156)
Checks Windows Trust Settings
- hitmanpro.exe (PID: 5184)
- hitmanpro.exe (PID: 3156)
Potential Corporate Privacy Violation
- hitmanpro.exe (PID: 5184)
Reads security settings of Internet Explorer
- hitmanpro.exe (PID: 5184)
- hitmanpro.exe (PID: 3156)
Starts itself from another location
- hitmanpro.exe (PID: 5860)
Process requests binary or script from the Internet
- hitmanpro.exe (PID: 5184)
Creates a software uninstall entry
- hitmanpro.exe (PID: 3156)
Executes as Windows Service
- hmpsched.exe (PID: 4112)
- VSSVC.exe (PID: 4800)
Drops a system driver (possible attempt to evade defenses)
- hitmanpro.exe (PID: 3156)
Creates files in the driver directory
- hitmanpro.exe (PID: 3156)
Read startup parameters
- hitmanpro.exe (PID: 3156)
Searches for installed software
- hitmanpro.exe (PID: 3156)
- dllhost.exe (PID: 5428)
Reads browser cookies
- hitmanpro.exe (PID: 3156)
Adds/modifies Windows certificates
- hitmanpro.exe (PID: 3156)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 5988)
Reads the machine GUID from the registry
- hitmanpro.exe (PID: 5184)
- hitmanpro.exe (PID: 3156)
Reads the software policy settings
- hitmanpro.exe (PID: 5184)
- consent.exe (PID: 4936)
- slui.exe (PID: 5056)
- hitmanpro.exe (PID: 3156)
Creates files or folders in the user directory
- hitmanpro.exe (PID: 5184)
Creates files in the program directory
- hitmanpro.exe (PID: 5184)
- hitmanpro.exe (PID: 3156)
Checks supported languages
- hitmanpro.exe (PID: 5184)
- hitmanpro.exe (PID: 3156)
- hitmanpro.exe (PID: 5860)
- hmpsched.exe (PID: 4112)
Checks proxy server information
- hitmanpro.exe (PID: 5184)
- hitmanpro.exe (PID: 3156)
- slui.exe (PID: 5056)
Reads the computer name
- hitmanpro.exe (PID: 5184)
- hitmanpro.exe (PID: 5860)
- hitmanpro.exe (PID: 3156)
- hmpsched.exe (PID: 4112)
Manual execution by a user
- hitmanpro.exe (PID: 5296)
- hitmanpro.exe (PID: 5184)
Create files in a temporary directory
- hitmanpro.exe (PID: 5184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 51 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Unknown (99) |
| ZipModifyDate: | 2024:06:10 05:25:52 |
| ZipCRC: | 0x0a1625df |
| ZipCompressedSize: | 7816398 |
| ZipUncompressedSize: | 11662376 |
| ZipFileName: | hitmanpro.bin |
Total processes
88
Monitored processes
12
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3156 | "C:\Users\admin\Desktop\hitmanpro.exe" /updated:"C:\Users\admin\AppData\Local\Temp\hitmanpro.exe" | C:\Users\admin\Desktop\hitmanpro.exe | hitmanpro.exe | ||||||||||||
User: admin Company: Sophos B.V. Integrity Level: HIGH Description: HitmanPro 3.8 Version: 3, 8, 36, 332 Modules
| |||||||||||||||
| 3732 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4112 | "C:\Program Files\HitmanPro\hmpsched.exe" | C:\Program Files\HitmanPro\hmpsched.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Sophos B.V. Integrity Level: SYSTEM Description: HitmanPro Scheduler Version: 3, 8, 36, 332 Modules
| |||||||||||||||
| 4800 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4936 | consent.exe 1188 298 06670B70 | C:\Windows\System32\consent.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Consent UI for administrative applications Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5056 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5184 | "C:\Users\admin\Desktop\hitmanpro.exe" | C:\Users\admin\Desktop\hitmanpro.exe | explorer.exe | ||||||||||||
User: admin Company: Sophos B.V. Integrity Level: HIGH Description: HitmanPro 3.8 Exit code: 0 Version: 3, 8, 34, 330 Modules
| |||||||||||||||
| 5296 | "C:\Users\admin\Desktop\hitmanpro.exe" | C:\Users\admin\Desktop\hitmanpro.exe | — | explorer.exe | |||||||||||
User: admin Company: Sophos B.V. Integrity Level: MEDIUM Description: HitmanPro 3.8 Exit code: 3221226540 Version: 3, 8, 34, 330 Modules
| |||||||||||||||
| 5428 | C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5624 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:6 | C:\Windows\System32\SrTasks.exe | — | dllhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
51 863
Read events
51 611
Write events
237
Delete events
15
Modification events
| (PID) Process: | (5988) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (5988) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (5988) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (5988) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle.zip | |||
| (PID) Process: | (5988) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\hitmanpro.bin.zip | |||
| (PID) Process: | (5988) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (5988) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (5988) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (5988) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (5988) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface |
| Operation: | write | Name: | ShowPassword |
Value: 0 | |||
Executable files
5
Suspicious files
13
Text files
0
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5428 | dllhost.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 3156 | hitmanpro.exe | C:\Program Files\HitmanPro\HitmanPro.exe | executable | |
MD5:D4374C483BCCC0355A07C2037CFC12AD | SHA256:80DFD3EFC77EDF997A3ECE2754456C3263D4A320DF46293305EF11BBDCDF2CDC | |||
| 5184 | hitmanpro.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D18D57CBB2E18807F94D76FD2998D943 | der | |
MD5:A38748948C22858A379A91E1BD7474B9 | SHA256:C7617057D1A0ED59F58A1770A908FF69570EC9C418C9EA6E18F7AF2BDB5C77F8 | |||
| 5184 | hitmanpro.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary | |
MD5:58798F4E971389608A61F8EF98E3AB6E | SHA256:A8C5C1A144E0F0158ED77D65D12B738895801F5F0840E13C5DC6FCB26E05E18A | |||
| 5184 | hitmanpro.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | der | |
MD5:F00525BDDA978EF8FAB03FECD9322D29 | SHA256:CF71E6456948FBDC112096F3A5B9272B0B4DF0B8AE86F4FCD3AA507B5462125F | |||
| 5184 | hitmanpro.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary | |
MD5:8505DEC9DD2B11BBAF3F425E6A48E989 | SHA256:3D3A7BD1E140BBA3A5303302335DBFDF51D029755C95ED292FF5D55563E9E2C7 | |||
| 3156 | hitmanpro.exe | C:\Users\Public\Desktop\HitmanPro.lnk | binary | |
MD5:8731503EEA2E5F40729EB0641ED2873C | SHA256:C9C526BBE0E37270E92C99A22F381A5ADC7D48D9C3E7A23C1B86D54124D6F4D4 | |||
| 3156 | hitmanpro.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro\HitmanPro.lnk | binary | |
MD5:B9FA72B1C6028227013BEDF91F3AA241 | SHA256:09448EC50AC4DFF3C8C8F3B8864E17C9BDAEB8A96E7CF1BB71928DA3ED9C87A9 | |||
| 3156 | hitmanpro.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro\Remove HitmanPro 3.8.lnk | binary | |
MD5:39FAA0C105FE7B54C455C3C02A2D87EC | SHA256:2C051DF58FA6FCB078EED36A901C9C314709F372291822D8F83B25DF8DA7C581 | |||
| 3156 | hitmanpro.exe | C:\WINDOWS\system32\drivers\hitmanpro37.sys | executable | |
MD5:F92E1D5078594FED58A75ABC3AF051DA | SHA256:680AF4704F11F438557526085DBC1F63AED705BDB458B00D7C1FE767B9690492 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
24
DNS requests
23
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5184 | hitmanpro.exe | HEAD | 200 | 185.105.204.28:80 | http://files.surfright.nl/HitmanPro.exe | unknown | — | — | whitelisted |
5184 | hitmanpro.exe | GET | 200 | 52.174.35.5:80 | http://scan.hitmanpro.com/banner.aspx?lc=en&v=3.8.34.330&c= | unknown | — | — | whitelisted |
5184 | hitmanpro.exe | GET | 200 | 185.105.204.28:80 | http://files.surfright.nl/HitmanPro.exe | unknown | — | — | whitelisted |
2344 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2344 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5184 | hitmanpro.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | — | — | whitelisted |
5184 | hitmanpro.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | — | — | whitelisted |
5184 | hitmanpro.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAjXpjibhbpKD3HeSF5HgmA%3D | unknown | — | — | whitelisted |
3156 | hitmanpro.exe | GET | 200 | 52.174.35.5:80 | http://scan.hitmanpro.com/banner.aspx?lc=en&v=3.8.36.332&c= | unknown | — | — | whitelisted |
5896 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5184 | hitmanpro.exe | 52.174.35.5:80 | scan.hitmanpro.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
5184 | hitmanpro.exe | 185.105.204.28:80 | files.surfright.nl | Signet B.V. | NL | unknown |
2344 | svchost.exe | 40.74.98.193:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | JP | unknown |
2344 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
2344 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
5184 | hitmanpro.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
3156 | hitmanpro.exe | 52.174.35.5:80 | scan.hitmanpro.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
2340 | slui.exe | 52.161.91.37:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
5896 | SIHClient.exe | 20.114.59.183:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
scan.hitmanpro.com |
| unknown |
files.surfright.nl |
| whitelisted |
login.live.com |
| whitelisted |
v10.events.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | PAYLOAD [ANY.RUN] XORed Windows executable has been loaded |