File name: | crowdstrike-hotfix.zip |
Full analysis: | https://app.any.run/tasks/44c5069a-0de3-43b9-9c69-d41ffaee3265 |
Verdict: | Malicious activity |
Threats: | HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. |
Analysis date: | July 22, 2024, 14:14:42 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
MD5: | 1E84736EFCE206DC973ACBC16540D3E5 |
SHA1: | FEF212EC979F2FE2F48641160AADEB86B83F7B35 |
SHA256: | C44506FE6E1EDE5A104008755ABF5B6ACE51F1A84AD656A2DCCC7F2C39C0ECA2 |
SSDEEP: | 98304:tqYE8lPCNYpYpkNU7Tfb5WK0ZLcCb9C52ycVfRRX2/o+czw94RF+XfUpyO7crJg1:bNDJ5+uzMWJ3 |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | vcl120.bpl |
---|---|
ZipUncompressedSize: | 2012160 |
ZipCompressedSize: | 779055 |
ZipCRC: | 0x42981c68 |
ZipModifyDate: | 2024:07:19 07:46:20 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2768 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\crowdstrike-hotfix.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
7408 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2768.458\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2768.458\Setup.exe | WinRAR.exe | ||||||||||||
User: admin Company: iTop Inc. Integrity Level: MEDIUM Description: iTop Data Recovery Backup Exit code: 1 Version: 1.0.0.418 Modules
| |||||||||||||||
5444 | C:\WINDOWS\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | Setup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
7608 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6364 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4024 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4976 | C:\WINDOWS\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
|
(PID) Process: | (2768) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2768) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2768) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip | |||
(PID) Process: | (2768) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\crowdstrike-hotfix.zip | |||
(PID) Process: | (2768) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2768) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2768) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2768) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2768) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2768) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2768.458\Setup.exe | executable | |
MD5:371C165E3E3C1A000051B78D7B0E7E79 | SHA256:5AE3838D77C2102766538F783D0A4B4205E7D2CDBA4E0AD2AB332DC8AB32FEA9 | |||
2768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2768.458\maddisAsm_.bpl | executable | |
MD5:84BC072F8EA30746F0982AFBDA3C638F | SHA256:52019F47F96CA868FA4E747C3B99CBA1B7AA57317BF8EBF9FCBF09AA576FE006 | |||
2768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2768.458\maidenhair.cfg | binary | |
MD5:451049D3AC526F1ABDD704C3B1FED580 | SHA256:931308CFE733376E19D6CD2401E27F8B2945CEC0B9C696AEBE7029EA76D45BF6 | |||
7408 | Setup.exe | C:\Users\admin\AppData\Local\controlfm\vcl120.bpl | binary | |
MD5:849070EBD34CBAEDC525599D6C3F8914 | SHA256:B6F321A48812DC922B26953020C9A60949EC429A921033CFAF1E9F7D088EE628 | |||
7408 | Setup.exe | C:\Users\admin\AppData\Local\controlfm\battuta.flv | binary | |
MD5:8274785D42B79444767FB0261746FE91 | SHA256:BE074196291CCF74B3C4C8BD292F92DA99EC37A25DC8AF651BD0BA3F0D020349 | |||
2768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2768.458\madbasic_.bpl | executable | |
MD5:DA03EBD2A8448F53D1BD9E16FC903168 | SHA256:D6D5FF8E9DC6D2B195A6715280C2F1BA471048A7CE68D256040672B801FDA0EA | |||
2768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2768.458\rtl120.bpl | executable | |
MD5:630991830AFE0B969BD0995E697AB16E | SHA256:B1FCB0339B9EF4860BB1ED1E5BA0E148321BE64696AF64F3B1643D1311028CB3 | |||
2768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2768.458\instrucciones.txt | text | |
MD5:11D67598BAFFEE39CB3827251F2A255E | SHA256:4F450ABAA4DAF72D974A830B16F91DEED77BA62412804DCA41A6D42A7D8B6FD0 | |||
2768 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2768.458\vclx120.bpl | executable | |
MD5:7DAA2B7FE529B45101A399B5EBF0A416 | SHA256:2BDF023C439010CE0A786EC75D943A80A8F01363712BBF69AFC29D3E2B5306ED | |||
7408 | Setup.exe | C:\Users\admin\AppData\Local\controlfm\rtl120.bpl | executable | |
MD5:630991830AFE0B969BD0995E697AB16E | SHA256:B1FCB0339B9EF4860BB1ED1E5BA0E148321BE64696AF64F3B1643D1311028CB3 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4716 | svchost.exe | 40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5620 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7856 | svchost.exe | 4.208.221.206:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4032 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2760 | svchost.exe | 40.113.110.67:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3412 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4716 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5620 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
login.live.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
arc.msn.com |
| whitelisted |
www.bing.com |
| whitelisted |
fd.api.iris.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
4976 | explorer.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash |
4976 | explorer.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection |