| File name: | Active-AppSetup-2023-As-PassKey.zip |
| Full analysis: | https://app.any.run/tasks/45aa1d66-765e-4107-8596-a3df59dd001d |
| Verdict: | Malicious activity |
| Threats: | HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. |
| Analysis date: | January 08, 2024, 23:01:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 939F2251315FAA830D07D22964C10BE6 |
| SHA1: | B090333863BC2EA982DA736C7DA769390C80CEDB |
| SHA256: | D730CC1FF75B5C570086DB326B27B470CAF82C621AED2459DBCC54B25B314921 |
| SSDEEP: | 98304:prdUMtgVGRb7vUyL3ptVA2ES+0Tx2D5iZ76aDQUfeOWm6Vp2XtbFHQ8b85I4yuRM:NdyOTlT |
MALICIOUS
HIJACKLOADER has been detected (YARA)
- Setup.exe (PID: 1584)
SUSPICIOUS
No suspicious indicators.INFO
Checks supported languages
- Setup.exe (PID: 1584)
Manual execution by a user
- WinRAR.exe (PID: 2080)
- Setup.exe (PID: 1584)
Reads the computer name
- Setup.exe (PID: 1584)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2080)
Creates files in the program directory
- Setup.exe (PID: 1584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:01:08 11:35:08 |
| ZipCRC: | 0x71202672 |
| ZipCompressedSize: | 3329228 |
| ZipUncompressedSize: | 3328718 |
| ZipFileName: | New-FullSetup-Use-2023-PassCode.rar |
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1584 | "C:\Users\admin\Desktop\Setup.exe" | C:\Users\admin\Desktop\Setup.exe | explorer.exe | ||||||||||||
User: admin Company: CANON INC. Integrity Level: MEDIUM Description: Universal Installer Windows Exit code: 0 Version: 2.5.30.7 Modules
| |||||||||||||||
| 2040 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Active-AppSetup-2023-As-PassKey.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2080 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\New-FullSetup-Use-2023-PassCode.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
Total events
1 762
Read events
1 720
Write events
42
Delete events
0
Modification events
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
7
Suspicious files
3
Text files
3
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2080.42940\Libs\Injecting.dll | executable | |
MD5:DA2B07289F9853D57B19A5299E0E763F | SHA256:1D65ED9E476136A6608C7547539CEA5B5C888B177CA93AEAA67B2466ADA3982A | |||
| 2080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2080.42940\Setup.exe | executable | |
MD5:9FB4770CED09AAE3B437C1C6EB6D7334 | SHA256:A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3 | |||
| 2080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2080.42940\Libs\Extreme.Net.dll | executable | |
MD5:F79F0E3A0361CAC000E2D3553753CD68 | SHA256:8A6518AB7419FBEC3AC9875BAA3AFB410AD1398C7AA622A09CD9084EC6CADFCD | |||
| 2080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2080.42940\premaxilla.txt | binary | |
MD5:E5702D81E02F240D4D1B15005AEDE704 | SHA256:8501C63E6BF0C96FFA935F03B468AFCD0ABEC7466482C8EE7755865D84C92509 | |||
| 2080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2080.42940\Projects\Manager.cpp | text | |
MD5:9451543BFF4F778C6E546F939BB7D319 | SHA256:0392C3EBF60D8FD06983106D2ABC0AA0EF1BE86CD2CFF50AB5DD3DE6305F7F74 | |||
| 2040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2040.40410\New-FullSetup-Use-2023-PassCode.rar | compressed | |
MD5:D490780BA48B79A0C5C740AF560F1813 | SHA256:A8AE2B224E96EC5ED90EC868B628D8B649D9E0C90C9624882ACC082FD1265498 | |||
| 2080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2080.42940\Projects\Source.cpp | text | |
MD5:21A3269D6CA92574BF8C1DF314C7E4B4 | SHA256:186C2C28F2EB634A8F44B151E35EF226CE539ADAA12C7BE2FD944CD763026F88 | |||
| 2080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2080.42940\Libs\libgcc_s_dw2-1.dll | executable | |
MD5:49E51045F2951FD248318AC9F1CCB18E | SHA256:73B563935D96D328D5E13D05DDC35F24B69237E4C4B7B183EE66AEEB3CCD9C16 | |||
| 1584 | Setup.exe | C:\ProgramData\Canon_Inc_IC\UniversalInstaller\ServiceLog\CANON_UIX_SERVICELOG_20240108230232.TXT | text | |
MD5:49BE9CFC470974DBE965C3894B532598 | SHA256:53E8128F040698C5BB561945F5B8E8E3E910DC643F174873A9D4AEB7D054AFB1 | |||
| 2080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2080.42940\Libs\libEGL.dll | executable | |
MD5:3ABAA006E1842B5A3CBED2A41476CAE8 | SHA256:A96CDB651C862120489B30B40A716C3F20B772AC4BA8FC70AACCBB1A568005F2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |