Malware analysis HitmanPro.Alert.3.7.10.Build.789.zip Malicious activity

Add for printing

File name:	HitmanPro.Alert.3.7.10.Build.789.zip
Full analysis:	https://app.any.run/tasks/59151bcb-6211-454b-b25f-32857e316520
Verdict:	Malicious activity
Analysis date:	September 18, 2019, 16:40:18
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract
MD5:	AE13C1E1D49A4F2A6603C99B1805B19D
SHA1:	38F656555CC2C82804C4F916AC016508667FA46E
SHA256:	DEB3DAA2AFBD18A1BADB9416AE246A6780CA7C5E6981FC849C3AA5D943D9D470
SSDEEP:	49152:nkl0MZNn4cLPLSxU5AJMvGg7Sck8C2SJyjAHNJEhdDqRH13TVG+fltIMS3b2bukv:n80M/n4lWQgGWAsHD03RGyl+Nqbd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2940)
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2512)
  - hmpalert3.exe (PID: 2368)
  - hmpalert3.exe (PID: 3500)
  - hmpalert.exe (PID: 2880)
  - hmpalert.exe (PID: 2340)
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 3932)
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2432)
  - hmpalert.exe (PID: 2736)
  - hmpalert.exe (PID: 3588)
  - hmpalert.exe (PID: 3960)
- Loads dropped or rewritten executable
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2940)
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2432)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3696)
  - WinRAR.exe (PID: 3492)
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2940)
  - hmpalert3.exe (PID: 3500)
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2432)
- Creates files in the program directory
  - hmpalert3.exe (PID: 3500)
  - hmpalert.exe (PID: 2880)
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2432)
- Creates files in the Windows directory
  - hmpalert3.exe (PID: 3500)
- Application launched itself
  - hmpalert3.exe (PID: 2368)
  - hmpalert.exe (PID: 2880)
  - hmpalert.exe (PID: 2340)
  - taskmgr.exe (PID: 3988)
- Creates a software uninstall entry
  - hmpalert.exe (PID: 2880)
  - hmpalert3.exe (PID: 3500)
  - hmpalert.exe (PID: 3960)
- Creates files in the driver directory
  - hmpalert3.exe (PID: 3500)
- Executed as Windows Service
  - hmpalert.exe (PID: 2880)
  - hmpalert.exe (PID: 3960)
- Creates or modifies windows services
  - hmpalert3.exe (PID: 3500)
- Reads internet explorer settings
  - mmc.exe (PID: 2552)
  - mmc.exe (PID: 3184)
INFO
- Manual execution by user
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2512)
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2940)
  - WinRAR.exe (PID: 3492)
  - hmpalert3.exe (PID: 2368)
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 3932)
  - hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2432)
  - mmc.exe (PID: 3008)
  - mmc.exe (PID: 2552)
  - taskmgr.exe (PID: 3988)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2019:09:06 21:08:23
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	HitmanPro.Alert 3.7.10 Build 789 Multilingual/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3696	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HitmanPro.Alert.3.7.10.Build.789.zip"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
3492	"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\Patch.zip" "C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
2512	"C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe"	C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 3221226540
2940	"C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe"	C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe		explorer.exe
User: admin Integrity Level: HIGH Exit code: 0
2368	"C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe"	C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe	—	explorer.exe
User: admin Company: SurfRight B.V. Integrity Level: MEDIUM Description: HitmanPro.Alert Exit code: 1 Version: 3.7.10.789
3500	"C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe" /elevated /mode=cryptoguard	C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe		hmpalert3.exe
User: admin Company: SurfRight B.V. Integrity Level: HIGH Description: HitmanPro.Alert Exit code: 0 Version: 3.7.10.789
2880	"C:\Program Files\HitmanPro.Alert\hmpalert.exe" /service	C:\Program Files\HitmanPro.Alert\hmpalert.exe		services.exe
User: SYSTEM Company: SurfRight B.V. Integrity Level: SYSTEM Description: HitmanPro.Alert Exit code: 1 Version: 3.7.10.789
2340	"C:\Program Files\HitmanPro.Alert\hmpalert.exe" /tray	C:\Program Files\HitmanPro.Alert\hmpalert.exe		hmpalert.exe
User: admin Company: SurfRight B.V. Integrity Level: MEDIUM Description: HitmanPro.Alert Exit code: 1 Version: 3.7.10.789
3932	"C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe"	C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 3221226540
2432	"C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe"	C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe		explorer.exe
User: admin Integrity Level: HIGH

Add for printing

Total events

2 218

Read events

1 979

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2880	hmpalert.exe	C:\ProgramData\HitmanPro.Alert\excalibur.db-journal		—
		MD5:—	SHA256:—
2340	hmpalert.exe	C:\Users\admin\AppData\Local\Temp\hmpalert.bf		—
		MD5:—	SHA256:—
3492	WinRAR.exe	C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\README.TXT		text
		MD5:F6D08E520B01802D0C09572259C2D383	SHA256:B1D4148ECC50D43105DEDAADEB8942771DA3995581ED6F49BA3E9DB268352585
3500	hmpalert3.exe	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert\HitmanPro.Alert.lnk		lnk
		MD5:B339D9852E031ACB28EADEA1A6F2967D	SHA256:51C3B3C75F94CF1264636E9E539916C314FEF6F2E39F5664E1754FB6E11E7338
3696	WinRAR.exe	C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe		executable
		MD5:E8FE4B6D76994174F3A84086993ADC2A	SHA256:F0A9340F09F2CB58C5B7F0CE694376520AC5D0B36B8072E080C66CFA92C4F18D
2940	hitmanpro.alert.v3.7.0.717-patch.exe	C:\Users\admin\AppData\Local\Temp\XNX678.tmp		executable
		MD5:8F070B6EBDBE8DDE835486641BCA6D91	SHA256:62BD5B8ECD7EFF8CE624EC18014852DC91941C485EECC80CE4ECE99AD88AF4EE
2880	hmpalert.exe	C:\ProgramData\HitmanPro.Alert\reports\Report_1		binary
		MD5:CE63029BC382444D7F7985FE7EC5A442	SHA256:1934EF23E4B5EDA8C56F4D3045C0D126C84C9B448125D7FCE6C7B06FFDFAB946
3492	WinRAR.exe	C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe		executable
		MD5:0007A329177A5BBDCC46ECF739C8680F	SHA256:A51F9B67999DB9F9AF1A6026BAFC630BE723F11BD0B9754D031A9CF5BD34A563
3500	hmpalert3.exe	C:\Windows\system32\drivers\hmpalert.sys		executable
		MD5:105249813BDB57627FDB2DB9B5D47D3A	SHA256:1F49716B6BB6D2EACF8C50BCCC6D3928716E557FAD4299735284AD67F1CCC2C9
3500	hmpalert3.exe	C:\Program Files\HitmanPro.Alert\hmpalert.exe		executable
		MD5:E8FE4B6D76994174F3A84086993ADC2A	SHA256:F0A9340F09F2CB58C5B7F0CE694376520AC5D0B36B8072E080C66CFA92C4F18D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2880	hmpalert.exe	POST	200	40.71.250.191:80	http://activate.hitmanpro.nl/activaterequest.aspx	US	—	—	suspicious
2880	hmpalert.exe	POST	200	40.71.250.191:80	http://activate.hitmanpro.nl/activaterequest.aspx	US	—	—	suspicious
2880	hmpalert.exe	POST	200	40.71.250.191:80	http://activate.hitmanpro.nl/activaterequest.aspx	US	text	1.50 Kb	suspicious
2880	hmpalert.exe	POST	200	40.71.250.191:80	http://activate.hitmanpro.nl/activaterequest.aspx	US	text	428 b	suspicious
2340	hmpalert.exe	POST	200	23.97.160.56:80	http://alert.hitmanpro.com/report.ashx	NL	text	29 b	suspicious
2340	hmpalert.exe	GET	304	185.105.204.28:80	http://updates.hitmanpro.com/hmpalert789.exe?f0a9340f09f2cb58c5b7f0ce694376520ac5d0b36b8072e080c66cfa92c4f18d	NL	binary	7.76 Kb	suspicious
2340	hmpalert.exe	GET	200	185.105.204.28:80	http://updates.hitmanpro.com/hmpalert-blm1.bf	NL	binary	7.76 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2880	hmpalert.exe	40.71.250.191:80	activate.hitmanpro.nl	Microsoft Corporation	US	whitelisted
2340	hmpalert.exe	23.97.160.56:80	alert.hitmanpro.com	Microsoft Corporation	NL	whitelisted
2340	hmpalert.exe	185.105.204.28:80	updates.hitmanpro.com	Astralus B.V.	NL	suspicious

DNS requests

Domain	IP	Reputation
alert.hitmanpro.com	23.97.160.56	suspicious
activate.hitmanpro.nl	40.71.250.191	suspicious
updates.hitmanpro.com	185.105.204.28	suspicious

Threats

No threats detected

Add for printing

Process	Message
hmpalert.exe	Driver: IOCTL_002221C8 failed (error 50)
hmpalert.exe	Service: starting
hmpalert.exe	Driver: IOCTL_00222000 failed (error 50)
hmpalert.exe	Service: mode 2
hmpalert.exe	FalsePositiveManager: not initialized
hmpalert.exe	Settings: FlyoutFrequency failed
hmpalert.exe	Settings: WindowBorder failed
hmpalert.exe	Settings: WindowBorderAutoHide failed
hmpalert.exe	Settings: WindowBorderKbdGuard failed
hmpalert.exe	Driver: IOCTL_00222084 failed (error 50)

General Info

HitmanPro.Alert.3.7.10.Build.789.zip

AE13C1E1D49A4F2A6603C99B1805B19D

38F656555CC2C82804C4F916AC016508667FA46E

DEB3DAA2AFBD18A1BADB9416AE246A6780CA7C5E6981FC849C3AA5D943D9D470

49152:nkl0MZNn4cLPLSxU5AJMvGg7Sck8C2SJyjAHNJEhdDqRH13TVG+fltIMS3b2bukv:n80M/n4lWQgGWAsHD03RGyl+Nqbd

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the program directory

Creates files in the Windows directory

Application launched itself

Creates a software uninstall entry

Creates files in the driver directory

Executed as Windows Service

Creates or modifies windows services

Reads internet explorer settings

INFO

Manual execution by user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings