| Field | Value |
|---|---|
| File name: | AVISO JUDICIAL.REV |
| Full analysis: | https://app.any.run/tasks/7a734c33-a13b-4d39-807b-4d04acda4ba2 |
| Verdict: | Malicious activity |
| Threats: | HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. |
| Analysis date: | January 25, 2024, 22:21:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 224419BAF9058657DAC7AB7BB9D2515E |
| SHA1: | 199FA6225B2E2A069BCB70F5A9196A14E9189D9E |
| SHA256: | EA5196BA2C7F87642B147F6A172A7574706E1111996CCD851F9436CFA10839C8 |
| SSDEEP: | 98304:bbCVRS5uvMEwb2r9qfhgfSzXQoIsF7mZO1W6zYBP5b0HRn5lsryndJC574XxxaDk:Qsq0 |
| Extension | Type |
|---|---|
| .7z | 7-Zip compressed archive (v0.4) (57.1) |
| .7z | 7-Zip compressed archive (gen) (42.8) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2728 | "C:\Users\admin\Desktop\AVISO JUDICIAL\8-Notificacion juridica.exe" | C:\Users\admin\Desktop\AVISO JUDICIAL\8-Notificacion juridica.exe | | explorer.exe |
| 2808 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\AVISO JUDICIAL.REV.7z" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe |
| 2904 | "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\Desktop\AVISO JUDICIAL\breakage.ogg" | C:\program files\VideoLAN\VLC\vlc.exe | | explorer.exe |

| PID | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 2728 | admin | IObit | MEDIUM | IObit RttHlp | 3221225477 | 11.0.0.0 |
| 2808 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.91.0 |
| 2904 | admin | VideoLAN | MEDIUM | VLC media player | 0 | 3.0.11 |
| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (2808) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US |
| (2808) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| (2808) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\phacker.zip |
| (2808) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| (2808) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip |
| (2808) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| (2808) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| (2808) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| (2808) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| (2808) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2904 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Hp2904 | text | B6A42639E4145410C03711A36D07F286 | 3655E9D96D5BC6A0A1AD1118CD918F1CE6986BE4F1CEF79567D2921C2C4036A1 |
| 2808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2808.27112\AVISO JUDICIAL\breakage.ogg | binary | 25CEB30A246B5E35393C3014A8458610 | 23DF8661729E5CD150BC5821F3A3D57D918332C4E34CCA70EEC6495FCB5582D1 |
| 2808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2808.27112\AVISO JUDICIAL\vcl120.bpl | binary | C594D746FF6C99D140B5E8DA97F12FD4 | 572EDB7D630E9B03F93BD15135D2CA360176C1232051293663EC5B75C2428AEC |
| 2808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2808.27112\AVISO JUDICIAL\8-Notificacion juridica.exe | executable | A2D70FBAB5181A509369D96B682FC641 | 8AED681AD8D660257C10D2F0E85AE673184055A341901643F27AFC38E5EF8473 |
| 2808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2808.27112\AVISO JUDICIAL\fascinator.psd | binary | 341F742F26F83CEE1F92949ADC093F71 | F5D3EA252876201F71969AFA8B79C1839E04D85200C812457FFB689DB648E220 |
| 2808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2808.27112\AVISO JUDICIAL\rtl120.bpl | executable | ADF82ED333FB5567F8097C7235B0E17F | D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50 |
| 2904 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock | text | 84B28F7043166EC7AD90FD2A36CFB4FC | D8947F0182CC96EA1631EC5480F190CAC0A7FBC5D695CC39CB260F6161A69223 |
| 2904 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini | text | B6A42639E4145410C03711A36D07F286 | 3655E9D96D5BC6A0A1AD1118CD918F1CE6986BE4F1CEF79567D2921C2C4036A1 |
| 2808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2808.27112\AVISO JUDICIAL\Register.dll | executable | DD001E7A2F751F6C9E8C40E23307D102 | E2B66236119BFEA1571F423A721B1C4495B2363A0AF83B8EC2EA728B4FDD7D7A |
| 2728 | 8-Notificacion juridica.exe | C:\ProgramData\IObit\IObitRtt\DBRtt.ept | binary | 0D99B7BFB41127C45BD72117CD1D6E62 | 483BC8BB54BA240AE356B16A67A1892EBC4BC764DB6422C7E862FF90607E1E77 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 192.168.100.255:138 | — | — | — | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| Process | Message |
|---|---|
| vlc.exe | main libvlc debug: revision 3.0.11-0-gdc0c5ced72 |
| vlc.exe | main libvlc debug: VLC media player - 3.0.11 Vetinari |
| vlc.exe | main libvlc debug: Copyright © 1996-2020 the VideoLAN team |
| vlc.exe | main libvlc debug: using multimedia timers as clock source |
| vlc.exe | main libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat |
| vlc.exe | main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=i686-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=i686-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x86/contrib/i686-w64-mingw32/lib/pkgconfig' |
| vlc.exe | main libvlc debug: min period: 1 ms, max period: 1000000 ms |
| vlc.exe | main libvlc debug: searching plug-in modules |
| vlc.exe | main libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins' |
| vlc.exe | main libvlc debug: plug-ins loaded: 494 modules |