File name: lnstaller_2024.008.20535_win64_86.zip

Full analysis: https://app.any.run/tasks/fffedf24-4b34-4754-b0f2-e8ce2971e877
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: March 22, 2024, 13:53:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: hijackloader, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 447B9BF54041F89E63724A7231C12DAF
SHA1: 866E0BC4A677E02DE03A8F4E1583021526F50FB0
SHA256: F05F8DB2D43C5E36E363B60D9C73109995C91B105CA78BF480722EAD64B516F0
SSDEEP: 98304:vSbiJ3uWqnmkJXGmUiHNifAxsIT3SXYlJLLjeSt7hSfotZMewlzRo3DonT4Dx7iA:ov10zrc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2340)
    • HIJACKLOADER has been detected (YARA)

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
  • SUSPICIOUS

    • Reads the Internet Settings

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
    • Reads security settings of Internet Explorer

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
    • Reads settings of System Certificates

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
    • Checks Windows Trust Settings

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
  • INFO

    • Manual execution by a user

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2340)
    • Checks supported languages

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
    • Reads the computer name

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
    • Checks proxy server information

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
    • Reads the software policy settings

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
    • Reads the machine GUID from the registry

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
    • Creates files or folders in the user directory

      • lnstaller_2024.008.20535_win64_86.exe (PID: 4000)
      • lnstaller_2024.008.20535_win64_86.exe (PID: 2000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2024:03:21 14:58:46
ZipCRC: 0xde35ba57
ZipCompressedSize: 6163957
ZipUncompressedSize: 20215710
ZipFileName: lnstaller_2024.008.20535_win64_86.exe
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  • winrar.exe
  • lnstaller_2024.008.20535_win64_86.exe #HIJACKLOADER
  • lnstaller_2024.008.20535_win64_86.exe #HIJACKLOADER

Process information

PID: 2000
CMD: "C:\Users\admin\Desktop\lnstaller_2024.008.20535_win64_86.exe"
Path: C:\Users\admin\Desktop\lnstaller_2024.008.20535_win64_86.exe
Parent process: explorer.exe
User: admin
Company: Van Loo Software ™
Integrity Level: MEDIUM
Description: NetSurfer Browser x86
Exit code: 0
Version: 2.2.22.10
Modules (Images):
  • c:\users\admin\desktop\lnstaller_2024.008.20535_win64_86.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\winmm.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 2340
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\lnstaller_2024.008.20535_win64_86.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll

PID: 4000
CMD: "C:\Users\admin\Desktop\lnstaller_2024.008.20535_win64_86.exe"
Path: C:\Users\admin\Desktop\lnstaller_2024.008.20535_win64_86.exe
Parent process: explorer.exe
User: admin
Company: Van Loo Software ™
Integrity Level: MEDIUM
Description: NetSurfer Browser x86
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 2.2.22.10
Modules (Images):
  • c:\users\admin\desktop\lnstaller_2024.008.20535_win64_86.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\winmm.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
Total events: 10 861
Read events: 10 761
Write events: 87
Delete events: 13

Modification events

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\lnstaller_2024.008.20535_win64_86.zip

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 1
Suspicious files: 3
Text files: 1
Unknown types: 2

Dropped files

PID: 4000
Process: lnstaller_2024.008.20535_win64_86.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 1E669A964A16AE2A146999AD8E989C9E
SHA256: 03E68154B1A45A076C25E421D1E1EDC27B3767EFAD599BAB3384E87F3F64C044

PID: 4000
Process: lnstaller_2024.008.20535_win64_86.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2BF5920981B5F69BD3F71A392E41C7A2
Type: binary
MD5: 0A5377A035AF44F8D0D682721363C1CC
SHA256: AE5F483D3CAFE2DF199A81494DA9ADB97EE2C0A8C98B67D20329CD1F77EC9E03

PID: 4000
Process: lnstaller_2024.008.20535_win64_86.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Type: binary
MD5: 16152740513EC8A9BAD2086585AAD3F2
SHA256: F5E64337286F7A8C139BEE0BE09EC15A62495CA923F26F57C325B37F4C97DB20

PID: 4000
Process: lnstaller_2024.008.20535_win64_86.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Type: der
MD5: 822467B728B7A66B081C91795373789A
SHA256: AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9

PID: 4000
Process: lnstaller_2024.008.20535_win64_86.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2BF5920981B5F69BD3F71A392E41C7A2
Type: der
MD5: 83B65E1B8E7B0A6A1BFD198C303420D6
SHA256: 76DBAC1AC7140B9CD1D66DB7D7A4E1824D15353DFEBF9015B08DC494638CDA16

PID: 2340
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2340.8213\lnstaller_2024.008.20535_win64_86.exe
Type: executable
MD5: A0543AF2A8B551D1BF5B89DDEDAE4180
SHA256: 9419B1E9FA5741F629F61094811A4936BEB2ACD76BBAD083EC75C7E50DE9B02B

PID: 4000
Process: lnstaller_2024.008.20535_win64_86.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\tutorials[1].htm
Type: html
MD5: 3FA870F93335E291B6F0A992B8B3C14D
SHA256: 9F118C06A1D86A80F0DBAC33F888FBCC358CEFCCCE8BF3ED46A9BEDBD7CD5347
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 14
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4000 | lnstaller_2024.008.20535_win64_86.exe | GET | 304 | 23.32.238.234:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6b387c1938973f7f | unknown | | | unknown
4000 | lnstaller_2024.008.20535_win64_86.exe | GET | 200 | 184.24.77.79:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgQ65t8xIkMa17r8MBjZrS1lkA%3D%3D | unknown | binary | 503 b | unknown
4000 | lnstaller_2024.008.20535_win64_86.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
1080 | svchost.exe | GET | 304 | 23.53.40.9:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0754c686571bd23f | unknown | compressed | 67.5 Kb | unknown
1080 | svchost.exe | GET | 200 | 23.53.40.9:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3e412f7b4eff0943 | unknown | compressed | 67.5 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4000 | lnstaller_2024.008.20535_win64_86.exe | 188.166.193.143:443 | www.legal-tools.org | DIGITALOCEAN-ASN | DE | unknown
4000 | lnstaller_2024.008.20535_win64_86.exe | 23.32.238.234:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
4000 | lnstaller_2024.008.20535_win64_86.exe | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown
4000 | lnstaller_2024.008.20535_win64_86.exe | 184.24.77.79:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown
4000 | lnstaller_2024.008.20535_win64_86.exe | 172.217.18.3:443 | www.google.ca | GOOGLE | US | whitelisted
4000 | lnstaller_2024.008.20535_win64_86.exe | 172.67.198.249:443 | gcdnb.pbrd.co | CLOUDFLARENET | US | unknown
2000 | lnstaller_2024.008.20535_win64_86.exe | 188.166.193.143:443 | www.legal-tools.org | DIGITALOCEAN-ASN | DE | unknown

DNS requests

Domain | IP | Reputation
www.legal-tools.org | 188.166.193.143 | unknown
ctldl.windowsupdate.com | 23.32.238.234, 23.32.238.241, 23.32.238.185, 23.32.238.169, 23.32.238.179, 23.32.238.171, 23.32.238.168, 23.32.238.235, 23.32.238.240, 23.53.40.9, 23.53.40.18, 23.53.40.35, 23.53.40.43, 23.53.40.19, 23.53.40.32, 23.53.40.11, 23.53.40.83, 23.53.40.82 | whitelisted
x1.c.lencr.org | 69.192.161.44 | whitelisted
r3.o.lencr.org | 184.24.77.79, 184.24.77.65, 184.24.77.76 | shared
www.google.ca | 172.217.18.3 | whitelisted
gcdnb.pbrd.co | 172.67.198.249, 104.21.68.220 | unknown

Threats: No threats detected
Debug info: none