File name: QZ0v2ewmKaedzl8KiMkdDs (1).zip

Full analysis: https://app.any.run/tasks/b13dbd57-5841-4e67-ade5-1483fbcc0d97
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: May 09, 2024, 17:16:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: hijackloader, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 26AC27C6796A693480708AA9FC56161A
SHA1: 2540BC8D0C56BFF0A1ED251FC068618417F8602C
SHA256: F93CB6BDECA1014FA2F52A732AADAC1EAAF4C46A0A6F6BE6E211237EA8C3F23C
SSDEEP: 98304:BcwJ/25mpSfOmW/paKtADCqVRPPqx5x7kfb5InhTOkBbBroxhbLMIKXRCFWBAzN+:4E4nYJLa9mRI9Bw4M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • HIJACKLOADER has been detected (YARA)

      • SetupEngine_win64_x86.exe (PID: 1072)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • WinRAR.exe (PID: 3980)
    • Reads settings of System Certificates

      • SetupEngine_win64_x86.exe (PID: 1292)
      • SetupEngine_win64_x86.exe (PID: 1640)
      • SetupEngine_win64_x86.exe (PID: 1072)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3980)
    • Checks supported languages

      • SetupEngine_win64_x86.exe (PID: 1292)
      • SetupEngine_win64_x86.exe (PID: 1640)
      • SetupEngine_win64_x86.exe (PID: 1072)
    • NirSoft software is detected

      • SetupEngine_win64_x86.exe (PID: 1292)
      • SetupEngine_win64_x86.exe (PID: 1640)
      • SetupEngine_win64_x86.exe (PID: 1072)
    • Reads the computer name

      • SetupEngine_win64_x86.exe (PID: 1292)
      • SetupEngine_win64_x86.exe (PID: 1640)
      • SetupEngine_win64_x86.exe (PID: 1072)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3980)
    • Manual execution by a user

      • SetupEngine_win64_x86.exe (PID: 1292)
      • SetupEngine_win64_x86.exe (PID: 1640)
      • SetupEngine_win64_x86.exe (PID: 1072)
    • Reads the machine GUID from the registry

      • SetupEngine_win64_x86.exe (PID: 1292)
      • SetupEngine_win64_x86.exe (PID: 1640)
      • SetupEngine_win64_x86.exe (PID: 1072)
    • Create files in a temporary directory

      • SetupEngine_win64_x86.exe (PID: 1292)
      • SetupEngine_win64_x86.exe (PID: 1640)
      • SetupEngine_win64_x86.exe (PID: 1072)
    • Reads the software policy settings

      • SetupEngine_win64_x86.exe (PID: 1292)
      • SetupEngine_win64_x86.exe (PID: 1640)
      • SetupEngine_win64_x86.exe (PID: 1072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2024:05:07 13:53:30
ZipCRC: 0xc304bc51
ZipCompressedSize: 643
ZipUncompressedSize: 2614
ZipFileName: manifest.json
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: start, winrar.exe, setupengine_win64_x86.exe, setupengine_win64_x86.exe, setupengine_win64_x86.exe (#HIJACKLOADER)

Process information

PID: 1072
CMD: "C:\Users\admin\Desktop\check\SetupEngine_win64_x86.exe"
Path: C:\Users\admin\Desktop\check\SetupEngine_win64_x86.exe
Parent process: explorer.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: ShellBagsView
Version: 1.35
Modules (images):
  c:\users\admin\desktop\check\setupengine_win64_x86.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 1292
CMD: "C:\Users\admin\Desktop\check\SetupEngine_win64_x86.exe"
Path: C:\Users\admin\Desktop\check\SetupEngine_win64_x86.exe
Parent process: explorer.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: ShellBagsView
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 1.35
Modules (images):
  c:\users\admin\desktop\check\setupengine_win64_x86.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 1640
CMD: "C:\Users\admin\Desktop\check\SetupEngine_win64_x86.exe"
Path: C:\Users\admin\Desktop\check\SetupEngine_win64_x86.exe
Parent process: explorer.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: ShellBagsView
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 1.35
Modules (images):
  c:\users\admin\desktop\check\setupengine_win64_x86.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3980
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\QZ0v2ewmKaedzl8KiMkdDs (1).zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll
Total events: 12 830
Read events: 12 764
Write events: 66
Delete events: 0

Modification events

PID: 3980 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
PID: 3980 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
PID: 3980 | Process: WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID: 3980 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
PID: 3980 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
PID: 3980 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
PID: 3980 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\QZ0v2ewmKaedzl8KiMkdDs (1).zip
PID: 3980 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID: 3980 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID: 3980 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 1
Suspicious files: 2
Text files: 7
Unknown types: 0

Dropped files

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\check\metadata.json | Type: binary
  MD5: F650C8A66B90E524B7CF4357DFD05198
  SHA256: 47B46E3C34E5497B1C37BA94CE4D8A0250259DA80BAE2E6CE0D72FB4CDC82FCE
PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\check\script.xml | Type: xml
  MD5: 4EB7ECD90C96B27C57309FDD9B39E72A
  SHA256: F5C3B7E1AA1D8A2D2F8A9D49566EE38E1163F50A0C4D0BDD0E31EDBBF55B7741
PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\check\file-acquisition-raw-issues.WSi7eJyM7R2iVDCuR1u4SP.xml | Type: xml
  MD5: DF7972AC26DF2CAA28114773E2966304
  SHA256: BD4E548388E1D08E6F27B1B8AE90E5C1DED51655DB21E987A6141720CDDCC41C
PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\check\sysinfo.fBnUSlnqES7c8ZoSbS52PW.xml | Type: xml
  MD5: 01ED99ECBC0D4C38678536CDEC0F4843
  SHA256: B7FD9257815C99897304F21A1F514855A4DB9066D78A0615AACCE80322155027
PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\check\manifest.json | Type: binary
  MD5: 267E00FA9226DB967E8C232B3DE20541
  SHA256: E0D906722DCA476A29F43D19E4CD638E7BBBCD92967DF2AEF23ED1311C60BDE2
PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\check\files-raw.saUZFafX4wa0gGERlxi81x.xml | Type: xml
  MD5: 239C5EA092753AF10BEFC975DBECDDF1
  SHA256: 321639CB45CA7394268BF9B33F6CAB54CE7975641513076EA6B2EB333610EE05
PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\check\SetupEngine_win64_x86.exe | Type: executable
  MD5: 69C0463EABB6ABA1611F63426CE130DC
  SHA256: 26AB475B773AC1430B9A2F8433CC143053395487D9BB3D880A15BCAE8BB72409
PID: 1640 | Process: SetupEngine_win64_x86.exe | Filename: C:\Users\admin\AppData\Local\Temp\fcbc970d | Type: image
  MD5: 7E7772B9082398986ECF26FCF617E86F
  SHA256: 3395CB1ADE8B873060359709D8700008306C7961A5FBD9B1060472044263602D
PID: 1292 | Process: SetupEngine_win64_x86.exe | Filename: C:\Users\admin\AppData\Local\Temp\f521642b | Type: image
  MD5: 7E7772B9082398986ECF26FCF617E86F
  SHA256: 3395CB1ADE8B873060359709D8700008306C7961A5FBD9B1060472044263602D
PID: 1072 | Process: SetupEngine_win64_x86.exe | Filename: C:\Users\admin\AppData\Local\Temp\ffe16284 | Type: image
  MD5: 7E7772B9082398986ECF26FCF617E86F
  SHA256: 3395CB1ADE8B873060359709D8700008306C7961A5FBD9B1060472044263602D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process                    IP:port              Domain                     ASN            CN   Reputation
4     System                     192.168.100.255:138  -                          -              -    unknown
4     System                     192.168.100.255:137  -                          -              -    whitelisted
-     -                          224.0.0.252:5355     -                          -              -    unknown
1292  SetupEngine_win64_x86.exe  188.114.97.3:443     download.jesaqiu5.online   CLOUDFLARENET  NL   unknown
1640  SetupEngine_win64_x86.exe  188.114.97.3:443     download.jesaqiu5.online   CLOUDFLARENET  NL   unknown
1072  SetupEngine_win64_x86.exe  188.114.97.3:443     download.jesaqiu5.online   CLOUDFLARENET  NL   unknown

DNS requests

Domain                     IP                           Reputation
download.jesaqiu5.online   188.114.97.3, 188.114.96.3   unknown

Threats

No threats detected
No debug info