Malware analysis apt34leak.7z Malicious activity | ANY.RUN

Add for printing

File name:	apt34leak.7z
Full analysis:	https://app.any.run/tasks/febb51eb-3058-458d-9402-7cfe8da25d35
Verdict:	Malicious activity
Analysis date:	May 07, 2019, 12:46:51
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	797B13E4E232028334D95BA03B1CC6AD
SHA1:	068214E5A04CBE454B4689C046770227F5B09C07
SHA256:	06DE1E67107FDD120F4E97732371698C2AB16640934C7E2AA41034C8EBEC2C87
SSDEEP:	393216:eePLmaHl9paUtNtZbn2jkrJmI14x+nrSRRm5nuA:e+yMlK4PZyYk4nrSRg5uA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 2564)
- Application was dropped or rewritten from another process
  - newPanel-dbg.exe (PID: 3356)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3464)
- Creates files in the user directory
  - powershell.exe (PID: 1688)
  - powershell.exe (PID: 3640)
  - powershell.exe (PID: 3804)
  - powershell.exe (PID: 2432)
  - powershell.exe (PID: 584)
  - powershell.exe (PID: 1920)
  - powershell.exe (PID: 3524)
  - powershell.exe (PID: 916)
- Executes PowerShell scripts
  - WScript.exe (PID: 1908)
INFO
- Dropped object may contain Bitcoin addresses
  - WinRAR.exe (PID: 2472)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

572

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

—

services.exe

User:

LOCAL SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

PresentationFontCache.exe

Exit code:

Version:

3.0.6920.4902 built by: NetFXw7

Modules

Images
c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

584

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -file <AGENT PATH>

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

WScript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

4294770688

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll

916

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\dns.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

996

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\dns.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell ISE

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1688

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\dns.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

1908

"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\runner_.vbs"

C:\Windows\System32\WScript.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1920

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\dns.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

2432

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\dns.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

2472

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\apt34leak.7z"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

2564

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\System32\SearchProtocolHost.exe

—

SearchIndexer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Windows Search Protocol Host

Exit code:

Version:

7.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

2 644

Read events

2 147

Write events

497

Delete events

Modification events


(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\apt34leak.7z
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Abu Dhabi airports.zip		compressed
		MD5:0D38306C9D22BDBFDE4490BA075DF131	SHA256:84F1F7331835ACD1FA0842501B9C1563C5B9381A0F4D0CB21E99E2415C00EDE9
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Jordan NITC - National Information Technology Center.zip		compressed
		MD5:E6594128F9658EDEDBD892CB3E3B9267	SHA256:F0B0DB92B378D3936F092B2B68F9AD82605185C5E1C6B6EA2FDE78B20929E7F1
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Emirates Federal Competitiveness and Statistics Authority.zip		compressed
		MD5:849E23239A30C3FB9CCD26CC78276C97	SHA256:1268A6DA7CC7F45DDD80BA143002E86C87E2C45D27E9943D8A41493B3C5F39C0
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Lamprell Energy Ltd.zip		compressed
		MD5:059C7E00990385ED7F0923D89E7C8645	SHA256:D55D625111A7D6CBEEC718A7D4BE6792A432122A9AF9866E7FA29756FD319C31
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Emirates National Oil Co (2).zip		compressed
		MD5:D4D28C4EB6D92CA453C51C7D7E143BCC	SHA256:9F7A168A4A582F7487B2745A040D3FF35BCEBD78C9802197A5D97122B9E44037
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Kuwait Amiri Diwan da.gov.kw.zip		compressed
		MD5:67099C949502839F5969134BAAD862B2	SHA256:4BBEE2990C622C8729AA2836E191DFE0AAD274CE2ECEF43C5F7F68AF7F591432
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Emirates Policy Center.zip		compressed
		MD5:1EB5E28751E9725C0A87C1ED1E9EEFD9	SHA256:AED8E59EF052DA37829BD391D4D72998D90C85DB2BF015B1007FDE0F0680F21B
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\National Securtiy Agency of Bahrain.zip		compressed
		MD5:8702898F061CBC6ECFFF40BE8B1B7553	SHA256:01F31E92E35CBAFB1C73F7B5D009201A03873DE43A0FF76EA0D6A36A04FC4539
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Abu Dhabi Statistics Center scad.ae.zip		compressed
		MD5:EE7B1B428CD840205BD1DAAC53D4316B	SHA256:34244AEFBB98934DCE0A8A59D33BDA13C14EF73860C032D349B3094A6F9AAEB1
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Emirates NMC National Media Company.zip		compressed
		MD5:3B3874C26FF8E388E849E5E147E76A6D	SHA256:60DDA03F6E5A1F557D3208E80C804ACF5FE43FA31143B8E04BB23416FEAC3B75

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

Process	Message
powershell_ise.exe	* HR originated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR originated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144

General Info

apt34leak.7z

797B13E4E232028334D95BA03B1CC6AD

068214E5A04CBE454B4689C046770227F5B09C07

06DE1E67107FDD120F4E97732371698C2AB16640934C7E2AA41034C8EBEC2C87

393216:eePLmaHl9paUtNtZbn2jkrJmI14x+nrSRRm5nuA:e+yMlK4PZyYk4nrSRg5uA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Executes PowerShell scripts

INFO

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings