Malware analysis apt34leak.7z Malicious activity | ANY.RUN

Add for printing

File name:	apt34leak.7z
Full analysis:	https://app.any.run/tasks/febb51eb-3058-458d-9402-7cfe8da25d35
Verdict:	Malicious activity
Analysis date:	May 07, 2019, 12:46:51
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	797B13E4E232028334D95BA03B1CC6AD
SHA1:	068214E5A04CBE454B4689C046770227F5B09C07
SHA256:	06DE1E67107FDD120F4E97732371698C2AB16640934C7E2AA41034C8EBEC2C87
SSDEEP:	393216:eePLmaHl9paUtNtZbn2jkrJmI14x+nrSRRm5nuA:e+yMlK4PZyYk4nrSRg5uA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 2564)
- Application was dropped or rewritten from another process
  - newPanel-dbg.exe (PID: 3356)
SUSPICIOUS
- Creates files in the user directory
  - powershell.exe (PID: 3640)
  - powershell.exe (PID: 3804)
  - powershell.exe (PID: 584)
  - powershell.exe (PID: 3524)
  - powershell.exe (PID: 916)
  - powershell.exe (PID: 2432)
  - powershell.exe (PID: 1688)
  - powershell.exe (PID: 1920)
- Executes PowerShell scripts
  - WScript.exe (PID: 1908)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3464)
INFO
- Dropped object may contain Bitcoin addresses
  - WinRAR.exe (PID: 2472)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

572

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

—

services.exe

User:

LOCAL SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

PresentationFontCache.exe

Exit code:

Version:

3.0.6920.4902 built by: NetFXw7

Modules

Images
c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

584

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -file <AGENT PATH>

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

WScript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

4294770688

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll

916

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\dns.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

996

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\dns.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell ISE

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1688

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\dns.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

1908

"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\runner_.vbs"

C:\Windows\System32\WScript.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1920

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\dns.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

2432

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\apt34leak\Glimpse\Agent\dns.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

2472

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\apt34leak.7z"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

2564

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\System32\SearchProtocolHost.exe

—

SearchIndexer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Windows Search Protocol Host

Exit code:

Version:

7.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

2 644

Read events

2 147

Write events

497

Delete events

Modification events


(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\apt34leak.7z
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2472) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Abu Dhabi airports.zip		compressed
		MD5:0D38306C9D22BDBFDE4490BA075DF131	SHA256:84F1F7331835ACD1FA0842501B9C1563C5B9381A0F4D0CB21E99E2415C00EDE9
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Etithad Airways.zip		compressed
		MD5:CC9036A199DCD7E19971CBE3C16A70C5	SHA256:CDB0F9AB1CC6C30F7384932A374961E26873D1788861D6B2078735340CC3C3D3
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Dubai Media Inc.zip		compressed
		MD5:E0F8F22F247D90214639B396523B347E	SHA256:8F396DFBFF1F2E18E20978850A08751735737076D08A84784347B21723DA5EE1
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Emirates Prime Minister Office.zip		compressed
		MD5:66C151F826B314C57EFC6C9B80EEA694	SHA256:FF213815AC307DE05E374A8D645384F2A1C676B6AED2F1ED7AC3E2CC90F79897
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Jordan NITC - National Information Technology Center.zip		compressed
		MD5:E6594128F9658EDEDBD892CB3E3B9267	SHA256:F0B0DB92B378D3936F092B2B68F9AD82605185C5E1C6B6EA2FDE78B20929E7F1
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Glimpse.zip		compressed
		MD5:47A7C027098BA12103E4A37F3BE72C62	SHA256:E91F9A2CB643E3556B7122C6D4EBC77888C93C814D456B65E17DE0C9766F9C55
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Jordan Software solutions company primus.com.jo.zip		compressed
		MD5:E5A33FC317D21A6C788EE4689F180902	SHA256:508207B96143F95A2C07E6ABB3BEE04F4B39D8394DC75DADC015C7CE8C9D5640
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Nigerian building and road research institute.zip		compressed
		MD5:13FB0522FCC9BB5B17FD1F3DA4823175	SHA256:F707E545B2350F4071E36E49747BB36D6B6552F8954911CE50ED60E47F926C34
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Emirates NMC National Media Company.zip		compressed
		MD5:3B3874C26FF8E388E849E5E147E76A6D	SHA256:60DDA03F6E5A1F557D3208E80C804ACF5FE43FA31143B8E04BB23416FEAC3B75
2472	WinRAR.exe	C:\Users\admin\Desktop\apt34leak\Emirates Policy Center.zip		compressed
		MD5:1EB5E28751E9725C0A87C1ED1E9EEFD9	SHA256:AED8E59EF052DA37829BD391D4D72998D90C85DB2BF015B1007FDE0F0680F21B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

Process	Message
powershell_ise.exe	* HR originated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR originated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell_ise.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144

General Info

apt34leak.7z

797B13E4E232028334D95BA03B1CC6AD

068214E5A04CBE454B4689C046770227F5B09C07

06DE1E67107FDD120F4E97732371698C2AB16640934C7E2AA41034C8EBEC2C87

393216:eePLmaHl9paUtNtZbn2jkrJmI14x+nrSRRm5nuA:e+yMlK4PZyYk4nrSRg5uA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Creates files in the user directory

Executes PowerShell scripts

Executable content was dropped or overwritten

INFO

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings