Malware analysis apilog19pub.zip Malicious activity | ANY.RUN

Add for printing

File name:	apilog19pub.zip
Full analysis:	https://app.any.run/tasks/151433d8-7417-48cb-bad1-9fc755c2aad8
Verdict:	Malicious activity
Analysis date:	March 21, 2019, 22:58:38
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	F015075225FACC7C852251151179793C
SHA1:	6D60C264A212C74CBA064234F1A8A38812FAAC9D
SHA256:	50F45FFD70B8E74213387E75BD124C0BEE87CA8B77B3616A2C3D558239F112AB
SSDEEP:	6144:tmNj4mcp4ZynQPP1KU++nQPP1K8vq/nInDJziMA6h57Cp6JAdO+EVtrEO8NKqV:wNj4mcp7nQPP1KUHnQPP1K8vq+9mMAio

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: on
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - x32.exe (PID: 2676)
  - apilogger.exe (PID: 2480)
  - x32.exe (PID: 1276)
  - x32.exe (PID: 2016)
  - x32.exe (PID: 2348)
  - x32.exe (PID: 3780)
- Loads dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 3604)
  - x32.exe (PID: 2676)
  - WerFault.exe (PID: 3580)
  - WerFault.exe (PID: 3016)
  - x32.exe (PID: 1276)
  - x32.exe (PID: 2348)
  - WerFault.exe (PID: 2780)
  - x32.exe (PID: 3780)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 1928)
- Uses RUNDLL32.EXE to load library
  - control.exe (PID: 3336)
  - control.exe (PID: 2848)
INFO
- Application was crashed
  - x32.exe (PID: 2676)
  - x32.exe (PID: 1276)
  - x32.exe (PID: 2348)
  - x32.exe (PID: 3780)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	test.exe
ZipUncompressedSize:	1536
ZipCompressedSize:	444
ZipCRC:	0xb6c7bb40
ZipModifyDate:	2004:12:09 18:57:09
ZipCompression:	Deflated
ZipBitFlag:	-
ZipRequiredVersion:	20

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1928	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\apilog19pub.zip"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
3604	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"	C:\Windows\System32\SearchProtocolHost.exe	—	SearchIndexer.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255)
2480	"C:\Users\admin\Desktop\apilog19pub\apilogger.exe"	C:\Users\admin\Desktop\apilog19pub\apilogger.exe	—	explorer.exe
User: admin Company: http://blackninja2000.narod.ru Integrity Level: MEDIUM Description: API Logger Injector Exit code: 0 Version: 1, 9, 0, 0
2676	C:\Users\admin\Desktop\apilog19pub\x32.exe	C:\Users\admin\Desktop\apilog19pub\x32.exe		apilogger.exe
User: admin Integrity Level: MEDIUM Exit code: 3221225477
3580	C:\Windows\system32\WerFault.exe -u -p 2676 -s 68	C:\Windows\system32\WerFault.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1276	C:\Users\admin\Desktop\apilog19pub\x32.exe	C:\Users\admin\Desktop\apilog19pub\x32.exe		apilogger.exe
User: admin Integrity Level: MEDIUM Exit code: 3221225477
3016	C:\Windows\system32\WerFault.exe -u -p 1276 -s 68	C:\Windows\system32\WerFault.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2016	"C:\Users\admin\Desktop\apilog19pub\x32.exe"	C:\Users\admin\Desktop\apilog19pub\x32.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM
4088	"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\apilog19pub\db.txt	C:\Windows\system32\NOTEPAD.EXE	—	apilogger.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1272	"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\apilog19pub\x32.exe.apilog.txt	C:\Windows\system32\NOTEPAD.EXE	—	apilogger.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 516

Read events

1 432

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1928	WinRAR.exe	C:\Users\admin\Desktop\apilog19pub\pluginsdk\DirectX_Logger\dxplugdb.txt		text
		MD5:F7728DFBA2967D32FC184FDB58821AA5	SHA256:1B7667A8C302112CC7027834E6C2AFBC55D712C422874B34FE457788A114D28F
1928	WinRAR.exe	C:\Users\admin\Desktop\apilog19pub\dxwrapper\src\intruder.cpp		text
		MD5:57DF8108DC29CAFBEF52D4FE85B3CC77	SHA256:22400359A438BB43885980B508DF2A753C5EB515C1356412F5940CE9086564C1
1928	WinRAR.exe	C:\Users\admin\Desktop\apilog19pub\dxwrapper\src\stdafx.cpp		text
		MD5:C333A5C71323A6CEC0B4E219736DC390	SHA256:818DFEBF087F5816A4A1BB4BC37C82334471687BF6BC703BC7740A3FD9FD03D0
1928	WinRAR.exe	C:\Users\admin\Desktop\apilog19pub\test.exe		executable
		MD5:7087C67F33EF721B473953FB4B503CF4	SHA256:F128D1CFC980776558E4FE1FECBDFE6D3A837D3F0D041BF2B8C905BE9793EC78
1928	WinRAR.exe	C:\Users\admin\Desktop\apilog19pub\dxwrapper\src\intruder.sln		text
		MD5:33C557A7C524FA7B78A0E145355BFE97	SHA256:BF7D2D48B6985B4981DD48A853596E999D021AB13C2DFDE0F3E45784A17275F6
1928	WinRAR.exe	C:\Users\admin\Desktop\apilog19pub\dxwrapper\src\intruder.h		text
		MD5:6B047558F5C41AD604066820A86CF508	SHA256:A4F6A4E5870B756DC48D99F95E94E1BA658B5432920BEB3AD3787009CF69C745
1928	WinRAR.exe	C:\Users\admin\Desktop\apilog19pub\dxwrapper\readme.txt		text
		MD5:87300A5C19E4AA73BA7ACFB6E72C72F8	SHA256:365B8559F643AD92392930F6AECEB7DE6EDC83E07134406094C3DAA7B855F44B
1928	WinRAR.exe	C:\Users\admin\Desktop\apilog19pub\dxwrapper\src\intruder.vcproj		xml
		MD5:1BD27EBD4514EBD47E9C04E87E3F42C7	SHA256:023AC8BFB6D3149EA5AB325F0ABE39DC05C1F219DB3FA61020BB0A4F28239EA2
1928	WinRAR.exe	C:\Users\admin\Desktop\apilog19pub\pluginsdk\dxlogplug\dxlogger.h		text
		MD5:72DC8CBE9D5B8DCD7813C9017FC0B3D3	SHA256:315797ADB1F2DB5E7B5108E103D9EA2389BF246235B4F1913B5C7895C43EFE58
1928	WinRAR.exe	C:\Users\admin\Desktop\apilog19pub\dxwrapper\src\intruder.rc		text
		MD5:049F5C4F76B38FB429E61558EB31E0DE	SHA256:CAAE4855268E1C9E820946471EF630DEE795B254B931280BB8F9FC60C50DBE0E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

apilog19pub.zip

F015075225FACC7C852251151179793C

6D60C264A212C74CBA064234F1A8A38812FAAC9D

50F45FFD70B8E74213387E75BD124C0BEE87CA8B77B3616A2C3D558239F112AB

6144:tmNj4mcp4ZynQPP1KU++nQPP1K8vq/nInDJziMA6h57Cp6JAdO+EVtrEO8NKqV:wNj4mcp7nQPP1KUHnQPP1K8vq+9mMAio

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Uses RUNDLL32.EXE to load library

INFO

Application was crashed

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings