File name:	Mari.exe.v
Full analysis:	https://app.any.run/tasks/68d4aa63-d04b-48db-85ec-d4d29744ed8b
Verdict:	Malicious activity
Analysis date:	August 31, 2024, 17:16:55
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx websocket
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	DD3D5384657CD3890F8816B0A4B2F7D9
SHA1:	05A9047391140F9CEF70860F38137827D9FD63D1
SHA256:	118E7E258E4D9ADBC45ADDBE4E832933DCD8F728A398D3D8480E009EA11D4B95
SSDEEP:	98304:BUdB0OgQlKNKxxu7FXlgnPz/WcEJg28DFnZ1qo0bWxVo1tF+vm0+R99CqF59RCkt:od

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:08:29 14:59:49+00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.34
CodeSize:	2002432
InitializedDataSize:	2785792
UninitializedDataSize:	-
EntryPoint:	0x1b8fd8
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1
ProductVersionNumber:	1.0.0.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode


(PID) Process:	(3728) Mari.exe.v.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3728) Mari.exe.v.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3728) Mari.exe.v.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3728) Mari.exe.v.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3728) Mari.exe.v.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor
(PID) Process:	(3728) Mari.exe.v.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation
(PID) Process:	(2056) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	ConsentPromptBehaviorAdmin
Value: 0
(PID) Process:	(236) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	EnableLUA
Value: 0
(PID) Process:	(7108) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	PromptOnSecureDesktop
Value: 0
(PID) Process:	(2264) ShellExperienceHost.exe	Key:	\REGISTRY\A\{cdc231bb-663a-6536-6dc4-52d67b64887f}\LocalState
Operation:	write	Name:	PeekBadges
Value: 5B005D000000E6170AA0C9FBDA01

PID	Process	Filename		Type
3728	Mari.exe.v.exe	C:\Users\admin\AppData\Roaming\V49TG.bat		text
		MD5:30D6EB22D6AEEC10347239B17B023BF4	SHA256:659DF6B190A0B92FC34E3A4457B4A8D11A26A4CAF55DE64DFE79EB1276181F08
3728	Mari.exe.v.exe	C:\Users\Public\Documents\G0g6D\crP9L~i\p		executable
		MD5:35BE128BD588225161C645A210E4F0E2	SHA256:EA4795AFBDFE57E69E180A76C141055C1E5620C0B28D53448362E540C721F721
4996	cmd.exe	C:\Users\Public\Documents\G0g6D\crP9L~i\uc_guilib.dll		executable
		MD5:5730626B6EB0DDAEAF62989207C47F92	SHA256:CF967D3E57770AABCB718D723D3625A1A3ADC9F5291E5C668CF8DB4E35110B3C
6824	uc_ctrl.exe	C:\Users\admin\Videos\B55AED17~i\NH.TXT		binary
		MD5:4CD521A33C5F5086BB684174E76979B9	SHA256:3F00C8140ED52EA66B0E0F645A4680752324381C4959472B7D61830AB035D59D
3728	Mari.exe.v.exe	C:\Users\Public\Documents\G0g6D\crP9L~i\w		binary
		MD5:F7EA5667EC13663B2C82808E553D862C	SHA256:CC1C96CA2F1F329D79D09E3E7F0BA29CCF6A80567ED58435AB4696371A12E694
6824	uc_ctrl.exe	C:\Users\admin\Videos\B55AED17~i\msvcp140.dll		executable
		MD5:1D8C79F293CA86E8857149FB4EFE4452	SHA256:C09B126E7D4C1E6EFB3FFCDA2358252CE37383572C78E56CA97497A7F7C793E4
6824	uc_ctrl.exe	C:\Users\admin\Videos\B55AED17~i\uc_guilib.dll		executable
		MD5:5730626B6EB0DDAEAF62989207C47F92	SHA256:CF967D3E57770AABCB718D723D3625A1A3ADC9F5291E5C668CF8DB4E35110B3C
6824	uc_ctrl.exe	C:\Users\admin\Videos\B55AED17~i\vcruntime140.dll		executable
		MD5:B77EEAEAF5F8493189B89852F3A7A712	SHA256:B7C13F8519340257BA6AE3129AFCE961F137E394DDE3E4E41971B9F912355F5E
3728	Mari.exe.v.exe	C:\Users\Public\Documents\G0g6D\crP9L~i\NH.TXT		binary
		MD5:4CD521A33C5F5086BB684174E76979B9	SHA256:3F00C8140ED52EA66B0E0F645A4680752324381C4959472B7D61830AB035D59D
3728	Mari.exe.v.exe	C:\Users\Public\Documents\G0g6D\crP9L~i\msvcp140.dll		executable
		MD5:1D8C79F293CA86E8857149FB4EFE4452	SHA256:C09B126E7D4C1E6EFB3FFCDA2358252CE37383572C78E56CA97497A7F7C793E4

PID	Process	IP	Domain	ASN	CN	Reputation
6516	svchost.exe	20.49.150.241:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
6412	RUXIMICS.exe	20.49.150.241:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
2120	MoUsoCoreWorker.exe	20.49.150.241:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
2120	MoUsoCoreWorker.exe	52.167.249.196:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6516	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4324	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6824	uc_ctrl.exe	143.92.57.75:15628	—	BGPNET Global ASN	HK	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	20.49.150.241 52.167.249.196 51.124.78.146	whitelisted
google.com	142.250.185.110	whitelisted

PID	Process	Class	Message
6824	uc_ctrl.exe	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
6824	uc_ctrl.exe	Generic Protocol Command Decode	SURICATA HTTP Request line incomplete

General Info

Mari.exe.v

DD3D5384657CD3890F8816B0A4B2F7D9

05A9047391140F9CEF70860F38137827D9FD63D1

118E7E258E4D9ADBC45ADDBE4E832933DCD8F728A398D3D8480E009EA11D4B95

98304:BUdB0OgQlKNKxxu7FXlgnPz/WcEJg28DFnZ1qo0bWxVo1tF+vm0+R99CqF59RCkt:od

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

UAC/LUA settings modification

SUSPICIOUS

Reads security settings of Internet Explorer

Process uses IPCONFIG to discover network configuration

Mutex name with non-standard characters

Starts CMD.EXE for commands execution

Reads the date of Windows installation

Executing commands from a ".bat" file

Uses REG/REGEDIT.EXE to modify registry

Drops the executable file immediately after the start

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process drops C-runtime libraries

Likely accesses (executes) a file from the Public directory

There is functionality for taking screenshot (YARA)

Connects to unusual port

INFO

Reads the computer name

Checks supported languages

The process uses the downloaded file

Creates files or folders in the user directory

Process checks computer location settings

Reads security settings of Internet Explorer

UPX packer has been detected

Reads CPU info

Creates files in the program directory

Attempting to connect via WebSocket

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings