analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://cdn-150.anonfiles.com/88U7t2i8z7/818c31da-1680369712/maria.exe

Full analysis: https://app.any.run/tasks/93e48704-04ac-4e8c-be5a-0365005fd9d2
Verdict: Malicious activity
Analysis date: April 01, 2023, 17:12:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

2F9FC81D5CB8708D1F608F5A31162C36

SHA1:

B9CAB5DA9CD1D364CC6A28FE9C6DD01DFED739BE

SHA256:

18303588A71CC0A4E457C60ABD9CE687B3C3830AAA55F4D48529E89EDD9932C3

SSDEEP:

3:N8cFQrQ2AuDOUBC60XqFkAn:2cFQE2Au5Clqb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • maria.exe (PID: 2792)

    • Create files in the Startup directory

      • maria.exe (PID: 2792)

    • Changes the autorun value in the registry

      • maria.exe (PID: 2792)

    • Starts CMD.EXE for self-deleting

      • maria.exe (PID: 2792)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • maria.exe (PID: 2792)

    • Starts CMD.EXE for commands execution

      • maria.exe (PID: 2792)

  • INFO

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3196)
      • iexplore.exe (PID: 2884)

    • Application launched itself

      • iexplore.exe (PID: 2884)

    • Create files in a temporary directory

      • iexplore.exe (PID: 3196)
      • iexplore.exe (PID: 2884)
      • maria.exe (PID: 2792)

    • Reads the computer name

      • maria.exe (PID: 2792)

    • Checks supported languages

      • maria.exe (PID: 2792)

    • Creates files or folders in the user directory

      • maria.exe (PID: 2792)

    • The process uses the downloaded file

      • iexplore.exe (PID: 2884)
      • maria.exe (PID: 2792)

    • The process checks LSA protection

      • maria.exe (PID: 2792)

    • Reads the machine GUID from the registry

      • maria.exe (PID: 2792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe maria.exe cmd.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2884"C:\Program Files\Internet Explorer\iexplore.exe" "https://cdn-150.anonfiles.com/88U7t2i8z7/818c31da-1680369712/maria.exe"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3196"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2884 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcrt.dll
2792"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\maria.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\maria.exe
iexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\maria.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
2532cmd.exe /c ping 0 -n 2 & del "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\maria.exe"C:\Windows\System32\cmd.exemaria.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3180ping 0 -n 2 C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
Total events
36 142
Read events
35 990
Write events
150
Delete events
2

Modification events

(PID) Process:(2884) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
0
(PID) Process:(2884) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30847387
(PID) Process:(2884) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30847437
(PID) Process:(2884) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2884) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2884) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2884) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2884) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2884) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2884) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
8
Suspicious files
18
Text files
12
Unknown types
8

Dropped files

PID
Process
Filename
Type
3196iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\maria.exe.ekxtf7q.partialexecutable
MD5:DF7936E502D9E8B55C56DF166E51C48D
SHA256:DCBD9B8ED3F44B30DC797A871915732401DA66987E4B5C7E010CEB89D137C278
3196iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\maria[1].exeexecutable
MD5:15E190D2D0E54A494EF32FD218EA3FF1
SHA256:9F942AD9E4A30EE2592745701EA6EBACB831506C0C07E80671D4602411D5B1C4
2884iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\maria.exeexecutable
MD5:DF7936E502D9E8B55C56DF166E51C48D
SHA256:DCBD9B8ED3F44B30DC797A871915732401DA66987E4B5C7E010CEB89D137C278
3196iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:9364608FD0F8CC25217EE49FA9175192
SHA256:3D228826F79AF9FE641632A26C479CAD9C704CEE4B5FF7B25378945BF7A1D098
3196iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:462B9577F593705E9180ACCF5F7BC409
SHA256:77FA5A2082059201EA30D7ACC03D65EFDE05BAB5E482E434A29489087C100290
2884iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{60A9550B-D0B0-11ED-94DF-12A9866C77DE}.datbinary
MD5:6A21A8B77616B2F612052D6DDB3FF8C5
SHA256:B1C4ED2D46EDD7615AA39FF2904846FC98DA95EDA42869996D4471D3B4C1C5F1
3196iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:7DA40646E9D5E16B4C3017DF214179C5
SHA256:B757B76BB8B66F6044952ACA14391B2B6F0BA3FBFF04269D057C993FBDCF8869
3196iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751der
MD5:EC8FF3B1DED0246437B1472C69DD1811
SHA256:E634C2D1ED20E0638C95597ADF4C9D392EBAB932D3353F18AF1E4421F4BB9CAB
2884iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFFF27224E66E04045.TMPgmc
MD5:370FD399951D3D3356FAE06B9E17786E
SHA256:A610D55A45C9C109FBACE955C4E9031A70492249B84EA741F994B7414AB175C5
3196iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarFC34.tmpcat
MD5:BE2BEC6E8C5653136D3E72FE53C98AA3
SHA256:1919AAB2A820642490169BDC4E88BD1189E22F83E7498BF8EBDFB62EC7D843FD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
11
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2884
iexplore.exe
GET
200
192.229.221.95:80
http://crl3.digicert.com/DigiCertGlobalRootCA.crl
US
der
779 b
whitelisted
3196
iexplore.exe
GET
200
23.37.41.57:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
3196
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?884ff7ffd71a194f
US
compressed
61.1 Kb
whitelisted
3196
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?76ce3b6368335e5d
US
compressed
4.70 Kb
whitelisted
3196
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?94000ae1bd6474a5
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3196
iexplore.exe
23.37.41.57:80
x1.c.lencr.org
AKAMAI-AS
DE
suspicious
2884
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3196
iexplore.exe
195.96.151.43:443
Svea Hosting AB
SE
suspicious
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
whitelisted
3196
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
x1.c.lencr.org
  • 23.37.41.57
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl3.digicert.com
  • 192.229.221.95
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://cdn-150.anonfiles.com/88U7t2i8z7/818c31da-1680369712/maria.exe