analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://cmokc.com/wp-content/themes/gaukingo/9qph4uxbvqdfzv/wrqqfxwr.php

Full analysis: https://app.any.run/tasks/b19045b8-76c3-4bb0-b144-bef23641de9a
Verdict: Malicious activity
Threats:

Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data.

Malware Trends Tracker     >>>
Analysis date: November 08, 2019, 15:30:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
trojan
ransomware
maze
Indicators:
MD5:

00687731AC25ED56C3E5FD86BDBE82C9

SHA1:

64352667125CAAEC965123137C3676C35034E2F2

SHA256:

5510D6366146E1825FF07378FECD56E9DC4BAD8977DEE7F203CA054E51380DA3

SSDEEP:

3:N1KdIqGvOlAQrF6FPsTGJ9MV:CKqGvOlAkFmaEU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 963451.dat (PID: 3544)

    • Writes to a start menu file

      • 963451.dat (PID: 3544)

    • Deletes shadow copies

      • 963451.dat (PID: 3544)

    • MAZE was detected

      • 963451.dat (PID: 3544)

    • Renames files like Ransomware

      • 963451.dat (PID: 3544)

    • Writes file to Word startup folder

      • 963451.dat (PID: 3544)

    • Actions looks like stealing of personal data

      • 963451.dat (PID: 3544)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 1944)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • WScript.exe (PID: 1944)

    • Executes scripts

      • WinRAR.exe (PID: 2820)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 1944)

    • Creates files in the user directory

      • WScript.exe (PID: 1944)
      • 963451.dat (PID: 3544)

    • Creates files like Ransomware instruction

      • 963451.dat (PID: 3544)

    • Creates files in the program directory

      • 963451.dat (PID: 3544)

    • Reads the cookies of Mozilla Firefox

      • 963451.dat (PID: 3544)

    • Connects to server without host name

      • 963451.dat (PID: 3544)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2128)

    • Changes internet zones settings

      • iexplore.exe (PID: 2128)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2128)
      • iexplore.exe (PID: 3380)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3380)
      • iexplore.exe (PID: 2128)

    • Creates files in the user directory

      • iexplore.exe (PID: 3380)
      • iexplore.exe (PID: 2128)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3380)

    • Dropped object may contain TOR URL's

      • 963451.dat (PID: 3544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe winrar.exe no specs wscript.exe #MAZE 963451.dat wmic.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2128"C:\Program Files\Internet Explorer\iexplore.exe" "http://cmokc.com/wp-content/themes/gaukingo/9qph4uxbvqdfzv/wrqqfxwr.php"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3380"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2128 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2820"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\885C78ZB\23018[1].zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1944"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2820.27434\Camera_595934025.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3544C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\963451.datC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\963451.dat
WScript.exe
User:
admin
Integrity Level:
MEDIUM
792"C:\jr\..\Windows\d\..\system32\cca\pcce\..\..\wbem\woply\iruhn\..\..\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exe963451.dat
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
896"C:\bs\..\Windows\uakxr\ec\qbyvd\..\..\..\system32\msij\xilox\o\..\..\..\wbem\r\usru\..\..\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exe963451.dat
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 581
Read events
1 376
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
333
Text files
279
Unknown types
13

Dropped files

PID
Process
Filename
Type
2128iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2128iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ED3LN8I\select[1].php
MD5:
SHA256:
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QZJR0YN6\Default[1].txt
MD5:
SHA256:
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:EBA8A8BA119D1F46A617F069512EBDDB
SHA256:231E186E9B43C6B02F8EF70EDD8E3F4F06B532B1DBE48D12578E5BD4C3A9C1D6
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QZJR0YN6\Default[1].htmhtml
MD5:B50F1D99B40FB5FC5037F45D5EC56B0D
SHA256:F58CA13524C834312EBBB2B5506F6BA7B63C1C212C1B8A52580ADECCA2525D8D
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ED3LN8I\style[1].csstext
MD5:818611D28959E79F9A9BA5C1061D84DA
SHA256:19BE5EAD117FB7D9B077526AFE8C32973326B45C2D551B679F420E1F1C92A43D
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2G2IZTL2\modernizr.custom[1].jshtml
MD5:FB210E16D7744126F7922387897DD495
SHA256:CCD5DD62F81C022544BEC23E481204BF2085918F7A3D3A74FE62D62939FDBFE0
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ED3LN8I\select[1].htmhtml
MD5:F7B9C0D7952D8A329C501E75B664A736
SHA256:FDE8627695AF58AB589C1CD4397BC7C789FD5FE957CCCEF86067BF2E2C9C631E
3380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:E3171C880B02FF82223BBD414F2BE69D
SHA256:AFABF10ADE7316701586D58E66FA4975B78049391DBE79D0AD8DB48238D7F73B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
45
TCP/UDP connections
57
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3380
iexplore.exe
GET
302
52.116.231.90:80
http://cmokc.com/wp-content/themes/gaukingo/9qph4uxbvqdfzv/wrqqfxwr.php
US
unknown
3380
iexplore.exe
GET
147.139.137.244:80
http://b09v.ukparkingctrl.com/october/indata/cam/select_opt/select.php?module=captcha
US
malicious
3380
iexplore.exe
GET
147.139.137.244:80
http://b09v.ukparkingctrl.com/70/assets/the_parking_pro.png
US
malicious
3380
iexplore.exe
GET
147.139.137.244:80
http://b09v.ukparkingctrl.com/70/assets/logo.png
US
malicious
3380
iexplore.exe
GET
147.139.137.244:80
http://b09v.ukparkingctrl.com/70/assets/bg.png
US
malicious
3380
iexplore.exe
GET
147.139.137.244:80
http://b09v.ukparkingctrl.com/70/assets/top_bg.png
US
malicious
3380
iexplore.exe
GET
147.139.137.244:80
http://b09v.ukparkingctrl.com/70/assets/Photographic_banner.jpg
US
malicious
3380
iexplore.exe
GET
200
147.139.137.244:80
http://b09v.ukparkingctrl.com/october/indata/cam/select_opt/select.php
US
html
1.92 Kb
malicious
3380
iexplore.exe
GET
200
147.139.137.244:80
http://b09v.ukparkingctrl.com/70/assets/jquery-1.js
US
text
32.6 Kb
malicious
3380
iexplore.exe
POST
147.139.137.244:80
http://b09v.ukparkingctrl.com/october/indata/cam/select_opt/select.php
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2128
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3380
iexplore.exe
152.199.19.160:443
ajax.aspnetcdn.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3380
iexplore.exe
52.116.231.90:80
cmokc.com
US
unknown
3380
iexplore.exe
51.145.119.85:443
www.ukpcappeals.co.uk
Microsoft Corporation
GB
unknown
3380
iexplore.exe
147.139.137.244:80
b09v.ukparkingctrl.com
US
malicious
51.145.119.85:443
www.ukpcappeals.co.uk
Microsoft Corporation
GB
unknown
2128
iexplore.exe
51.145.119.85:443
www.ukpcappeals.co.uk
Microsoft Corporation
GB
unknown
2128
iexplore.exe
147.139.137.244:80
b09v.ukparkingctrl.com
US
malicious
3544
963451.dat
91.218.114.25:80
Mir Telematiki Ltd
RU
malicious
3544
963451.dat
91.218.114.31:80
Mir Telematiki Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
cmokc.com
  • 52.116.231.90
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
b09v.ukparkingctrl.com
  • 147.139.137.244
malicious
www.ukpcappeals.co.uk
  • 51.145.119.85
unknown
ajax.aspnetcdn.com
  • 152.199.19.160
whitelisted
www.highlevelsuccess.monster
  • 111.90.156.64
malicious

Threats

PID
Process
Class
Message
3380
iexplore.exe
Misc activity
ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)
1944
WScript.exe
A Network Trojan was detected
ET TROJAN Possible Malicious Macro DL EXE Feb 2016
1944
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1944
WScript.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3544
963451.dat
A Network Trojan was detected
MALWARE [PTsecurity] Maze Ransomware
3544
963451.dat
A Network Trojan was detected
MALWARE [PTsecurity] Maze Ransomware
3544
963451.dat
A Network Trojan was detected
MALWARE [PTsecurity] Maze Ransomware
3544
963451.dat
A Network Trojan was detected
MALWARE [PTsecurity] Maze Ransomware
3544
963451.dat
A Network Trojan was detected
MALWARE [PTsecurity] Maze Ransomware
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://cmokc.com/wp-content/themes/gaukingo/9qph4uxbvqdfzv/wrqqfxwr.php