analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://maryshoodies.com/hid.exe

Full analysis: https://app.any.run/tasks/83aa6268-8d8b-469a-85fc-dbd090c30276
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 19, 2019, 08:43:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

738246BE47A7BE2D39EA9015B0A456A7

SHA1:

9817963F2EDE041C86E10E3EBDD93C7706694B48

SHA256:

8185C49462710A35A4EB573ABCDBE0EADEFCAAF792B8F19689ACF01DACBB132B

SSDEEP:

3:N1KTjKKKC/M9N:CnRKCE9N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 964)

    • Application was dropped or rewritten from another process

      • hid[1].exe (PID: 3724)
      • hid[1].exe (PID: 3440)

    • Actions looks like stealing of personal data

      • hid[1].exe (PID: 3724)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 964)
      • iexplore.exe (PID: 2912)

    • Application launched itself

      • hid[1].exe (PID: 3440)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 964)

    • Application launched itself

      • iexplore.exe (PID: 2912)

    • Changes internet zones settings

      • iexplore.exe (PID: 2912)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 964)
      • iexplore.exe (PID: 2912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe hid[1].exe no specs hid[1].exe

Process information

PID
CMD
Path
Indicators
Parent process
2912"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
964"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2912 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3440"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\hid[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\hid[1].exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Description:
VistaTask
Exit code:
0
Version:
1.4.8.0
3724"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\hid[1].exe"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\hid[1].exe
hid[1].exe
User:
admin
Integrity Level:
MEDIUM
Description:
VistaTask
Version:
1.4.8.0
Total events
663
Read events
611
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
1
Text files
11
Unknown types
6

Dropped files

PID
Process
Filename
Type
2912iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2912iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF44C4C75E6E777C7B.TMP
MD5:
SHA256:
2912iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF25566A610462280.TMP
MD5:
SHA256:
2912iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{593D451D-926E-11E9-B63D-5254004A04AF}.dat
MD5:
SHA256:
2912iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{593D451E-926E-11E9-B63D-5254004A04AF}.datbinary
MD5:957A5FA5A1E7401276AA80FCF88F8F34
SHA256:18AC198BD7123BB47FCE68540D9A5CCF429BB3E09FE0FAD8F4C46B5F8F3F531E
964iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:7A979B825C1EF3854576C323EE97FBD6
SHA256:8595041B2885B6A71D021CC637F026865E93366C4B691530544B5987DF79264D
964iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AIEOCDDZ\hid[1].exeexecutable
MD5:5E12FAC2C65EA9F4B1E79611E3187EBD
SHA256:20B356B1D97FFB9F30F6B9E06C07DD06C0C424FE2D1915E887BC2EC4CB4EF56D
2912iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061920190620\index.datdat
MD5:52E993D78E1AEDE2D68F2E029910B9C5
SHA256:05E904D00ECCAE4E9918E7D8463926B104590DB3BA151FE5601259F332DA3FA3
964iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.logtext
MD5:100B66817CC7B608D8ED9B85ED91EA79
SHA256:E2F99854587511C1D4508848A49F0B9F92DD5EDE4D5BB799DDECD291779532CD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
964
iexplore.exe
GET
200
107.180.14.68:80
http://maryshoodies.com/hid.exe
US
executable
369 Kb
malicious
2912
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2912
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3724
hid[1].exe
160.153.16.59:587
newstylesmalta.com
GoDaddy.com, LLC
US
malicious
964
iexplore.exe
107.180.14.68:80
maryshoodies.com
GoDaddy.com, LLC
US
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
maryshoodies.com
  • 107.180.14.68
malicious
newstylesmalta.com
  • 160.153.16.59
malicious

Threats

PID
Process
Class
Message
964
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
964
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3724
hid[1].exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://maryshoodies.com/hid.exe