Analysis

max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2022 13:47
Static task: static1
Behavioral task: behavioral1
Sample: mal.exe
Resource: win7-20220812-en
General

Target: mal.exe
Size: 489KB
MD5: 586a9c5e9e255f1153e3b8af5cc8daa7
SHA1: 459cf021625581474a464271d98cd065c1bd4f17
SHA256: 41b8e7e2d6b226268c3e95dc9ec3f897b60d3bc89daeb743eb585568ff034454
SHA512: ab0facd667688022d251dca8c1bfb43ddfad7b53609335dec6065e690a57ba4014d2198c56ce3f23b1c24b56c18ed1b58a1d02395bab5f97883e48f7913758c6
SSDEEP: 3072:6VkgE+24QtMsYDJ0tqI6tQfX3C0slMpSHHYHbcuqXJIjG9kJjN2yDXuWdCPBnT9B:6VkA2x6tiXUMpGuwIq6tEyDeWWnJF
Malware Config

Extracted: colibri
  Version: 1.2.0
  Build: Build1
  C2 URLs:
    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted: marsstealer
  Config: Default
Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  4172  conhost.exe
  3692  conhost.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                           pid   process      target process
  PID 4172 set thread context of 3692   4172  conhost.exe  conhost.exe
  PID 920 set thread context of 2184    920   mal.exe      mal.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes (consecutive identical rows collapsed, count in last column):
  description                         pid   process      target process   count
  PID 2268 wrote to memory of 4172    2268  mal.exe      conhost.exe      3
  PID 4172 wrote to memory of 3692    4172  conhost.exe  conhost.exe      3
  PID 2268 wrote to memory of 3744    2268  mal.exe      mal.exe          3
  PID 4172 wrote to memory of 3692    4172  conhost.exe  conhost.exe      4
  PID 3744 wrote to memory of 920     3744  mal.exe      mal.exe          3
  PID 920 wrote to memory of 2184     920   mal.exe      mal.exe          10
Processes (tree; indentation shows parent/child, command line on the second line of each entry)

C:\Users\Admin\AppData\Local\Temp\mal.exe
  "C:\Users\Admin\AppData\Local\Temp\mal.exe"
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\conhost.exe
    "C:\ProgramData\conhost.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\conhost.exe
      "C:\ProgramData\conhost.exe"
      - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\mal.exe
    "C:\Users\Admin\AppData\Local\Temp\mal.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\mal.exe
      "C:\Users\Admin\AppData\Local\Temp\mal.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\mal.exe
        "C:\Users\Admin\AppData\Local\Temp\mal.exe"
Network
MITRE ATT&CK Matrix
Downloads

C:\ProgramData\conhost.exe (the report lists this dropped file three times with identical hashes)
  Filesize: 75KB
  MD5: e0a68b98992c1699876f818a22b5b907
  SHA1: d41e8ad8ba51217eb0340f8f69629ccb474484d0
  SHA256: 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
  SHA512: 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Memory dumps (pid-index-range):
  memory/920-142-0x0000000000A5B000-0x0000000000A6E000-memory.dmp   Filesize: 76KB
  memory/920-141-0x0000000000000000-mapping.dmp
  memory/2184-148-0x0000000000400000-0x000000000043D000-memory.dmp  Filesize: 244KB
  memory/2184-146-0x0000000000400000-0x000000000043D000-memory.dmp  Filesize: 244KB
  memory/2184-144-0x0000000000400000-0x000000000043D000-memory.dmp  Filesize: 244KB
  memory/2184-143-0x0000000000000000-mapping.dmp
  memory/2268-134-0x0000000001408000-0x000000000141B000-memory.dmp  Filesize: 76KB
  memory/3692-137-0x0000000000000000-mapping.dmp
  memory/3692-138-0x0000000000400000-0x0000000000407000-memory.dmp  Filesize: 28KB
  memory/3692-147-0x0000000000400000-0x0000000000407000-memory.dmp  Filesize: 28KB
  memory/3744-136-0x0000000000000000-mapping.dmp
  memory/3744-140-0x000000000092B000-0x000000000093E000-memory.dmp  Filesize: 76KB
  memory/4172-132-0x0000000000000000-mapping.dmp