Analysis
-
max time kernel
93s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
15-04-2023 06:29
Static task
static1
Behavioral task
behavioral1
Sample
Mars Stealer 8 cracked.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Mars Stealer 8 cracked.exe
Resource
win10v2004-20230220-en
General
-
Target
Mars Stealer 8 cracked.exe
-
Size
9.7MB
-
MD5
2add5cd2d251750b6edbbcf9c618e2bd
-
SHA1
a167e4ef8c03e1c6b66fe75a9a61735eafd70cd8
-
SHA256
62a60f11e2c96019ad01d1cbae35dc3b71a1bdac7bfd0a0f207d69487e11374c
-
SHA512
ad7d5351de1698a6b60c0eeed13050dbefac2582300a9e4caf692d75b9507e15b2082d562d51df8ea0d79a0150b8de4464b2c92ea33386090dc9865e93133ca8
-
SSDEEP
196608:J2eeOCr4PpZVzx60Iwx2BbjDRog9AkczZtwc7V4IuSal:J2eZW4PpZVUy2p1z9Ar3wTIuSal
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Mars Stealer 8 cracked.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation Mars Stealer 8 cracked.exe -
Drops startup file 2 IoCs
Processes:
crack.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe crack.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe crack.exe -
Executes dropped EXE 1 IoCs
Processes:
crack.exepid process 3096 crack.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
crack.exepid process 3096 crack.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Mars Stealer 8 cracked.exepid process 1664 Mars Stealer 8 cracked.exe 1664 Mars Stealer 8 cracked.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Mars Stealer 8 cracked.exedescription pid process target process PID 1664 wrote to memory of 3096 1664 Mars Stealer 8 cracked.exe crack.exe PID 1664 wrote to memory of 3096 1664 Mars Stealer 8 cracked.exe crack.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\crack.exe"C:\Users\Admin\AppData\Local\Temp\crack.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3096
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Panel\www\panel\assets\images\flags\re.pngFilesize
545B
MD5c1cf1874c3305e5663547a48f6ad2d8c
SHA10f67f12d76a0543772a3259a3b38935381349e01
SHA25679a39793efbf8217efbbc840e1b2041fe995363a5f12f0c01dd4d1462e5eb842
SHA512c00e202e083f703e39cafbb86f3e3f6b330359906e3a6c7a6a78364d6adeb489f8b8ab1b2d6a1b8d9ef1a17702cfc8fc17219cf1aae3e5a7c18833f028037843
-
C:\Users\Admin\AppData\Local\Temp\Panel\www\panel\assets\images\flags\sj.pngFilesize
512B
MD5559ce5baaee373db8da150a5066c1062
SHA1ee80e5f63c986d04f46bff10f639113c88107ced
SHA256f8dc302371c809ebda3e9183c606264601f8dd851d2b1878fd25f0f6abe2988c
SHA512c0ca7595cdd2dcef0385ccb1c0d15bb74accaea63b9531233bddf14c1791ffc9712dff660292706cfa269a975d29d7a189885cd09046ac6d8ed39a57ec9557ca
-
C:\Users\Admin\AppData\Local\Temp\crack.exeFilesize
18KB
MD5a0a22ba1e62b67b91905665b86df33b3
SHA130f03b81aa46284e26ffb7de1f17ab4203c7fff6
SHA256e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94
SHA51239c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb
-
C:\Users\Admin\AppData\Local\Temp\crack.exeFilesize
18KB
MD5a0a22ba1e62b67b91905665b86df33b3
SHA130f03b81aa46284e26ffb7de1f17ab4203c7fff6
SHA256e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94
SHA51239c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb
-
C:\Users\Admin\AppData\Local\Temp\crack.exeFilesize
18KB
MD5a0a22ba1e62b67b91905665b86df33b3
SHA130f03b81aa46284e26ffb7de1f17ab4203c7fff6
SHA256e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94
SHA51239c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb
-
memory/3096-828-0x00000000000C0000-0x00000000000CC000-memory.dmpFilesize
48KB
-
memory/3096-831-0x000000001C9C0000-0x000000001C9D0000-memory.dmpFilesize
64KB
-
memory/3096-832-0x000000001C9C0000-0x000000001C9D0000-memory.dmpFilesize
64KB