Analysis Overview
SHA256
def6c030f46e8d7a9988942b704e41882da8584ef6456ec8358a9e8334f0a7f9
Threat Level: Known bad
The file 1704-14-0x0000000000400000-0x000000000043D000-memory.dmp was found to be: Known bad.
Malicious Activity Summary
Marsstealer family
Arkei
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-11-18 19:30
Signatures
Marsstealer family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-18 19:30
Reported
2023-11-18 19:32
Platform
win7-20231023-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Arkei
Processes
C:\Users\Admin\AppData\Local\Temp\1704-14-0x0000000000400000-0x000000000043D000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1704-14-0x0000000000400000-0x000000000043D000-memory.exe"
Network
Files
memory/2604-0-0x0000000000400000-0x000000000043D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-18 19:30
Reported
2023-11-18 19:32
Platform
win10v2004-20231020-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Arkei
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1704-14-0x0000000000400000-0x000000000043D000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1704-14-0x0000000000400000-0x000000000043D000-memory.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
Files
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
| Hash | Value |
|---|---|
| MD5 | 33b2ba134395de308b182166b9f64b77 |
| SHA1 | 936beaf6ebca4389bbbee2aa061703cc0c086b03 |
| SHA256 | f8693905daa402c88f88ec9c8c241aff783735166c511199fd91f3bda124cc80 |
| SHA512 | c4f880b2616ff2541b53f021d180a7d0bd517deec196035850fba9275498f28db9f53dff920c5ec4a4ce6dcfb9d13a6e8a44d2ff497de0a30612f303be81fa5a |