Analysis Overview
SHA256
09854915bafa02b6de0ee7b94d2487e7c8867563c1194ee8cb73d7e0cbc60d97
Threat Level: Known bad
The file ShE8qQv970pdsiQkvoCPdggJI3RnzXRX was found to be: Known bad.
Malicious Activity Summary
Mars Stealer
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-21 02:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-21 02:19
Reported
2023-12-21 02:20
Platform
win7-20231129-en
Max time kernel
50s
Max time network
20s
Command Line
Signatures
Mars Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe
"C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"
C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe
"C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 808
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | moscow-post.ru | udp |
| RU | 185.71.67.60:80 | moscow-post.ru | tcp |
| US | 8.8.8.8:53 | www.moscow-post.ru | udp |
| RU | 185.71.67.60:80 | www.moscow-post.ru | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
Files
memory/2932-0-0x0000000000950000-0x00000000009C2000-memory.dmp
memory/2932-1-0x0000000074AF0000-0x00000000751DE000-memory.dmp
memory/2932-2-0x00000000006C0000-0x0000000000700000-memory.dmp
memory/2932-12-0x0000000000750000-0x000000000078D000-memory.dmp
memory/2620-15-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2932-14-0x0000000074AF0000-0x00000000751DE000-memory.dmp
memory/2932-13-0x0000000000750000-0x000000000078D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe
| MD5 | 2f99ffd868c5ff919d23897058537c8e |
| SHA1 | 7f8f0cba294440026627ad86b5812b5bd5e535e6 |
| SHA256 | 9660b3d526da3fe03549ef62b2dfddb3cb6f38e28f084df9e729a3b50e3e076f |
| SHA512 | 2425ade2f9670e1b8303061b0dae6b83d5f8fd686e8ea568d68de20f900e918d0d17b74b5f8e89cf0abf079374bb43c3b9f0ab7d30933abc20dc67f7b9afc443 |
C:\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe
| MD5 | 6bdc999a6baedf655e2445d777cf4eef |
| SHA1 | 09f9372be9f20c9554d352d0571f0c8949b601d5 |
| SHA256 | 51631895140e1927ca33d970f3e49500d4103c048d1a2105f8f0e2a146b927c4 |
| SHA512 | 1f4cd6ed5238ba114c15413251097d952d266f3966bc7ce59aa8c8919f41efb7acc54d291cd5c1336105d1632929ea5c838f981ff13d38606ab03ec4a202d233 |
\Users\Admin\AppData\Local\Temp\Low\GKJAF.exe
| MD5 | c68be1642adc5cb69f48b5a7605984ff |
| SHA1 | 091f7a33e6e0ddca20b5384d82edcf17feed921b |
| SHA256 | 26a05a291545b60e2218a663e3c9d629cdd0e076ec8d7adb2ca03cab80d2f3df |
| SHA512 | 0198b77c624df5639e058e46e92085410bb0f3aca2b45e9ffa9dc26588134755b5e13e213057dd6918f8f2573c214023bd04dc07b68ca329b7e5a440b2f5013f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-21 02:19
Reported
2023-12-21 02:22
Platform
win10v2004-20231215-en
Max time kernel
93s
Max time network
121s
Command Line
Signatures
Mars Stealer
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1664 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe | C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe |
| PID 1664 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe | C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe |
| PID 1664 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe | C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe
"C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3616 -ip 3616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1404
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | moscow-post.ru | udp |
| RU | 185.71.67.60:80 | moscow-post.ru | tcp |
| US | 8.8.8.8:53 | www.moscow-post.ru | udp |
| RU | 185.71.67.60:80 | www.moscow-post.ru | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
| US | 8.8.8.8:53 | 60.67.71.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/1664-1-0x0000000074AB0000-0x0000000075260000-memory.dmp
memory/1664-0-0x0000000000DD0000-0x0000000000E42000-memory.dmp
memory/1664-2-0x0000000005730000-0x0000000005740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe
| MD5 | 5573cff5bae94857755ff999d5a1fc4d |
| SHA1 | 6dbc943031be6f417740923b9eff0d3c849b9c33 |
| SHA256 | dca3d3887c3db7ff5c182a6b50ef126f91c3ca0abdd230a828d7e9cbaf2d418f |
| SHA512 | e0ccaa55a00ab094065184d8fd23a63a2459fdf3c48a67b727afa33e62a2bb144ad3538d42874aa91c46cd72c6af5a472ea897b105412bc9c343d75cb3cb9e9c |
memory/1664-13-0x0000000074AB0000-0x0000000075260000-memory.dmp
memory/3616-12-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe
| MD5 | 061647d33aba9b76568b724b75e51fa6 |
| SHA1 | 42fb62744aa41e2e3c78f6ad9ee690b71c9a019b |
| SHA256 | 6891320b9cf5dbf1278eb5c262a19a977d199666560dab26f920967e3f387474 |
| SHA512 | a606acce217895032688cc2cd88b6cbad5b80fca300b6d29c4f827b49de8732feeeba67678867f3837ca4002870fb20f849619418f2943668b3231e7f1af1628 |
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A6XFCDNE2.exe
| MD5 | ef1851b2ae7fc3b4ab80a821315e4dee |
| SHA1 | a8ff1018247ba559321c66911b58570cfce96d0d |
| SHA256 | 7b2e308b97113a2d055a9fceade992868348ccfb8c5f7e60ec8a5c1f62d02431 |
| SHA512 | ee604386b52e7b9c1ebbf4a35be0d17b7d7d850e5dbc4a15d146ef3b344cb1240a3f6b154e0f8df93df3052d04c0a2f724e20a2e23174a14a24db7a7dc0bb0aa |
memory/3616-15-0x0000000000400000-0x000000000043D000-memory.dmp