Analysis
Max time kernel: 117s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 22-12-2023 13:27
Static task: static1
Behavioral task: behavioral1
  Sample: InstallShieldSetup.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: InstallShieldSetup.exe
  Resource: win10v2004-20231215-en
General
Target: InstallShieldSetup.exe
Size: 465KB
MD5: 1578590b1e0234b07316d604370a087b
SHA1: ef865b18e16d6a74e38d3aba0d09600d0d450e3e
SHA256: c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503
SHA512: 4ab2b5847ca31f07dbdb9d7043d462f8556562f30b23827f8b75bc15b4c57e295d56cc93a71a9ab45468ffd985452c79cd89975d3acd13f1146097687f33b974
SSDEEP: 12288:YOZQdNMfxzE94hzovW/0NiqjAQeaDVI9VyvSBwoYE6xPqd2cftuw2:YYZqrNiTqaBb
Malware Config
Extracted: marsstealer (Default)
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2884 6AN3PYFOS7.exe
- Loads dropped DLL (8 IoCs)
  Processes (pid, process):
    2520 InstallShieldSetup.exe (2 entries)
    2884 6AN3PYFOS7.exe (3 entries)
    2640 WerFault.exe (3 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
    2640 2884 WerFault.exe 6AN3PYFOS7.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
    PID 2520 wrote to memory of 2884 | 2520 | InstallShieldSetup.exe | 6AN3PYFOS7.exe (7 entries)
    PID 2884 wrote to memory of 2640 | 2884 | 6AN3PYFOS7.exe | WerFault.exe (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\InstallShieldSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\InstallShieldSetup.exe"
  PID: 2520
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
    Command line: "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe"
    PID: 2884
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 872
      PID: 2640
      Signatures: Loads dropped DLL; Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- \ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
  Filesize: 132KB
  MD5: 3a6f69ecc4b0744752283451b49147a9
  SHA1: ffa66b1daa062220ebf68639a374f24f924a60d2
  SHA256: 22949ed85e66d19c8691e20ae79130490e1bc1ce97f98f7ef89216783b66575a
  SHA512: c99a450a0aa8ca580664e1bfb59a0ddbd6fc3b0e14485604b94b9ce65470a38176b0889026965fb9c471d6b28913436ded62dd5ee17977863b83eadab7fad81d
- \ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
  Filesize: 98KB
  MD5: 76114abaeb8a77411d560762e93a6156
  SHA1: 53314096bb9a6a52271a3704d1d0efd167b9c5ec
  SHA256: 5f87c144c6c074fc4846dd305c89a3e777f5f7174616f96363b91ca37e9b92b4
  SHA512: af3f712624dcfba098d47f3c3a2ed49d82d0beb70b6edb68e17c0466e104a1c0e2d4ac2b8f7ad800ee36d8d209e0107b3f350fabf63b03045cf6ead5191ceb40
- \ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
  Filesize: 83KB
  MD5: 15ec45c17d8afc555714938aabb365a5
  SHA1: b2d500c2baf6e2dd6c50ffb66ff349ed9b815336
  SHA256: a1b5b3284d406409ac59329ca76ac5a25dd07e250c39308c59dbcf71bd791016
  SHA512: c9c36b79e8dce06500aa4ea41491242a136061274ebe9dd6cac0eb5925b7310c67cce5195169a9832df91feb31d7683d10e15b70cb0f920323640640a8632eec
- \ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
  Filesize: 59KB
  MD5: e3ca4b5c5e173076ce7d6b621f410959
  SHA1: cdf9c72371623e59c542580a36b0b5e6d60f2613
  SHA256: ab1edfbdba76bfe249a6fca3ae79eb8779946414c2dfd52afa9b8f1d27b728de
  SHA512: 2852eec3cf050a370af047882eab6049e861575459da9dc2dfdd4feb50a12c09ebc3bc33eed3a306c9c04a9494f2b653c1b4326db009811ab0581e0bc60744f9
- \ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\6AN3PYFOS7.exe
  Filesize: 159KB
  MD5: b1d6d66282771bdaee20f0295991140a
  SHA1: f65c534725a4aa947285ecbb2acf3f5083803152
  SHA256: 9697901177242e9a450aae820687ddbbd13196b5876ec77cdcb663cfbadb0053
  SHA512: af0bd80c0fdb1c336268c1bcdb8b0a05a588a1ded511669f6974b10e19752bed5305fda870a9a1e61be30db14228194f84ec8da74e9836eec3506d0629fe0900
- memory/2520-0-0x0000000000800000-0x0000000000878000-memory.dmp
  Filesize: 480KB
- memory/2520-15-0x00000000028C0000-0x00000000028FD000-memory.dmp
  Filesize: 244KB
- memory/2520-10-0x00000000028C0000-0x00000000028FD000-memory.dmp
  Filesize: 244KB
- memory/2884-16-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/2884-17-0x0000000000230000-0x000000000026D000-memory.dmp
  Filesize: 244KB