Analysis
- max time kernel: 142s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 13:27
Static task
- static1
Behavioral task
- behavioral1: Sample InstallShieldSetup.exe, Resource win7-20231129-en
Behavioral task
- behavioral2: Sample InstallShieldSetup.exe, Resource win10v2004-20231215-en (the task shown in this report)
General
- Target: InstallShieldSetup.exe
- Size: 465KB
- MD5: 1578590b1e0234b07316d604370a087b
- SHA1: ef865b18e16d6a74e38d3aba0d09600d0d450e3e
- SHA256: c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503
- SHA512: 4ab2b5847ca31f07dbdb9d7043d462f8556562f30b23827f8b75bc15b4c57e295d56cc93a71a9ab45468ffd985452c79cd89975d3acd13f1146097687f33b974
- SSDEEP: 12288:YOZQdNMfxzE94hzovW/0NiqjAQeaDVI9VyvSBwoYE6xPqd2cftuw2:YYZqrNiTqaBb
Malware Config
Extracted
- Family: marsstealer
- Config: Default
- C2: www.moscow-post.su/su/wp-content/lozzz.php
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely to geofence execution.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation
    process: InstallShieldSetup.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 2984
    process: LV.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature in this run.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). No IoCs are listed for this signature in this run.
- Program crash (1 IoC)
  The dropped LV.exe (PID 2984) crashed and was handled by WerFault.exe.
  Processes:
    pid: 1456
    pid_target: 2984
    process: WerFault.exe
    target process: LV.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (three identical rows):
    description: PID 5004 wrote to memory of 2984
    pid: 5004
    process: InstallShieldSetup.exe
    target process: LV.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\InstallShieldSetup.exe (PID 5004, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\InstallShieldSetup.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Adobe\LV.exe (PID 2984, depth 2, child of 5004)
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\LV.exe"
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 1456, depth 3, child of 2984)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1380
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4272, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2984 -ip 2984
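The process tree above is the pattern a detection would key on: the parent queries the Geo\Nation registry value, a second EXE appears under %APPDATA%\Roaming and is started as its child, and the parent then calls WriteProcessMemory into that child three times. The following is an added example of detection logic over that pattern, not part of the Tria.ge report or its tooling. The event records are constructed by hand from the rows above; the file_write event attributing the drop of LV.exe to PID 5004 is inferred from the "Executes dropped EXE" signature and the tree rather than from an explicit row, and the event schema (dicts with type/pid/target_pid fields) is an assumption for illustration, not any sandbox's export format.

```python
"""Flag a parent that geofences, drops an EXE into a user-writable path,
starts it as a child, and then writes into that child's memory.

Added example; the events and their schema are constructed to mirror the
Tria.ge signature rows and are not a real sandbox export.
"""
import re
from collections import defaultdict

# Registry value infostealers read to geofence execution (tail of the Geo\Nation key).
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)

# User-writable locations where a dropped payload typically lands.
USER_WRITABLE_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE
)

# Constructed events mirroring the report (schema is an assumption for illustration).
EVENTS = [
    {"type": "process_start", "pid": 5004, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\InstallShieldSetup.exe"},
    {"type": "registry_query", "pid": 5004,
     "key": r"\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation"},
    # Inferred from "Executes dropped EXE": the parent is assumed to have written LV.exe.
    {"type": "file_write", "pid": 5004,
     "path": r"C:\Users\Admin\AppData\Roaming\Adobe\LV.exe"},
    {"type": "process_start", "pid": 2984, "ppid": 5004,
     "image": r"C:\Users\Admin\AppData\Roaming\Adobe\LV.exe"},
    {"type": "write_process_memory", "pid": 5004, "target_pid": 2984},
    {"type": "write_process_memory", "pid": 5004, "target_pid": 2984},
    {"type": "write_process_memory", "pid": 5004, "target_pid": 2984},
    {"type": "process_start", "pid": 1456, "ppid": 2984,
     "image": r"C:\Windows\SysWOW64\WerFault.exe"},
]


def analyze(events):
    """Return one finding per (parent, child) where the parent dropped the child's
    image into a user-writable path, spawned it, and wrote into its memory."""
    images = {}                                   # pid -> image path
    written = defaultdict(set)                    # pid -> lower-cased paths it wrote
    children = defaultdict(set)                   # pid -> child pids
    geo_check = set()                             # pids that read Geo\Nation
    wpm = defaultdict(lambda: defaultdict(int))   # pid -> target pid -> write count

    for ev in events:
        t = ev["type"]
        if t == "process_start":
            images[ev["pid"]] = ev["image"]
            children[ev["ppid"]].add(ev["pid"])
        elif t == "registry_query" and GEO_NATION_RE.search(ev["key"]):
            geo_check.add(ev["pid"])
        elif t == "file_write":
            written[ev["pid"]].add(ev["path"].lower())
        elif t == "write_process_memory":
            wpm[ev["pid"]][ev["target_pid"]] += 1

    findings = []
    for pid, targets in wpm.items():
        for target, count in targets.items():
            img = images.get(target, "")
            dropped = img.lower() in written[pid] and USER_WRITABLE_RE.match(img) is not None
            if dropped and target in children[pid]:
                findings.append({
                    "pid": pid,
                    "target_pid": target,
                    "target_image": img,
                    "wpm_count": count,
                    "geofence_check": pid in geo_check,   # raises confidence, not required
                })
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)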
Network
- No network events are listed for this task.
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\LV.exe (listed first)
  Filesize: 11KB
  MD5: 03580ac9e6ee901bcb8ad382e7085f2b
  SHA1: 368aa6c4e23910c40bee7c190876edd1138c8e23
  SHA256: fe7959e272893fb0873005570c81c3cf1ec957b54575a28a2a3270c88aea2431
  SHA512: f684fe2db9a89ee1b6d3d9afc580b127ed33bbeba533b1561a19606dc58513e1efee429a9641398c4adf2ce97d63886c65355204bea7dd96feb660268ac9b5da
- C:\Users\Admin\AppData\Roaming\Adobe\LV.exe (listed second)
  Filesize: 159KB
  MD5: b1d6d66282771bdaee20f0295991140a
  SHA1: f65c534725a4aa947285ecbb2acf3f5083803152
  SHA256: 9697901177242e9a450aae820687ddbbd13196b5876ec77cdcb663cfbadb0053
  SHA512: af0bd80c0fdb1c336268c1bcdb8b0a05a588a1ded511669f6974b10e19752bed5305fda870a9a1e61be30db14228194f84ec8da74e9836eec3506d0629fe0900
  Two distinct files were captured at this same path during the run (11KB and 159KB); both hash sets are listed, so pivot on both when hunting.
- memory/2984-11-0x0000000000400000-0x000000000043D000-memory.dmp: 244KB
- memory/2984-14-0x0000000000400000-0x000000000043D000-memory.dmp: 244KB
- memory/5004-1-0x0000000074D20000-0x00000000754D0000-memory.dmp: 7.7MB
- memory/5004-0-0x0000000000620000-0x0000000000698000-memory.dmp: 480KB
- memory/5004-12-0x0000000074D20000-0x00000000754D0000-memory.dmp: 7.7MB
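The memory-dump artifact names encode the PID, a snapshot index and the dumped address range. The following is an added example, not the report's own tooling, that parses that pattern, recomputes each region's size to check it against the listed figure, groups snapshots by PID, and flags regions starting at 0x400000, the default image base of a 32-bit PE executable, which is where both dumps of LV.exe (PID 2984, a 32-bit process given that the crash was handled by the SysWOW64 WerFault.exe) sit. The naming scheme "memory/<pid>-<n>-<start>-<end>-memory.dmp" is inferred from these five names and is an assumption.

```python
"""Parse the memory-dump artifact names listed in this report and verify the
listed sizes. Added example; the filename pattern is inferred from the five
names copied below and is an assumption about the naming scheme.
"""
import re
from typing import NamedTuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base for a 32-bit PE executable (the linker's default /BASE for EXEs).
DEFAULT_IMAGE_BASE_X86 = 0x400000


class DumpRegion(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    def human_size(self) -> str:
        """Format like the report: whole KB below 1 MB, one decimal MB above."""
        if self.size < 1024 * 1024:
            return f"{self.size // 1024}KB"
        return f"{self.size / (1024 * 1024):.1f}MB"

    def at_default_image_base(self) -> bool:
        """True when the region starts at 0x400000, i.e. likely the 32-bit PE image."""
        return self.start == DEFAULT_IMAGE_BASE_X86


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump artifact name: {name!r}")
    return DumpRegion(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


# Artifact names and reported sizes copied from the Downloads section above.
REPORTED = {
    "memory/2984-11-0x0000000000400000-0x000000000043D000-memory.dmp": "244KB",
    "memory/2984-14-0x0000000000400000-0x000000000043D000-memory.dmp": "244KB",
    "memory/5004-1-0x0000000074D20000-0x00000000754D0000-memory.dmp": "7.7MB",
    "memory/5004-0-0x0000000000620000-0x0000000000698000-memory.dmp": "480KB",
    "memory/5004-12-0x0000000074D20000-0x00000000754D0000-memory.dmp": "7.7MB",
}


def verify_sizes(reported: dict) -> dict:
    """Return {name: (computed_size_str, matches_listed)} for every artifact."""
    out = {}
    for name, listed in reported.items():
        computed = parse_dump_name(name).human_size()
        out[name] = (computed, computed == listed)
    return out


def regions_by_pid(reported: dict) -> dict:
    """Group parsed regions by PID so repeated snapshots of one range stand out."""
    grouped = {}
    for name in reported:
        region = parse_dump_name(name)
        grouped.setdefault(region.pid, []).append(region)
    return grouped


if __name__ == "__main__":
    for name, (computed, ok) in verify_sizes(REPORTED).items():
        region = parse_dump_name(name)
        base = " (32-bit default image base)" if region.at_default_image_base() else ""
        print(f"{name}: {computed} {'ok' if ok else 'MISMATCH'}{base}")
```

The two PID 2984 dumps (snapshots 11 and 14) cover the identical 0x400000-0x43D000 range, so they are successive images of the same mapped LV.exe module rather than two different regions; the 7.7MB regions of PID 5004 at 0x74D20000 are far too large for the 465KB sample itself and are a loaded module, not the dropper's own image.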