Analysis
Max time kernel: 119s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 23-12-2023 01:31
Static task: static1
Behavioral task: behavioral1 (sample SENSIXDPANNEL.exe, resource win7-20231215-en)
Behavioral task: behavioral2 (sample SENSIXDPANNEL.exe, resource win10v2004-20231215-en)
General
Target: SENSIXDPANNEL.exe
Size: 433KB
MD5: 40cf5b7e5c505da78a7f66d2950effbf
SHA1: abf961c5b9fae57411a195a00b4c7093d2fe0bc4
SHA256: 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
SHA512: 08cbfc073c2d0f63a9b2711a81dd30809cb87eb2310ffd5b2a582a1e9ca0ebd5956093e83453310cba25a403aa28bf7cfcb3725a017188d48e66cccccb190bc5
SSDEEP: 12288:pyVG1u73Do/eGm5uRWlgfS7BCag7MJQIGhJNsx61V0wrY4FS9:IGS6WRN+JGxS
Malware Config
Extracted family: marsstealer
Config: Default
Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.

Executes dropped EXE (1 IoC)
Processes (pid, process):
  2300 .exe

Loads dropped DLL (5 IoCs)
Processes (pid, process):
  1056 SENSIXDPANNEL.exe
  1056 SENSIXDPANNEL.exe
  3016 WerFault.exe
  3016 WerFault.exe
  3016 WerFault.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes (pid, pid_target, process, target process):
  3016 2300 WerFault.exe .exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
  PID 1056 wrote to memory of 2300: 1056 SENSIXDPANNEL.exe -> .exe
  PID 1056 wrote to memory of 2300: 1056 SENSIXDPANNEL.exe -> .exe
  PID 1056 wrote to memory of 2300: 1056 SENSIXDPANNEL.exe -> .exe
  PID 1056 wrote to memory of 2300: 1056 SENSIXDPANNEL.exe -> .exe
  PID 2300 wrote to memory of 3016: 2300 .exe -> WerFault.exe
  PID 2300 wrote to memory of 3016: 2300 .exe -> WerFault.exe
  PID 2300 wrote to memory of 3016: 2300 .exe -> WerFault.exe
  PID 2300 wrote to memory of 3016: 2300 .exe -> WerFault.exe
Processes (process tree, depth 1 to 3)

1. C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"
   PID: 1056
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Adobe\.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Adobe\.exe"
      PID: 2300
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 824
         PID: 3016
         - Loads dropped DLL
         - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped files

File: C:\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize: 84KB
MD5: 9329efc2923f65682ad6d57cb0da28cf
SHA1: 4b6b23350ff57a1abe80c16e1c313f08ebce5e77
SHA256: 4f89a33f894ea92306c278b9eb22c05f885b34bb9c5b1aed4c132ae635cb9361
SHA512: 6fb59cdb7b601b1eacbe9dc45a3d0604e719e9473bb717262e26eace38600c19b15583b41aa6f5c6d8090c13fef5cd0c554dfef36da25a25bfb12d98933c87a0

File: C:\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize: 63KB
MD5: 7f75315b1d645e72867f5d83b990eab8
SHA1: cc9a0e6b249ad584aa43a17dbf88fe1f62a2eb1e
SHA256: 31ef1e24f6b1f486263c27fb706417511ee336a73e7d1204f4aeaa7798da1fd4
SHA512: 0d7639b4ca55c5c602451a6c53967416efcf3d777b930e7da7da810a093619e3490800cebc80d604d53d0d3bd05994d1c7c064e372be2798c88e252466dfc353

File: \Users\Admin\AppData\Roaming\Adobe\.exe
Filesize: 132KB
MD5: 9c7e90f4ef398c80944b3c61a10ab4cc
SHA1: 50214ec16ded8d4c2bf325b10ca3527998f0a125
SHA256: 89be043eb7050ad61cb923a4892dc3f6310ff0f7f9c64e73e6f8155e248291b9
SHA512: 18428a6c3f8f04989280265dc9521513be4131e641653150e71ffc39e7f69d718779230a6c7e90cf2932e61903a5575812f27cef88d11ecaeb671c8b1c409a27

File: \Users\Admin\AppData\Roaming\Adobe\.exe
Filesize: 75KB
MD5: 85ad9cda197b8b2f8d60c0b478e4804c
SHA1: 8b8770e95370753c3ea8a8a7447e2c6d7195410f
SHA256: 45fd44f40aae10a76fef2de0c3b1638928b3e519f5b94b26de425864773efde8
SHA512: 37e1f28e30d4088c04337f7b1832c56d563f7e8af4aa1868e1b888db58a215e5ae88ac8f45d7f6e5da609af9a8459da7daad4e0bf8562205f38330da72ccb040

File: \Users\Admin\AppData\Roaming\Adobe\.exe
Filesize: 116KB
MD5: c9619677aa632f49be7e512f6d0e9b69
SHA1: ede7cb1e75980a85d9d01a97801dcedf4c900e4c
SHA256: 54beb3a3e6d4f8b1a9405e3cc3bcfd4867a694a8eb909169ceeb63833370e2fc
SHA512: 0656eed948b2c1e02b3c96d6c32f298fcfc8f50b5951cb578ef792502da55e1ade245f41c844973dce1c2c1cdc29269911e85bcfec872cc8af68cbdf5a029523

File: \Users\Admin\AppData\Roaming\Adobe\.exe
Filesize: 48KB
MD5: b01fae57e9956ad948f6b30f3bacb4c6
SHA1: e08541551fc1f776603e7e188a490e5509a233dd
SHA256: ddf3cc060ba90aadf78ca3a708788e0cd594716a48a1ca4f093d5de75218ab0e
SHA512: c5a42fb0ebd29c9ace1f78d894fce514e22da89a20bc4edf52727e9eccdb63f7ea22a70ce6b0041f9a89206de767622de2a01a3b468db2a565f6273733542600

File: \Users\Admin\AppData\Roaming\Adobe\.exe
Filesize: 83KB
MD5: 3c57e9525cea310d86bbad48e3277457
SHA1: c48bc75a699d0d9bd9665cb6aad5f5678224e576
SHA256: de684730d374ea8eadebeb2dacf0b9eb7e08faf00bf6a2fc6ba00d4f79226faf
SHA512: 21140c9278f6038748197a8c067b50ca0ff864c193205f1c4164bc4539f5608679f7e48604d8f7c0bf0e6a0b5b57f6f9bf23ebbdbab3970aaa210f4bc0a80f90

Memory dumps (file, filesize)
  memory/1056-14-0x00000000005A0000-0x00000000005DD000-memory.dmp  244KB
  memory/1056-12-0x00000000005A0000-0x00000000005DD000-memory.dmp  244KB
  memory/1056-13-0x0000000074BF0000-0x00000000752DE000-memory.dmp  6.9MB
  memory/1056-0-0x0000000000170000-0x00000000001E2000-memory.dmp   456KB
  memory/1056-2-0x0000000004B90000-0x0000000004BD0000-memory.dmp   256KB
  memory/1056-1-0x0000000074BF0000-0x00000000752DE000-memory.dmp   6.9MB
  memory/2300-15-0x0000000000400000-0x000000000043D000-memory.dmp  244KB