Analysis Overview
SHA256
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
Threat Level: Known bad
The file SENSIXDPANNEL.exe was found to be: Known bad.
Malicious Activity Summary
Mars Stealer
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-23 01:31
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-23 01:31
Reported
2023-12-23 01:33
Platform
win7-20231215-en
Max time kernel
119s
Max time network
120s
Signatures
Mars Stealer
Executes dropped EXE
| Process |
| --- |
| C:\Users\Admin\AppData\Roaming\Adobe\.exe |
Loads dropped DLL
| Process |
| --- |
| C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe |
| C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe |
| C:\Windows\SysWOW64\WerFault.exe |
| C:\Windows\SysWOW64\WerFault.exe |
| C:\Windows\SysWOW64\WerFault.exe |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Process | Target |
| --- | --- |
| C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Adobe\.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"
C:\Users\Admin\AppData\Roaming\Adobe\.exe
"C:\Users\Admin\AppData\Roaming\Adobe\.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 824
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.moscow-post.com | udp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
Files
memory/1056-0-0x0000000000170000-0x00000000001E2000-memory.dmp
memory/1056-1-0x0000000074BF0000-0x00000000752DE000-memory.dmp
memory/1056-2-0x0000000004B90000-0x0000000004BD0000-memory.dmp
\Users\Admin\AppData\Roaming\Adobe\.exe
| MD5 | b01fae57e9956ad948f6b30f3bacb4c6 |
| SHA1 | e08541551fc1f776603e7e188a490e5509a233dd |
| SHA256 | ddf3cc060ba90aadf78ca3a708788e0cd594716a48a1ca4f093d5de75218ab0e |
| SHA512 | c5a42fb0ebd29c9ace1f78d894fce514e22da89a20bc4edf52727e9eccdb63f7ea22a70ce6b0041f9a89206de767622de2a01a3b468db2a565f6273733542600 |
memory/1056-13-0x0000000074BF0000-0x00000000752DE000-memory.dmp
memory/2300-15-0x0000000000400000-0x000000000043D000-memory.dmp
memory/1056-14-0x00000000005A0000-0x00000000005DD000-memory.dmp
memory/1056-12-0x00000000005A0000-0x00000000005DD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\.exe
| MD5 | 7f75315b1d645e72867f5d83b990eab8 |
| SHA1 | cc9a0e6b249ad584aa43a17dbf88fe1f62a2eb1e |
| SHA256 | 31ef1e24f6b1f486263c27fb706417511ee336a73e7d1204f4aeaa7798da1fd4 |
| SHA512 | 0d7639b4ca55c5c602451a6c53967416efcf3d777b930e7da7da810a093619e3490800cebc80d604d53d0d3bd05994d1c7c064e372be2798c88e252466dfc353 |
C:\Users\Admin\AppData\Roaming\Adobe\.exe
| MD5 | 9329efc2923f65682ad6d57cb0da28cf |
| SHA1 | 4b6b23350ff57a1abe80c16e1c313f08ebce5e77 |
| SHA256 | 4f89a33f894ea92306c278b9eb22c05f885b34bb9c5b1aed4c132ae635cb9361 |
| SHA512 | 6fb59cdb7b601b1eacbe9dc45a3d0604e719e9473bb717262e26eace38600c19b15583b41aa6f5c6d8090c13fef5cd0c554dfef36da25a25bfb12d98933c87a0 |
\Users\Admin\AppData\Roaming\Adobe\.exe
| MD5 | 3c57e9525cea310d86bbad48e3277457 |
| SHA1 | c48bc75a699d0d9bd9665cb6aad5f5678224e576 |
| SHA256 | de684730d374ea8eadebeb2dacf0b9eb7e08faf00bf6a2fc6ba00d4f79226faf |
| SHA512 | 21140c9278f6038748197a8c067b50ca0ff864c193205f1c4164bc4539f5608679f7e48604d8f7c0bf0e6a0b5b57f6f9bf23ebbdbab3970aaa210f4bc0a80f90 |
\Users\Admin\AppData\Roaming\Adobe\.exe
| MD5 | 85ad9cda197b8b2f8d60c0b478e4804c |
| SHA1 | 8b8770e95370753c3ea8a8a7447e2c6d7195410f |
| SHA256 | 45fd44f40aae10a76fef2de0c3b1638928b3e519f5b94b26de425864773efde8 |
| SHA512 | 37e1f28e30d4088c04337f7b1832c56d563f7e8af4aa1868e1b888db58a215e5ae88ac8f45d7f6e5da609af9a8459da7daad4e0bf8562205f38330da72ccb040 |
\Users\Admin\AppData\Roaming\Adobe\.exe
| MD5 | c9619677aa632f49be7e512f6d0e9b69 |
| SHA1 | ede7cb1e75980a85d9d01a97801dcedf4c900e4c |
| SHA256 | 54beb3a3e6d4f8b1a9405e3cc3bcfd4867a694a8eb909169ceeb63833370e2fc |
| SHA512 | 0656eed948b2c1e02b3c96d6c32f298fcfc8f50b5951cb578ef792502da55e1ade245f41c844973dce1c2c1cdc29269911e85bcfec872cc8af68cbdf5a029523 |
\Users\Admin\AppData\Roaming\Adobe\.exe
| MD5 | 9c7e90f4ef398c80944b3c61a10ab4cc |
| SHA1 | 50214ec16ded8d4c2bf325b10ca3527998f0a125 |
| SHA256 | 89be043eb7050ad61cb923a4892dc3f6310ff0f7f9c64e73e6f8155e248291b9 |
| SHA512 | 18428a6c3f8f04989280265dc9521513be4131e641653150e71ffc39e7f69d718779230a6c7e90cf2932e61903a5575812f27cef88d11ecaeb671c8b1c409a27 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-23 01:31
Reported
2023-12-23 01:33
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
142s
Signatures
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| IE | 20.223.36.55:443 | | tcp |
| IE | 20.223.36.55:443 | | tcp |
| IE | 20.223.36.55:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 88.221.135.211:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
Files
memory/2404-0-0x0000000000AB0000-0x0000000000B22000-memory.dmp
memory/2404-1-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/2404-2-0x0000000005540000-0x0000000005550000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Low\FJS03J.exe
| MD5 | 8bbc9791cb2a5b186ad6839577813f66 |
| SHA1 | cbed80e6842ec8eb6a901a41b628f436a24231bf |
| SHA256 | a4cce6ce384422d18d48738a8b2b84c93424214484e1b01a454834f52be905ee |
| SHA512 | 7ec4df4dcae21c57e4a990d238de43676732f12164b6f4db6680c2425c1b49a2cc509153abd9f332c00e1a0eb57bcbe33b75137e06d779845a4256e9ef541453 |
memory/2404-8-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/2404-9-0x0000000005540000-0x0000000005550000-memory.dmp
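The two detonations differ sharply. On Windows 7 (behavioral1) the sample dropped and ran the payload, triggered the Mars Stealer and browser-profile signatures, and resolved and connected to www.moscow-post.com and www.moscow-post.su at 185.71.67.60:80. On Windows 10 (behavioral2) it only enumerated storage devices, contacted none of those hosts, and the network table is reverse DNS lookups, Bing hostnames and unnamed connections that read as OS background traffic rather than stealer activity. The script below is an added example, not part of the sandbox report, that parses the report's own pipe tables into per-run IOC sets so the two runs can be compared mechanically. `REPORT_SNIPPET` is a verbatim subset of the tables on this page (the remaining hash blocks and network rows parse the same way); it deliberately includes rows whose Domain cell was lost during extraction, so the parser has to cope with the protocol sliding into the Domain column.

```python
"""Pull network and file IOCs out of the pipe tables in this report.

Added example, not part of the sandbox report.  REPORT_SNIPPET is a subset
of the report's own tables copied verbatim, including two rows whose Domain
cell was lost during extraction (the protocol slid into the Domain column).
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

REPORT_SNIPPET = r"""
Analysis: behavioral1
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.moscow-post.com | udp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
\Users\Admin\AppData\Roaming\Adobe\.exe
| MD5 | b01fae57e9956ad948f6b30f3bacb4c6 |
| SHA1 | e08541551fc1f776603e7e188a490e5509a233dd |
| SHA256 | ddf3cc060ba90aadf78ca3a708788e0cd594716a48a1ca4f093d5de75218ab0e |
C:\Users\Admin\AppData\Roaming\Adobe\.exe
| MD5 | 7f75315b1d645e72867f5d83b990eab8 |
| SHA256 | 31ef1e24f6b1f486263c27fb706417511ee336a73e7d1204f4aeaa7798da1fd4 |
Analysis: behavioral2
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | udp | |
| IE | 20.223.36.55:443 | tcp | |
"""

IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
PROTOS = {"tcp", "udp"}


def split_row(line: str) -> Optional[List[str]]:
    """Cells of a '| a | b |' row, or None for any other line."""
    line = line.strip()
    if not (line.startswith("|") and line.endswith("|")):
        return None
    return [c.strip() for c in line[1:-1].split("|")]


def parse_report(text: str) -> Dict[str, dict]:
    """Group rows under each 'Analysis: <run>' heading into DNS names, connections and hashes."""
    runs = defaultdict(lambda: {"dns": set(), "conns": set(),
                                "hashes": defaultdict(set)})
    run = None
    for line in text.splitlines():
        head = re.match(r"^Analysis:\s*(\S+)", line.strip())
        if head:
            run = head.group(1)
            continue
        cells = split_row(line)
        if not cells or run is None:
            continue
        ipm = IP_PORT.match(cells[1]) if len(cells) == 4 else None
        if ipm:
            # Proto may have slid into the Domain column when the domain was empty.
            proto = next((c.lower() for c in cells[2:] if c.lower() in PROTOS), None)
            domain = next((c for c in cells[2:] if c and c.lower() not in PROTOS), "")
            ip, port = ipm.group(1), int(ipm.group(2))
            if proto == "udp" and port == 53:
                runs[run]["dns"].add(domain)      # a DNS query to the sandbox resolver
            elif proto:
                runs[run]["conns"].add((ip, port, domain))
        elif len(cells) == 2 and cells[0].lower() in HASH_LEN:
            algo, value = cells[0].lower(), cells[1].lower()
            if len(value) == HASH_LEN[algo] and re.fullmatch(r"[0-9a-f]+", value):
                runs[run]["hashes"][algo].add(value)
    return runs


def is_reverse_lookup(name: str) -> bool:
    low = name.lower()
    return low.endswith(".in-addr.arpa") or low.endswith(".ip6.arpa")


def network_iocs(run: dict) -> Tuple[Set[str], Set[str]]:
    """Hostnames and IPs worth a lookup: drops reverse lookups and nameless DNS rows."""
    names = {d for d in run["dns"] if d and not is_reverse_lookup(d)}
    names |= {dom for _, _, dom in run["conns"] if dom}
    ips = {ip for ip, _, _ in run["conns"]}
    return names, ips


if __name__ == "__main__":
    for name, run in parse_report(REPORT_SNIPPET).items():
        names, ips = network_iocs(run)
        print(name, sorted(names), sorted(ips), sorted(run["hashes"]["sha256"]))
```

Hash rows are validated by length and hex alphabet before being accepted, which guards against a truncated or wrapped digest being pushed into a blocklist. The reverse-lookup filter removes the `in-addr.arpa` rows that dominate the Windows 10 run; the Bing hostnames and unnamed TCP connections that remain are kept, but they should be judged against the fact that behavioral2 fired none of the stealer signatures.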