Analysis
- max time kernel: 4s
- max time network: 26s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2023 01:31
Static task: static1
Behavioral task: behavioral1
  Sample: SENSIXDPANNEL.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: SENSIXDPANNEL.exe
  Resource: win10v2004-20231215-en
General
- Target: SENSIXDPANNEL.exe
- Size: 433KB
- MD5: 40cf5b7e5c505da78a7f66d2950effbf
- SHA1: abf961c5b9fae57411a195a00b4c7093d2fe0bc4
- SHA256: 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
- SHA512: 08cbfc073c2d0f63a9b2711a81dd30809cb87eb2310ffd5b2a582a1e9ca0ebd5956093e83453310cba25a403aa28bf7cfcb3725a017188d48e66cccccb190bc5
- SSDEEP: 12288:pyVG1u73Do/eGm5uRWlgfS7BCag7MJQIGhJNsx61V0wrY4FS9:IGS6WRN+JGxS
Malware Config
Extracted: marsstealer (Default)
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
  pid   pid_target  process       target process
  2752  2416        WerFault.exe  PILYWFC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe (depth 1, PID 2184)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"
  - C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe (depth 2, PID 2416)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe"
    - C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 2752)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 828
      Signature: Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
  Filesize: 65KB
  MD5: dbe8d41f1fe8543a6ffde86a05caf62a
  SHA1: 6b18f94713e68fa0eaaa950eee3b50e582119f90
  SHA256: 70638070d2a7c70a4e454524234f27a46f44eb1449edfddd99fad23fd00a5056
  SHA512: 0858c532830d198991d4ce5c02747c35c3d78c31902e355b734fd71c52f732fea1c2eed671a4fd38410d550b6f50ce0d300e36f4a7e52887ad6d5fe05787efd9
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
  Filesize: 45KB
  MD5: 1495c5521e75f7235bf1715e32e7fb19
  SHA1: fdfc9293a952b7c6797e4433bcb52e26bbe3bbc4
  SHA256: ebcd40526d25ea6600182a546fe139a46bc7ed44b58ac05ffd4902386907eee6
  SHA512: 8303dfb4019a730c6b16e5025aaf944c0fd5877b84f9356195d0855ea0a63ee5d176534e7d9372502772d99077d971e5f78487ae9aa7181a38c21374a6fce9c6
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
  Filesize: 45KB
  MD5: 68e10056560c6f8220ce866212e2c690
  SHA1: 43ee64451b88ee8895d6aeeb5e31c0e65ed0c1d8
  SHA256: aab8951659d05520a6c0b3ca1453331b7f2c783ea9ff287be4362a90adf42334
  SHA512: 07d22ac4c18e67d15f33d754dae1f2695b04b6e9430026669918fe2f9ca7bb9b680a7a42d6ca7f5d501097ca25dc474439ed763fd2f2d93489ed73ad90761f63
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
  Filesize: 76KB
  MD5: 9d6f9e4dc4e290d142af16efaab065e6
  SHA1: c94cad7c2ea1d10a0ec21445181633d598cf15c9
  SHA256: cdff71482c5a1bf8d90f51e0144c59ed8d40ece41f76eefa748f437aac3e0f4b
  SHA512: 858fab2b2d6b5c5a4d6380826cf9fdb74e810de4070b663f3197fc66b14cdede6e96dc1ad035069a6d0938fa6d3c4b02ebb143e53aecbac9af93badf6d60dfce
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
  Filesize: 100KB
  MD5: 779bc23c1e13c1b409d464bb986720a0
  SHA1: c8e81a0fdaca96a8566ff9ea2614d42ccc701b07
  SHA256: 4c0e6994cedf121de14548a4bebb88434d1409dfff4264dbfc0712653f742a95
  SHA512: bb5e5c3c46d72156b8f57acfbcfa76da0bac70a9f135811698c2694358a30a5a90d11226fec96c0d869523346c1a9167054b3b94d39b08bda6e0045abb0bfbff
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
  Filesize: 1KB
  MD5: 8c8036e9c04c7e42d89c6998d8f61c6a
  SHA1: c3250296ef600e94cf6bc78d8e480d2612f04dc4
  SHA256: 8ce843ed80779311e49896473c0080be7362175fd59d451c23567cba4896fa49
  SHA512: ae20fc2adf3255b6f53763c380328d971b458e791cde4d0f24ae4cd3139338c4b5553d5344ede5c542a73d3669e63e527f095e5e381276f562d5d39cc504cc99
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
  Filesize: 7KB
  MD5: 45ba92f9204b213b4cd030f533161239
  SHA1: 4f5358a5a43fb93ce3213310cad8f557997278fa
  SHA256: a2124651bc70ffdba771d55a30fb97351d312487e40f9af90cce41e0975241c2
  SHA512: c3bd5a0ccce37e9a9375c6191e07b2f53f2ec66310dd33625731008959266fe3650ce6dcd5c9c287b02b4fbfee7a490424a3cb5666268d8a8ee200c4dbc06a8e
- memory/2184-2-0x0000000001EB0000-0x0000000001EF0000-memory.dmp
  Filesize: 256KB
- memory/2184-0-0x0000000000050000-0x00000000000C2000-memory.dmp
  Filesize: 456KB
- memory/2184-12-0x0000000001EF0000-0x0000000001F2D000-memory.dmp
  Filesize: 244KB
- memory/2184-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp
  Filesize: 6.9MB
- memory/2184-14-0x00000000747B0000-0x0000000074E9E000-memory.dmp
  Filesize: 6.9MB
- memory/2416-13-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB