Analysis Overview
SHA256
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
Threat Level: Known bad
The file SENSIXDPANNEL.exe was found to be: Known bad.
Malicious Activity Summary
Mars Stealer
Unsigned PE
Enumerates physical storage devices
Program crash
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-23 01:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-23 01:31
Reported
2023-12-23 01:40
Platform
win7-20231215-en
Max time kernel
4s
Max time network
26s
Command Line
Signatures
Mars Stealer
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 828
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.moscow-post.com | udp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
Files
memory/2184-0-0x0000000000050000-0x00000000000C2000-memory.dmp
memory/2184-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp
memory/2184-2-0x0000000001EB0000-0x0000000001EF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
| MD5 | 1495c5521e75f7235bf1715e32e7fb19 |
| SHA1 | fdfc9293a952b7c6797e4433bcb52e26bbe3bbc4 |
| SHA256 | ebcd40526d25ea6600182a546fe139a46bc7ed44b58ac05ffd4902386907eee6 |
| SHA512 | 8303dfb4019a730c6b16e5025aaf944c0fd5877b84f9356195d0855ea0a63ee5d176534e7d9372502772d99077d971e5f78487ae9aa7181a38c21374a6fce9c6 |
memory/2184-12-0x0000000001EF0000-0x0000000001F2D000-memory.dmp
memory/2416-13-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
| MD5 | dbe8d41f1fe8543a6ffde86a05caf62a |
| SHA1 | 6b18f94713e68fa0eaaa950eee3b50e582119f90 |
| SHA256 | 70638070d2a7c70a4e454524234f27a46f44eb1449edfddd99fad23fd00a5056 |
| SHA512 | 0858c532830d198991d4ce5c02747c35c3d78c31902e355b734fd71c52f732fea1c2eed671a4fd38410d550b6f50ce0d300e36f4a7e52887ad6d5fe05787efd9 |
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
| MD5 | 45ba92f9204b213b4cd030f533161239 |
| SHA1 | 4f5358a5a43fb93ce3213310cad8f557997278fa |
| SHA256 | a2124651bc70ffdba771d55a30fb97351d312487e40f9af90cce41e0975241c2 |
| SHA512 | c3bd5a0ccce37e9a9375c6191e07b2f53f2ec66310dd33625731008959266fe3650ce6dcd5c9c287b02b4fbfee7a490424a3cb5666268d8a8ee200c4dbc06a8e |
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
| MD5 | 8c8036e9c04c7e42d89c6998d8f61c6a |
| SHA1 | c3250296ef600e94cf6bc78d8e480d2612f04dc4 |
| SHA256 | 8ce843ed80779311e49896473c0080be7362175fd59d451c23567cba4896fa49 |
| SHA512 | ae20fc2adf3255b6f53763c380328d971b458e791cde4d0f24ae4cd3139338c4b5553d5344ede5c542a73d3669e63e527f095e5e381276f562d5d39cc504cc99 |
memory/2184-14-0x00000000747B0000-0x0000000074E9E000-memory.dmp
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
| MD5 | 9d6f9e4dc4e290d142af16efaab065e6 |
| SHA1 | c94cad7c2ea1d10a0ec21445181633d598cf15c9 |
| SHA256 | cdff71482c5a1bf8d90f51e0144c59ed8d40ece41f76eefa748f437aac3e0f4b |
| SHA512 | 858fab2b2d6b5c5a4d6380826cf9fdb74e810de4070b663f3197fc66b14cdede6e96dc1ad035069a6d0938fa6d3c4b02ebb143e53aecbac9af93badf6d60dfce |
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
| MD5 | 68e10056560c6f8220ce866212e2c690 |
| SHA1 | 43ee64451b88ee8895d6aeeb5e31c0e65ed0c1d8 |
| SHA256 | aab8951659d05520a6c0b3ca1453331b7f2c783ea9ff287be4362a90adf42334 |
| SHA512 | 07d22ac4c18e67d15f33d754dae1f2695b04b6e9430026669918fe2f9ca7bb9b680a7a42d6ca7f5d501097ca25dc474439ed763fd2f2d93489ed73ad90761f63 |
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\PILYWFC.exe
| MD5 | 779bc23c1e13c1b409d464bb986720a0 |
| SHA1 | c8e81a0fdaca96a8566ff9ea2614d42ccc701b07 |
| SHA256 | 4c0e6994cedf121de14548a4bebb88434d1409dfff4264dbfc0712653f742a95 |
| SHA512 | bb5e5c3c46d72156b8f57acfbcfa76da0bac70a9f135811698c2694358a30a5a90d11226fec96c0d869523346c1a9167054b3b94d39b08bda6e0045abb0bfbff |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-23 01:31
Reported
2023-12-23 01:41
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
34s
Command Line
Signatures
Mars Stealer
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Adobe\NY.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"
C:\Users\Admin\AppData\Roaming\Adobe\NY.exe
"C:\Users\Admin\AppData\Roaming\Adobe\NY.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1816 -ip 1816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1368
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
Files
memory/3332-1-0x0000000074C40000-0x00000000753F0000-memory.dmp
memory/3332-2-0x0000000005500000-0x0000000005510000-memory.dmp
memory/3332-0-0x0000000000B80000-0x0000000000BF2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\NY.exe
| MD5 | 9fe9ad9271d89f6893111cad105803c9 |
| SHA1 | 4032d9c8d57580c6f78c389b90a78719b3257086 |
| SHA256 | c547dbfb49ff140f95c960d1bb14979f4bddaf83fd2fae8d941aebe377f2ef9e |
| SHA512 | 05aaf652625da4be1914b23f00b94998c1546b45caaa1f71ba3f504e717af34062fd6f3a5487e36511e90a9dc2077babcedf43a05a4b8ad08d12e7483f0120ad |
memory/3332-13-0x0000000074C40000-0x00000000753F0000-memory.dmp
memory/1816-12-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\NY.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Adobe\NY.exe
| MD5 | c99b297ae587a31fec6551ee74ac9029 |
| SHA1 | 49544a1e76e7a585c968a9637f18035c1a83c59c |
| SHA256 | 428d0a7f6f03f5fdc2ba4754cede4afad4646b06c4fd6f24dcf9ff38f188c4e8 |
| SHA512 | 5b1dd0c6a65376dd0dbc2a848580c9b4c06ff52a50b9c5109e695766de7b1ff1da74a75f05b24aae4e2947c49493e4dbb92ea36b7286b8c1e954c0bda176d0cd |
memory/1816-15-0x0000000000400000-0x000000000043D000-memory.dmp