Analysis Overview
SHA256
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
Threat Level: Known bad
The file SENSIXDPANNEL.exe was found to be: Known bad.
Malicious Activity Summary
Mars Stealer
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-23 01:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-23 01:33
Reported
2023-12-23 01:36
Platform
win10v2004-20231215-en
Max time kernel
1s
Max time network
52s
Command Line
Signatures
Mars Stealer
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Adobe\L.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"
C:\Users\Admin\AppData\Roaming\Adobe\L.exe
"C:\Users\Admin\AppData\Roaming\Adobe\L.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4844 -ip 4844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1368
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.moscow-post.com | udp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| US | 8.8.8.8:53 | 60.67.71.185.in-addr.arpa | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
Files
memory/2116-1-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/2116-2-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/2116-0-0x0000000000170000-0x00000000001E2000-memory.dmp
memory/4844-12-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2116-13-0x0000000074930000-0x00000000750E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\L.exe
| MD5 | 3b3d7a4500761ca84d9d060c3b77437d |
| SHA1 | 74d7fba2cfdbe34191c2fe1aa36b7ed3995279cc |
| SHA256 | bd4650300f929ea8c6442c3574a6629bc86a3edb1a39778559328894bca2be34 |
| SHA512 | 16f8a79214c167aa063e081083843d5af0c71281fd1b047e87e061d1b864f919c0b51c65b165f6f293eb0839023f7befee3413143c84d82f433efe145350dfae |
C:\Users\Admin\AppData\Roaming\Adobe\L.exe
| MD5 | c5d74382ca1e73f71acb2a84b5c8e57d |
| SHA1 | 21d83e38b948c9e172fb2c46df2837f1885053b9 |
| SHA256 | 7dbe7ad3e376025592e7e3c1bfe032c0c2e8ef9cc5012e3dc571ad3fd525e06c |
| SHA512 | 5d6497d93d719d753f17cb7e0b26216dcea90270d01b314324374a5302d06c483f04541316cec0d9305b03a5fd3e0048ea7d4dcb3478dfec51baf1cf3273a437 |
C:\Users\Admin\AppData\Roaming\Adobe\L.exe
| MD5 | 779bc23c1e13c1b409d464bb986720a0 |
| SHA1 | c8e81a0fdaca96a8566ff9ea2614d42ccc701b07 |
| SHA256 | 4c0e6994cedf121de14548a4bebb88434d1409dfff4264dbfc0712653f742a95 |
| SHA512 | bb5e5c3c46d72156b8f57acfbcfa76da0bac70a9f135811698c2694358a30a5a90d11226fec96c0d869523346c1a9167054b3b94d39b08bda6e0045abb0bfbff |
memory/4844-15-0x0000000000400000-0x000000000043D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-23 01:33
Reported
2023-12-23 01:36
Platform
win7-20231129-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Identities\Q6O.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Identities\Q6O.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe
"C:\Users\Admin\AppData\Local\Temp\SENSIXDPANNEL.exe"
C:\Users\Admin\AppData\Roaming\Identities\Q6O.exe
"C:\Users\Admin\AppData\Roaming\Identities\Q6O.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 652
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.moscow-post.com | udp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
Files
memory/2380-0-0x00000000003A0000-0x0000000000412000-memory.dmp
memory/2380-1-0x0000000074470000-0x0000000074B5E000-memory.dmp
memory/2380-2-0x00000000002E0000-0x0000000000320000-memory.dmp
C:\Users\Admin\AppData\Roaming\Identities\Q6O.exe
| MD5 | 53eb0bcc17ccf65660a7266e3287ebd6 |
| SHA1 | c4f2201da904be4882a104d6a291f70aebefb0a6 |
| SHA256 | 7a391340b6677f74bcf896b5cc16a470543e2a384049df47949038df5e770df1 |
| SHA512 | 2c6e157e34721fdc1fb17db73423afbcda9c9c45d61376a220c353a9af73c8aa7237525b4a15d55864762fc07868ab2f71c801a87d0a2cd60cae0fb49c4fbbaa |
memory/2380-14-0x0000000074470000-0x0000000074B5E000-memory.dmp
memory/2380-13-0x0000000000830000-0x000000000086D000-memory.dmp
memory/2380-11-0x0000000000830000-0x000000000086D000-memory.dmp
\Users\Admin\AppData\Roaming\Identities\Q6O.exe
| MD5 | 8046876e5ddd312a8db0ee0c2f32a7c2 |
| SHA1 | 23cd68da79a408a8e5ea7563aa2b6a1ce3292adc |
| SHA256 | 6a888025e13e27cad83d36fbefa150c60d1b72ac446679ab0d60c10a5f2fb56a |
| SHA512 | 6180cd34a5f85d5ed7feb283eab1e24058ca6626eb28331b480d74b6c3a7d59c361a2dd8a87a955bbecf4cba03c7ebc6739b80c9e3d2aaede76df270870e57df |
\Users\Admin\AppData\Roaming\Identities\Q6O.exe
| MD5 | 7275bc46df8eb2f63511eb21818eb1a2 |
| SHA1 | 8df17cbe3bce27d2f03f881f05c4647ef429d4db |
| SHA256 | 34f96b9591b0f1eace40b64eeebd3cfdb78e28b40fbfb8ad43bcab2be8a89c6e |
| SHA512 | 3431049c82907427635e2b8ec7fdffc0430b495cfe1896b4e1c74f9720299aca3c4bbdb8dcdaa118c327d1b635029affa5050d7a264fd59ddf89e69b35b3e971 |