Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2023 01:09
Static task: static1
Behavioral task: behavioral1
  Sample: c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe
  Resource: win10v2004-20231215-en
General
- Target: c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe
- Size: 465KB
- MD5: 1578590b1e0234b07316d604370a087b
- SHA1: ef865b18e16d6a74e38d3aba0d09600d0d450e3e
- SHA256: c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503
- SHA512: 4ab2b5847ca31f07dbdb9d7043d462f8556562f30b23827f8b75bc15b4c57e295d56cc93a71a9ab45468ffd985452c79cd89975d3acd13f1146097687f33b974
- SSDEEP: 12288:YOZQdNMfxzE94hzovW/0NiqjAQeaDVI9VyvSBwoYE6xPqd2cftuw2:YYZqrNiTqaBb
Malware Config
Extracted
marsstealer
Default
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    3068  .exe
- Loads dropped DLL (5 IoCs)
  Processes:
    pid   process
    2256  c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe
    2256  c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe
    2888  WerFault.exe
    2888  WerFault.exe
    2888  WerFault.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    2888  3068        WerFault.exe  .exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process                                                                   target process
    PID 2256 wrote to memory of 3068   2256  c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe  .exe
    PID 2256 wrote to memory of 3068   2256  c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe  .exe
    PID 2256 wrote to memory of 3068   2256  c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe  .exe
    PID 2256 wrote to memory of 3068   2256  c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe  .exe
    PID 3068 wrote to memory of 2888   3068  .exe                                                                      WerFault.exe
    PID 3068 wrote to memory of 2888   3068  .exe                                                                      WerFault.exe
    PID 3068 wrote to memory of 2888   3068  .exe                                                                      WerFault.exe
    PID 3068 wrote to memory of 2888   3068  .exe                                                                      WerFault.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c498dec6b5bae2d62448ffb450fa594f0c0e55c7424923d602386dbdb6c61503.exe"
  PID: 2256
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Adobe\.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\.exe"
    PID: 3068
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 800
      PID: 2888
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\.exe
  Filesize: 159KB
  MD5: b1d6d66282771bdaee20f0295991140a
  SHA1: f65c534725a4aa947285ecbb2acf3f5083803152
  SHA256: 9697901177242e9a450aae820687ddbbd13196b5876ec77cdcb663cfbadb0053
  SHA512: af0bd80c0fdb1c336268c1bcdb8b0a05a588a1ded511669f6974b10e19752bed5305fda870a9a1e61be30db14228194f84ec8da74e9836eec3506d0629fe0900
- memory/2256-0-0x0000000000900000-0x0000000000978000-memory.dmp
  Filesize: 480KB
- memory/2256-1-0x0000000074170000-0x000000007485E000-memory.dmp
  Filesize: 6.9MB
- memory/2256-11-0x0000000004170000-0x00000000041AD000-memory.dmp
  Filesize: 244KB
- memory/2256-13-0x0000000004170000-0x00000000041AD000-memory.dmp
  Filesize: 244KB
- memory/2256-12-0x0000000074170000-0x000000007485E000-memory.dmp
  Filesize: 6.9MB
- memory/3068-14-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB