Analysis
- max time kernel: 123s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2023 03:10
Static task
- static1
Behavioral task
- behavioral1
  Sample: 76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe
  Resource: win10v2004-20231215-en
General
- Target: 76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe
- Size: 5.7MB
- MD5: bd424a7fd1d0dbb18047473d25acf79d
- SHA1: c663dcda2f85b9e43cb2160e8e6387657091e666
- SHA256: 76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c
- SHA512: f7bd8928aa9b088a088897c14e6cbf87f6b36d024217fca360487ca8a3e8fe0c37080c3efe31f9502ba76aeffefdb5af66d51ca3ab4b986387bbccda53ee354f
- SSDEEP: 12288:OmOcdB+QGf79+kXqfDRjagi+Ug/NqTRxGrXnlJHmjEMnsL4pYZynND:nBcgAnRinrmb
Malware Config
- Extracted family: marsstealer
- Config: Default
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2864  EB.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
    2672  76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe
    2672  76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe
    1924  WerFault.exe
    1924  WerFault.exe
    1924  WerFault.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes (pid, target pid, process, target process):
    1924  2864  WerFault.exe  EB.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 2672 wrote to memory of 2864  2672  76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe  EB.exe
    PID 2672 wrote to memory of 2864  2672  76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe  EB.exe
    PID 2672 wrote to memory of 2864  2672  76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe  EB.exe
    PID 2672 wrote to memory of 2864  2672  76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe  EB.exe
    PID 2864 wrote to memory of 1924  2864  EB.exe  WerFault.exe
    PID 2864 wrote to memory of 1924  2864  EB.exe  WerFault.exe
    PID 2864 wrote to memory of 1924  2864  EB.exe  WerFault.exe
    PID 2864 wrote to memory of 1924  2864  EB.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c.exe"
  PID: 2672
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Identities\EB.exe (child of PID 2672)
    Command line: "C:\Users\Admin\AppData\Roaming\Identities\EB.exe"
    PID: 2864
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (child of PID 2864)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 812
      PID: 1924
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Roaming\Identities\EB.exe
  Filesize: 159KB
  MD5: b1d6d66282771bdaee20f0295991140a
  SHA1: f65c534725a4aa947285ecbb2acf3f5083803152
  SHA256: 9697901177242e9a450aae820687ddbbd13196b5876ec77cdcb663cfbadb0053
  SHA512: af0bd80c0fdb1c336268c1bcdb8b0a05a588a1ded511669f6974b10e19752bed5305fda870a9a1e61be30db14228194f84ec8da74e9836eec3506d0629fe0900
- memory/2672-0-0x0000000000160000-0x00000000001D2000-memory.dmp
  Filesize: 456KB
- memory/2672-1-0x0000000074B50000-0x000000007523E000-memory.dmp
  Filesize: 6.9MB
- memory/2672-6-0x00000000048C0000-0x00000000048FD000-memory.dmp
  Filesize: 244KB
- memory/2672-11-0x00000000048C0000-0x00000000048FD000-memory.dmp
  Filesize: 244KB
- memory/2672-14-0x0000000074B50000-0x000000007523E000-memory.dmp
  Filesize: 6.9MB
- memory/2864-13-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB