Analysis
max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
24-12-2023 18:01
Static task
static1
Behavioral task
behavioral1
Sample
UndertaleTrainer.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
UndertaleTrainer.exe
Resource
win10v2004-20231215-en
General
Target
UndertaleTrainer.exe
Size
3.8MB
MD5
8669e8f71fd06872bbc1d2399c33d7b1
SHA1
6cdcbc65e5b4d30c3e2e9e3e2c7ad4ed8373bcc5
SHA256
b7d757263aac8d89154f7962550b795cca99e2df080d8bfdfbc3582b1a0d8d43
SHA512
b353fb22d846994f6c09258cccf63f92ae9db14e4dc5965bc67c7c539bdc8f51e599c7bb70a6668d8d6aeacb1551e333ae70630e1ac58f21c49032052dffa847
SSDEEP
12288:zNS9x1JXkDAoqsTAoFhb6lRZu4W1K8waHyu2Um4ytvqMNVw2LW86B7SiU:zeAzW4f
Malware Config
Extracted
marsstealer
Default
www.msk-post.com/server/init.php
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | UndertaleTrainer.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4968 | A6XF.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  2440 | 4968 | WerFault.exe | A6XF.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 696 wrote to memory of 4968 | 696 | UndertaleTrainer.exe | A6XF.exe
  PID 696 wrote to memory of 4968 | 696 | UndertaleTrainer.exe | A6XF.exe
  PID 696 wrote to memory of 4968 | 696 | UndertaleTrainer.exe | A6XF.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\UndertaleTrainer.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\UndertaleTrainer.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 696
   2. C:\Users\Admin\AppData\Roaming\Microsoft\A6XF.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\A6XF.exe"
      - Executes dropped EXE
      PID: 4968
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1648
         - Program crash
         PID: 2440
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4968 -ip 4968
   PID: 4876
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\A6XF.exe
  Filesize
  159KB
  MD5
  b13a4bddff058d6c9c44d62ecf492563
  SHA1
  dcf173cf7a9ae1c9b28c92a13bca0b619dee3511
  SHA256
  ff90f644a5d0af130cf8d61d0908447a8953d3be58c0ecd8b23f03534df30e4c
  SHA512
  7c8611fd762dbd1b77788dc0950323adf751a1a881b855c8b8cf132f4b3515479c56789b1360a028d5704426f37fb4610effb79824c0bc0ea85f2a3d7c638a90
- memory/696-0-0x0000000000A70000-0x0000000000AE2000-memory.dmp
  Filesize
  456KB
- memory/696-1-0x0000000074860000-0x0000000075010000-memory.dmp
  Filesize
  7.7MB
- memory/696-12-0x0000000074860000-0x0000000075010000-memory.dmp
  Filesize
  7.7MB
- memory/4968-11-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize
  244KB
- memory/4968-20-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize
  244KB