Analysis
- Max time kernel: 121s
- Max time network: 145s
- Platform: windows7_x64
- Resource: win7-20231129-en
- Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- Submitted: 24-12-2023 18:06
- Static task: static1
- Behavioral task: behavioral1 (sample: UndertaleTrainer.exe, resource: win7-20231129-en)
- Behavioral task: behavioral2 (sample: UndertaleTrainer.exe, resource: win10v2004-20231215-en)
General
- Target: UndertaleTrainer.exe
- Size: 3.8MB
- MD5: 8669e8f71fd06872bbc1d2399c33d7b1
- SHA1: 6cdcbc65e5b4d30c3e2e9e3e2c7ad4ed8373bcc5
- SHA256: b7d757263aac8d89154f7962550b795cca99e2df080d8bfdfbc3582b1a0d8d43
- SHA512: b353fb22d846994f6c09258cccf63f92ae9db14e4dc5965bc67c7c539bdc8f51e599c7bb70a6668d8d6aeacb1551e333ae70630e1ac58f21c49032052dffa847
- SSDEEP: 12288:zNS9x1JXkDAoqsTAoFhb6lRZu4W1K8waHyu2Um4ytvqMNVw2LW86B7SiU:zeAzW4f
Malware Config
- Extracted: marsstealer, Default
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoC)
  Processes: PID 2784, PVZQIE.exe
- Loads dropped DLL (5 IoCs)
  Processes: PID 2948, UndertaleTrainer.exe (2 IoCs); PID 1680, WerFault.exe (3 IoCs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes: PID 1680, WerFault.exe (target PID 2784, PVZQIE.exe)
- Modifies registry class (1 IoC)
  Processes: PVZQIE.exe created key \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\MuiCache
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: PID 2948 (UndertaleTrainer.exe) wrote to memory of PID 2784 (PVZQIE.exe), 4 IoCs; PID 2784 (PVZQIE.exe) wrote to memory of PID 1680 (WerFault.exe), 4 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\UndertaleTrainer.exe (PID 2948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\UndertaleTrainer.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\Low\PVZQIE.exe (PID 2784)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Low\PVZQIE.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\WerFault.exe (PID 1680)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 564
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (65KB)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 (1KB)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 (242B)
- C:\Users\Admin\AppData\LocalLow\Temp\TarC395.tmp (171KB)
- C:\Users\Admin\AppData\Local\Temp\Low\PVZQIE.exe (159KB)
- C:\Users\Admin\AppData\Local\Temp\Low\PVZQIE.exe (92KB)
- \Users\Admin\AppData\Local\Temp\Low\PVZQIE.exe (140KB)
- memory/2784-12-0x0000000000400000-0x000000000043D000-memory.dmp (244KB)
- memory/2948-0-0x0000000000ED0000-0x0000000000F42000-memory.dmp (456KB)
- memory/2948-1-0x0000000073F30000-0x000000007461E000-memory.dmp (6.9MB)
- memory/2948-13-0x0000000073F30000-0x000000007461E000-memory.dmp (6.9MB)
- memory/2948-11-0x0000000000E60000-0x0000000000E9D000-memory.dmp (244KB)