Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
25-12-2023 01:21
Static task
static1
Behavioral task
behavioral1
Sample
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
Resource
win10v2004-20231215-en
General
-
Target
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
-
Size
433KB
-
MD5
40cf5b7e5c505da78a7f66d2950effbf
-
SHA1
abf961c5b9fae57411a195a00b4c7093d2fe0bc4
-
SHA256
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
-
SHA512
08cbfc073c2d0f63a9b2711a81dd30809cb87eb2310ffd5b2a582a1e9ca0ebd5956093e83453310cba25a403aa28bf7cfcb3725a017188d48e66cccccb190bc5
-
SSDEEP
12288:pyVG1u73Do/eGm5uRWlgfS7BCag7MJQIGhJNsx61V0wrY4FS9:IGS6WRN+JGxS
Malware Config
Extracted
marsstealer
Default
Signatures
-
Mars Stealer
An infostealer written in C++ based on other infostealers.
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
868   .exe
-
Loads dropped DLL 5 IoCs
Processes:
pid    process
2184   911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
2184   911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
2660   WerFault.exe
2660   WerFault.exe
2660   WerFault.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid    pid_target   process        target process
2660   868          WerFault.exe   .exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                        pid    process                                                                  target process
PID 2184 wrote to memory of 868    2184   911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe   .exe
PID 2184 wrote to memory of 868    2184   911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe   .exe
PID 2184 wrote to memory of 868    2184   911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe   .exe
PID 2184 wrote to memory of 868    2184   911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe   .exe
PID 868 wrote to memory of 2660    868    .exe                                                                     WerFault.exe
PID 868 wrote to memory of 2660    868    .exe                                                                     WerFault.exe
PID 868 wrote to memory of 2660    868    .exe                                                                     WerFault.exe
PID 868 wrote to memory of 2660    868    .exe                                                                     WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
  C:\Users\Admin\AppData\Roaming\Adobe\.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Adobe\.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:868
    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 800
    - Loads dropped DLL
    - Program crash
    PID:2660
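Added example, not part of the sandbox report: the process tree above rendered as Sysmon-style process-creation records and run through the three checks a detection engineer would write from it: an executable whose file name is nothing but an extension (the dropped Roaming\Adobe\.exe), a binary running from AppData\Local\Temp that spawns a child under AppData\Roaming, and a WerFault.exe whose -p argument names that dropped child. The ProcEvent record shape and the PPID 1000 launcher of the first process are assumptions; the PIDs, paths and the WerFault command line are taken from the tree.

```python
"""Flag the drop-execute-crash chain from this report in process-creation events.
Added example; the records below are constructed to mirror the report's tree."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = "911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
DROP_PATH = r"C:\Users\Admin\AppData\Roaming\Adobe\.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process create) record (assumed shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records. PPID 1000 is an assumed launcher not shown in the report.
EVENTS = [
    ProcEvent(2184, 1000, ntpath.join(TEMP_DIR, SAMPLE), f'"{ntpath.join(TEMP_DIR, SAMPLE)}"'),
    ProcEvent(868, 2184, DROP_PATH, f'"{DROP_PATH}"'),
    ProcEvent(2660, 868, WERFAULT, f"{WERFAULT} -u -p 868 -s 800"),
]

WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)", re.IGNORECASE)


def is_nameless_exe(image: str) -> bool:
    """True when the basename is just '.exe', i.e. the stem is empty."""
    return ntpath.basename(image).lower() == ".exe"


def is_temp_to_roaming_drop(parent_image: str, child_image: str) -> bool:
    """Parent runs from %LOCALAPPDATA%\\Temp and starts a child under Roaming."""
    parent, child = parent_image.lower(), child_image.lower()
    return "\\appdata\\local\\temp\\" in parent and "\\appdata\\roaming\\" in child


def werfault_target(cmdline: str) -> Optional[int]:
    """PID named by WerFault's -p switch: the process that crashed."""
    m = WERFAULT_PID.search(cmdline)
    return int(m.group(1)) if m else None


def analyze(events: List[ProcEvent]) -> List[Tuple]:
    """Return findings as (rule, pid, detail) tuples."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple] = []
    dropped = set()  # PIDs that look like a dropped payload
    for e in events:
        parent = by_pid.get(e.ppid)
        if is_nameless_exe(e.image):
            findings.append(("nameless_exe", e.pid, e.image))
            dropped.add(e.pid)
        if parent and is_temp_to_roaming_drop(parent.image, e.image):
            findings.append(("temp_drops_roaming", e.pid, parent.pid))
            dropped.add(e.pid)
    # Second pass: a WerFault for a dropped payload marks where the chain died.
    for e in events:
        if ntpath.basename(e.image).lower() == "werfault.exe":
            target = werfault_target(e.cmdline)
            if target in dropped:
                findings.append(("crash_of_dropped_exe", target, by_pid[target].image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

The nameless-exe check is the cheapest of the three and has no benign hits in practice; the Temp-to-Roaming rule is the noisier one and is best paired with the WerFault correlation, which here ties the crash of PID 868 back to the binary that 2184 dropped.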
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\Users\Admin\AppData\Roaming\Adobe\.exe
Filesize
159KB
MD5
53eb0bcc17ccf65660a7266e3287ebd6
SHA1
c4f2201da904be4882a104d6a291f70aebefb0a6
SHA256
7a391340b6677f74bcf896b5cc16a470543e2a384049df47949038df5e770df1
SHA512
2c6e157e34721fdc1fb17db73423afbcda9c9c45d61376a220c353a9af73c8aa7237525b4a15d55864762fc07868ab2f71c801a87d0a2cd60cae0fb49c4fbbaa
-
memory/868-14-0x0000000000400000-0x000000000043D000-memory.dmp
Filesize
244KB
-
memory/2184-0-0x00000000000F0000-0x0000000000162000-memory.dmp
Filesize
456KB
-
memory/2184-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp
Filesize
6.9MB
-
memory/2184-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp
Filesize
256KB
-
memory/2184-7-0x0000000000850000-0x000000000088D000-memory.dmp
Filesize
244KB
-
memory/2184-13-0x0000000000850000-0x000000000088D000-memory.dmp
Filesize
244KB
-
memory/2184-15-0x00000000748A0000-0x0000000074F8E000-memory.dmp
Filesize
6.9MB
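Added example, not from the report: the dump names above encode pid-sequence-start-end, so they can be parsed to recompute the sizes the report prints and to look for regions of identical size in different PIDs. Here the 0x3D000-byte region at 0x850000 in the parent (2184) is the same size as the child's region at 0x400000 in 868 (the default 32-bit image base), which is the pair an analyst would pull and diff to check whether the parent staged the child's image before writing to it. The DUMPS list is copied from the report; the function names are mine.

```python
"""Parse sandbox memory-dump names and correlate same-sized regions across PIDs.
Added example; DUMPS is copied from the report's Downloads list."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

DUMPS = [
    "memory/868-14-0x0000000000400000-0x000000000043D000-memory.dmp",
    "memory/2184-0-0x00000000000F0000-0x0000000000162000-memory.dmp",
    "memory/2184-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp",
    "memory/2184-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp",
    "memory/2184-7-0x0000000000850000-0x000000000088D000-memory.dmp",
    "memory/2184-13-0x0000000000850000-0x000000000088D000-memory.dmp",
    "memory/2184-15-0x00000000748A0000-0x0000000074F8E000-memory.dmp",
]


def parse_dump(name: str) -> Dict[str, int]:
    """Split 'memory/PID-SEQ-0xSTART-0xEND-memory.dmp' into integers."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_kb(size: int) -> int:
    """Whole kilobytes, which is how the report rounds (0x3D000 -> 244KB)."""
    return size // 1024


def regions_by_pid(dumps: List[str]) -> Dict[int, List[Tuple[int, int, int]]]:
    """PID -> sorted, de-duplicated (start, end, size) regions."""
    out: Dict[int, set] = defaultdict(set)
    for d in dumps:
        r = parse_dump(d)
        out[r["pid"]].add((r["start"], r["end"], r["size"]))
    return {pid: sorted(regs) for pid, regs in out.items()}


def matching_regions(dumps: List[str]) -> Dict[int, List[Tuple[int, int]]]:
    """Sizes that occur in more than one PID -> sorted [(pid, start), ...].
    Repeated dumps of the same region (e.g. 2184-7 and 2184-13) collapse to one."""
    by_size: Dict[int, set] = defaultdict(set)
    for d in dumps:
        r = parse_dump(d)
        by_size[r["size"]].add((r["pid"], r["start"]))
    return {size: sorted(entries) for size, entries in by_size.items()
            if len({pid for pid, _ in entries}) > 1}


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(DUMPS).items()):
        for start, end, size in regs:
            print(f"pid {pid:<5} 0x{start:08X}-0x{end:08X} {size_kb(size)}KB")
    for size, entries in matching_regions(DUMPS).items():
        print(f"same size 0x{size:X} in: {entries}")
```

The size match is a lead, not proof: confirm it by comparing the 2184 dump at 0x850000 against the 868 dump at 0x400000 (PE header, section table) before concluding the parent carried the child's image.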