Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2023 01:21
Static task
static1
Behavioral task
behavioral1
Sample
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
Resource
win10v2004-20231215-en
General
-
Target
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
-
Size
433KB
-
MD5
40cf5b7e5c505da78a7f66d2950effbf
-
SHA1
abf961c5b9fae57411a195a00b4c7093d2fe0bc4
-
SHA256
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48
-
SHA512
08cbfc073c2d0f63a9b2711a81dd30809cb87eb2310ffd5b2a582a1e9ca0ebd5956093e83453310cba25a403aa28bf7cfcb3725a017188d48e66cccccb190bc5
-
SSDEEP
12288:pyVG1u73Do/eGm5uRWlgfS7BCag7MJQIGhJNsx61V0wrY4FS9:IGS6WRN+JGxS
Malware Config
Extracted
marsstealer
Default
www.moscow-post.com/wp-content/plugins/toocreate/tuzerfd.php
Signatures
-
Mars Stealer
An infostealer written in C++ based on other infostealers.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe -
Executes dropped EXE 1 IoCs
Processes:
IOWU.exepid process 1480 IOWU.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2744 1480 WerFault.exe IOWU.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exedescription pid process target process PID 1172 wrote to memory of 1480 1172 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe IOWU.exe PID 1172 wrote to memory of 1480 1172 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe IOWU.exe PID 1172 wrote to memory of 1480 1172 911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe IOWU.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe"C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe"2⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 14123⤵
- Program crash
PID:2744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 14801⤵PID:1900
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exeFilesize
159KB
MD553eb0bcc17ccf65660a7266e3287ebd6
SHA1c4f2201da904be4882a104d6a291f70aebefb0a6
SHA2567a391340b6677f74bcf896b5cc16a470543e2a384049df47949038df5e770df1
SHA5122c6e157e34721fdc1fb17db73423afbcda9c9c45d61376a220c353a9af73c8aa7237525b4a15d55864762fc07868ab2f71c801a87d0a2cd60cae0fb49c4fbbaa
-
memory/1172-0-0x0000000000800000-0x0000000000872000-memory.dmpFilesize
456KB
-
memory/1172-1-0x0000000074E60000-0x0000000075610000-memory.dmpFilesize
7.7MB
-
memory/1172-2-0x00000000052F0000-0x0000000005300000-memory.dmpFilesize
64KB
-
memory/1172-13-0x0000000074E60000-0x0000000075610000-memory.dmpFilesize
7.7MB
-
memory/1480-10-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1480-15-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB