Analysis Overview
SHA256
2036928122f63d2ce88ba94aa48f0e2e42af769d2731118e441b568fb7866182
Threat Level: Known bad
The file 40cf5b7e5c505da78a7f66d2950effbf.bin was found to be: Known bad.
Malicious Activity Summary
Mars Stealer
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-25 01:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-25 01:21
Reported
2023-12-25 01:24
Platform
win7-20231215-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Mars Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Adobe\.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
"C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"
C:\Users\Admin\AppData\Roaming\Adobe\.exe
"C:\Users\Admin\AppData\Roaming\Adobe\.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 800
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.moscow-post.com | udp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
Files
memory/2184-0-0x00000000000F0000-0x0000000000162000-memory.dmp
memory/2184-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp
memory/2184-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp
\Users\Admin\AppData\Roaming\Adobe\.exe
| MD5 | 53eb0bcc17ccf65660a7266e3287ebd6 |
| SHA1 | c4f2201da904be4882a104d6a291f70aebefb0a6 |
| SHA256 | 7a391340b6677f74bcf896b5cc16a470543e2a384049df47949038df5e770df1 |
| SHA512 | 2c6e157e34721fdc1fb17db73423afbcda9c9c45d61376a220c353a9af73c8aa7237525b4a15d55864762fc07868ab2f71c801a87d0a2cd60cae0fb49c4fbbaa |
memory/2184-7-0x0000000000850000-0x000000000088D000-memory.dmp
memory/2184-13-0x0000000000850000-0x000000000088D000-memory.dmp
memory/868-14-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2184-15-0x00000000748A0000-0x0000000074F8E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-25 01:21
Reported
2023-12-25 01:24
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Mars Stealer
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1172 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe | C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe |
| PID 1172 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe | C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe |
| PID 1172 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe | C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe
"C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1412
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.moscow-post.com | udp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| US | 8.8.8.8:53 | 60.67.71.185.in-addr.arpa | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| GB | 96.17.178.174:80 | N/A | tcp |
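Both Network tables above (behavioral1 and behavioral2) mix the sample's own traffic with sandbox noise: the resolver at 8.8.8.8, the Windows 10 image's reverse (PTR) lookups and Bing telemetry. The script below is an added example, not part of the sandbox report; it takes the behavioral2 rows as constructed input, applies an assumed allow-list (the resolver IP and the `.bing.com` / `.bing.net` suffixes are choices to tune per lab), and leaves only the hosts worth treating as candidate C2 indicators, then emits Suricata `dns.query` rules for them.

```python
"""Pull candidate C2 indicators out of a sandbox 'Network' table.

Added example for the report above: the rows are copied from the behavioral2
Network table; the noise filters are assumptions to tune per lab.
"""
from collections import defaultdict

# Constructed input: rows copied from the behavioral2 Network table (subset).
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.com | udp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| US | 8.8.8.8:53 | 60.67.71.185.in-addr.arpa | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 96.17.178.174:80 | N/A | tcp |
"""

# Assumed lab noise: the sandbox resolver and Windows 10 background telemetry.
RESOLVERS = {"8.8.8.8"}
BENIGN_SUFFIXES = (".bing.com", ".bing.net")


def parse_network_table(table):
    """Split the pipe table into dicts; the header row is skipped."""
    rows = []
    for line in table.splitlines()[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({
            "country": country, "ip": ip, "port": int(port),
            "domain": "" if domain in ("", "N/A") else domain, "proto": proto,
        })
    return rows


def is_ptr_lookup(domain):
    """Reverse lookups are the OS resolving peers, not the sample's intent."""
    return domain.endswith((".in-addr.arpa", ".ip6.arpa"))


def extract_iocs(rows):
    """Return (domains, sockets): domains the sample resolved or contacted, and
    {(ip, port): set(domains)} for every non-resolver connection, after dropping
    PTR lookups and allow-listed telemetry. A socket with an empty set is a
    connection with no hostname captured and needs manual corroboration."""
    domains = set()
    sockets = defaultdict(set)
    for r in rows:
        d = r["domain"]
        if d and (is_ptr_lookup(d) or d.endswith(BENIGN_SUFFIXES)):
            continue
        if d:
            domains.add(d)
        if r["ip"] in RESOLVERS:
            continue  # the DNS query itself; the domain was recorded above
        entry = sockets[(r["ip"], r["port"])]
        if d:
            entry.add(d)
    return domains, dict(sockets)


def suricata_dns_rules(domains, base_sid=1000001):
    """Emit one dns.query rule per domain (Suricata 5+ keyword syntax)."""
    rules = []
    for i, d in enumerate(sorted(domains)):
        rules.append(
            f'alert dns any any -> any any (msg:"Mars Stealer candidate C2 lookup {d}"; '
            f'dns.query; content:"{d}"; nocase; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    rows = parse_network_table(NETWORK_TABLE)
    doms, socks = extract_iocs(rows)
    print("domains:", sorted(doms))
    for (ip, port), names in sorted(socks.items()):
        print(f"{ip}:{port}", sorted(names) or "<no hostname observed>")
    print("\n".join(suricata_dns_rules(doms)))
```

Run against the rows above this leaves `www.moscow-post.com` and `www.moscow-post.su`, both resolving to `185.71.67.60:80` in both detonations, plus one bare connection to `96.17.178.174:80` that the report records without a hostname; the latter stays on the list as "corroborate before blocking" rather than being dropped silently, since an allow-list can only remove what it has a name for.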
Files
memory/1172-0-0x0000000000800000-0x0000000000872000-memory.dmp
memory/1172-1-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/1172-2-0x00000000052F0000-0x0000000005300000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe
| MD5 | 53eb0bcc17ccf65660a7266e3287ebd6 |
| SHA1 | c4f2201da904be4882a104d6a291f70aebefb0a6 |
| SHA256 | 7a391340b6677f74bcf896b5cc16a470543e2a384049df47949038df5e770df1 |
| SHA512 | 2c6e157e34721fdc1fb17db73423afbcda9c9c45d61376a220c353a9af73c8aa7237525b4a15d55864762fc07868ab2f71c801a87d0a2cd60cae0fb49c4fbbaa |
memory/1480-10-0x0000000000400000-0x000000000043D000-memory.dmp
memory/1172-13-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/1480-15-0x0000000000400000-0x000000000043D000-memory.dmp
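The behavioral2 run records three things that only make sense together: the dropped `IOWU.exe` is started, the original sample (PID 1172) writes into its memory (PID 1480), WerFault is then invoked for PID 1480, and the sandbox dumps a region at `0x400000-0x43D000` from that process (the same size region appears for PID 868 in behavioral1, and the dropped file carries the same SHA256 in both runs). The script below is an added example, not part of the report; it parses the WriteProcessMemory rows, the WerFault command lines and the dump file names copied from above into one injection record per writer/target pair, so the crash and the dump can be tied to the process that was written into rather than to the parent.

```python
"""Correlate WriteProcessMemory rows, WerFault command lines and memory dump
names from one behavioral run into an injection record.

Added example; the strings below are copied from the behavioral2 run above.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\911221ce521f77139ecfa2a277c277aaee6bff7094d9c5b31b893a4b104dea48.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\IOWU.exe"

# Constructed input: the three identical indicator rows from the report.
WPM_ROWS = [f"| PID 1172 wrote to memory of 1480 | N/A | {SAMPLE} | {DROPPED} |"] * 3

# Constructed input: the two WerFault command lines from the Processes list.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1412",
]

# Constructed input: the memory dump names from the Files section.
DUMPS = [
    "memory/1172-0-0x0000000000800000-0x0000000000872000-memory.dmp",
    "memory/1172-1-0x0000000074E60000-0x0000000075610000-memory.dmp",
    "memory/1172-2-0x00000000052F0000-0x0000000005300000-memory.dmp",
    "memory/1480-10-0x0000000000400000-0x000000000043D000-memory.dmp",
    "memory/1172-13-0x0000000074E60000-0x0000000075610000-memory.dmp",
    "memory/1480-15-0x0000000000400000-0x000000000043D000-memory.dmp",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# '-p <pid>' is the faulting process; '-ip' (the parent) must not match.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p (\d+)")
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_wpm(rows):
    """Map writer PID -> {target PIDs}; repeated rows (one per write call in the
    sandbox log) collapse to a single edge."""
    edges = {}
    for row in rows:
        m = WPM_RE.search(row)
        if m:
            edges.setdefault(int(m.group(1)), set()).add(int(m.group(2)))
    return edges


def crashed_pids(cmdlines):
    """PIDs WerFault was launched for."""
    pids = set()
    for cmd in cmdlines:
        m = WERFAULT_PID_RE.search(cmd)
        if m:
            pids.add(int(m.group(1)))
    return pids


def parse_dumps(names):
    """Dump name -> (pid, sequence index, start, end, size)."""
    out = []
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        out.append({"pid": int(m.group(1)), "idx": int(m.group(2)),
                    "start": start, "end": end, "size": end - start})
    return out


def injection_timeline(wpm_rows, werfault_cmdlines, dump_names):
    """One record per writer/target pair: did the target crash, and which
    distinct regions of the target were dumped (the ones to carve the payload from)."""
    edges = parse_wpm(wpm_rows)
    crashed = crashed_pids(werfault_cmdlines)
    dumps = parse_dumps(dump_names)
    records = []
    for writer, targets in edges.items():
        for target in sorted(targets):
            regions = sorted({(d["start"], d["end"]) for d in dumps if d["pid"] == target})
            records.append({"writer": writer, "target": target,
                            "target_crashed": target in crashed,
                            "target_regions": regions})
    return records


if __name__ == "__main__":
    for rec in injection_timeline(WPM_ROWS, WERFAULT_CMDLINES, DUMPS):
        regs = ", ".join(f"0x{s:X}-0x{e:X} ({e - s:#x} bytes)" for s, e in rec["target_regions"])
        print(f"PID {rec['writer']} -> PID {rec['target']}: crashed={rec['target_crashed']} dumped={regs}")
```

For this run the record is writer 1172, target 1480, crashed, with a single dumped region `0x400000-0x43D000` (0x3D000 bytes) in the written-to process. That region, not the parent's dumps, is the one to pull when looking for the code the sample placed in `IOWU.exe`; the behavioral1 dump `memory/868-14-...` covers the same range for the `Adobe\.exe` copy.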