Analysis
- max time kernel: 92s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-12-2023 04:02
Static task: static1
Behavioral task: behavioral1
- Sample: The Summer Waifu.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: The Summer Waifu.exe
- Resource: win10v2004-20231222-en
General
- Target: The Summer Waifu.exe
- Size: 5.7MB
- MD5: efe42e097392ba07bdbc1b30ed12f46f
- SHA1: 6e67c0ce64661b8f12c453d182fadcf9b81225b8
- SHA256: 9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af
- SHA512: 87147c5b0a5016d5a6f36e980cf294880a78ca3b3491ca1e90bd5664f3d6405da4259ae486544f7b355cf6e29eeb80273336b9f2fbb5928730eda3584b8a1005
- SSDEEP: 12288:MPZV/cS4H8+Gc8DWKwJa8JdrBoyvCRH96m2iii2Tc:MRV2iWih
Malware Config
Extracted:
- marsstealer
- Default
- moscow-post.com/log/loger.php
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | process: The Summer Waifu.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 2248 | process: U54.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    pid: 640 | pid_target: 2248 | process: WerFault.exe | target process: U54.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 4956 wrote to memory of 2248 | pid: 4956 | process: The Summer Waifu.exe | target process: U54.exe
    description: PID 4956 wrote to memory of 2248 | pid: 4956 | process: The Summer Waifu.exe | target process: U54.exe
    description: PID 4956 wrote to memory of 2248 | pid: 4956 | process: The Summer Waifu.exe | target process: U54.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\The Summer Waifu.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\The Summer Waifu.exe"
  PID: 4956
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Adobe\U54.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\U54.exe"
    PID: 2248
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1216
      PID: 640
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2248 -ip 2248
  PID: 3240
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\U54.exe
  Filesize: 159KB
  MD5: ccbede8d2869535347316a479f0b8095
  SHA1: 1dd0e7574972260c77ca90638950d83c7b00d8f2
  SHA256: afae663cab910a67e7fb519797ff385926b77ee59fa0e96e1853318146d2e179
  SHA512: 9a0de846ced51215948a16300aec8aeb7cf0ef5c0005a3cb661fc27e85b5d25b3b3278e7c91fbedc9d0a1ec686fdcd8ff07f35b39931a7c28c8b2139dabf4456
- memory/2248-12-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/2248-15-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/4956-0-0x0000000000390000-0x0000000000404000-memory.dmp
  Filesize: 464KB
- memory/4956-1-0x0000000074B40000-0x00000000752F0000-memory.dmp
  Filesize: 7.7MB
- memory/4956-2-0x0000000004F40000-0x0000000004F50000-memory.dmp
  Filesize: 64KB
- memory/4956-13-0x0000000074B40000-0x00000000752F0000-memory.dmp
  Filesize: 7.7MB