Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-12-2023 04:07
Static task: static1
Behavioral task: behavioral1
  Sample: efe42e097392ba07bdbc1b30ed12f46f.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: efe42e097392ba07bdbc1b30ed12f46f.exe
  Resource: win10v2004-20231215-en
General
- Target: efe42e097392ba07bdbc1b30ed12f46f.exe
- Size: 5.7MB
- MD5: efe42e097392ba07bdbc1b30ed12f46f
- SHA1: 6e67c0ce64661b8f12c453d182fadcf9b81225b8
- SHA256: 9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af
- SHA512: 87147c5b0a5016d5a6f36e980cf294880a78ca3b3491ca1e90bd5664f3d6405da4259ae486544f7b355cf6e29eeb80273336b9f2fbb5928730eda3584b8a1005
- SSDEEP: 12288:MPZV/cS4H8+Gc8DWKwJa8JdrBoyvCRH96m2iii2Tc:MRV2iWih
Malware Config
Extracted
- Family: marsstealer
- Default: moscow-post.com/log/loger.php
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: efe42e097392ba07bdbc1b30ed12f46f.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Process: K8H01RJTIRT8WK.exe (PID 1136)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Process: WerFault.exe (PID 1744); target process: K8H01RJTIRT8WK.exe (PID 1136)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: efe42e097392ba07bdbc1b30ed12f46f.exe (PID 2804); target process: K8H01RJTIRT8WK.exe (PID 1136)
    PID 2804 wrote to memory of 1136
    PID 2804 wrote to memory of 1136
    PID 2804 wrote to memory of 1136
Processes
- C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe"
  PID: 2804
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe (child of PID 2804)
    Command line: "C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe"
    PID: 1136
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (child of PID 1136)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1372
      PID: 1744
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1136 -ip 1136
  PID: 1328
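The process tree and the WriteProcessMemory signature above describe one chain: the sample in %TEMP% (PID 2804) executes a dropped file from C:\ProgramData\USOShared (PID 1136), writes into that child's memory three times, and the child then crashes under WerFault (-p 1136). The 0x400000-0x43D000 dumps of PID 1136 listed under Downloads are the child's image region (0x400000 is the default 32-bit image base; the SysWOW64 WerFault confirms a 32-bit child). The following is an added detection example, not part of the sandbox report: it correlates constructed process-telemetry records built from the PIDs, image paths and command lines on this page into a single finding. The event schema is assumed, the file_create event and the parent PIDs of the two top-level processes are inferred rather than taken from the page, and since WriteProcessMemory itself is not logged by Sysmon, the nearest real-world observable is assumed to be a Sysmon Event ID 10 ProcessAccess whose GrantedAccess includes PROCESS_VM_WRITE and PROCESS_VM_OPERATION.

```python
"""Correlate process telemetry into the drop -> spawn -> write-into-child chain
shown in this report's Processes and Signatures sections.

Added example, not part of the sandbox report. Event records are constructed
from the report (PIDs, images and command lines copied from it; the file_create
event and the two top-level ppids are inferred/assumed) and use an assumed
field schema, not any product's. "Write-capable" below means a handle grant
carrying PROCESS_VM_WRITE and PROCESS_VM_OPERATION, the Sysmon Event ID 10
stand-in for a WriteProcessMemory call.
"""
from collections import defaultdict
from dataclasses import dataclass

PROCESS_VM_OPERATION = 0x0008             # VirtualAllocEx / VirtualProtectEx
PROCESS_VM_WRITE = 0x0020                 # WriteProcessMemory
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

EVENTS = [  # constructed from the report's process tree
    {"type": "process_create", "pid": 2804, "ppid": 4000,   # ppid assumed (not on page)
     "image": r"C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe"},
    {"type": "file_create", "pid": 2804,                     # inferred from "Executes dropped EXE"
     "path": r"C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe"},
    {"type": "process_create", "pid": 1136, "ppid": 2804,
     "image": r"C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe"},
    # three write-capable grants stand in for the three "wrote to memory of 1136" IoCs
    {"type": "process_access", "pid": 2804, "target_pid": 1136, "granted_access": PROCESS_ALL_ACCESS},
    {"type": "process_access", "pid": 2804, "target_pid": 1136, "granted_access": PROCESS_ALL_ACCESS},
    {"type": "process_access", "pid": 2804, "target_pid": 1136, "granted_access": PROCESS_ALL_ACCESS},
    {"type": "process_create", "pid": 1744, "ppid": 1136,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1372"},
    {"type": "process_create", "pid": 1328, "ppid": 4001,   # parent not shown on page; assumed
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1136 -ip 1136"},
    # constructed controls: WerFault opening the crashed process is legitimate and it is
    # not the parent; a parent opening its child for query only carries no write rights.
    {"type": "process_access", "pid": 1328, "target_pid": 1136, "granted_access": PROCESS_ALL_ACCESS},
    {"type": "process_access", "pid": 4000, "target_pid": 2804,
     "granted_access": PROCESS_QUERY_LIMITED_INFORMATION},
]


@dataclass(frozen=True)
class Finding:
    source_pid: int
    target_pid: int
    target_image: str
    write_count: int         # write-capable handle grants from source to target
    dropped_by_source: bool  # source created the target's image file earlier
    crashed: bool            # WerFault was later launched for the target


def werfault_target(cmdline):
    """Return the PID named by the -p switch of a WerFault command line, or None."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if tok == "-p" and parts[i + 1].isdigit():
            return int(parts[i + 1])
    return None


def detect_child_injection(events, min_writes=1):
    """Flag a process that obtains write-capable access to a child it spawned.

    Requiring the parent/child relationship is what keeps WerFault, which opens
    the crashed process but did not spawn it, out of the results."""
    parent, image = {}, {}
    dropped = defaultdict(set)    # pid -> lower-cased paths it created
    writes = defaultdict(int)     # (source, target) -> write-capable grants
    crashed = set()               # pids for which WerFault was launched
    mask = PROCESS_VM_WRITE | PROCESS_VM_OPERATION
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            parent[ev["pid"]] = ev["ppid"]
            image[ev["pid"]] = ev["image"]
            if ev["image"].lower().endswith("\\werfault.exe"):
                victim = werfault_target(ev.get("cmdline", ""))
                if victim is not None:
                    crashed.add(victim)
        elif kind == "file_create":
            dropped[ev["pid"]].add(ev["path"].lower())
        elif kind == "process_access":
            if ev["pid"] != ev["target_pid"] and (ev["granted_access"] & mask) == mask:
                writes[(ev["pid"], ev["target_pid"])] += 1
    findings = []
    for (src, dst), count in sorted(writes.items()):
        if parent.get(dst) != src or count < min_writes:
            continue
        tgt_image = image.get(dst, "")
        findings.append(Finding(src, dst, tgt_image, count,
                                tgt_image.lower() in dropped[src], dst in crashed))
    return findings


if __name__ == "__main__":
    for finding in detect_child_injection(EVENTS):
        print(finding)
```

On this report's chain the detector returns one finding: 2804 → 1136, three write-capable grants, target image dropped by the source, and a later crash of the target. The WerFault process that opens PID 1136 is ignored because it is not the parent, and the query-only handle from the assumed parent of 2804 is ignored because it lacks the write bits. Raising min_writes trades sensitivity for noise; a single write-capable grant from a parent to a child it just dropped is already unusual for legitimate software.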
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe
  Filesize: 159KB
  MD5: ccbede8d2869535347316a479f0b8095
  SHA1: 1dd0e7574972260c77ca90638950d83c7b00d8f2
  SHA256: afae663cab910a67e7fb519797ff385926b77ee59fa0e96e1853318146d2e179
  SHA512: 9a0de846ced51215948a16300aec8aeb7cf0ef5c0005a3cb661fc27e85b5d25b3b3278e7c91fbedc9d0a1ec686fdcd8ff07f35b39931a7c28c8b2139dabf4456
- memory/1136-12-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/1136-15-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/2804-1-0x0000000074AB0000-0x0000000075260000-memory.dmp
  Filesize: 7.7MB
- memory/2804-0-0x0000000000790000-0x0000000000804000-memory.dmp
  Filesize: 464KB
- memory/2804-2-0x00000000051B0000-0x00000000051C0000-memory.dmp
  Filesize: 64KB
- memory/2804-13-0x0000000074AB0000-0x0000000075260000-memory.dmp
  Filesize: 7.7MB
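The indicators this report yields are the hashes of the submitted sample (General), the hashes of the dropped K8H01RJTIRT8WK.exe (Downloads), and the URL moscow-post.com/log/loger.php from the extracted Mars Stealer config. The following is an added sweep example, not part of the sandbox report: it hashes a file with all four algorithms in a single pass, matches only when every listed digest agrees (so a mis-copied indicator produces a miss rather than a false positive on one column), and matches proxy records against the config URL with host normalisation. The hash values are copied from this page; the proxy log lines are constructed, and their layout (URL as the last whitespace-separated field) is an assumption. The page gives no scheme or port for the URL, so the match ignores both.

```python
"""Sweep a file and proxy log lines against the indicators in this report.

Added example, not part of the sandbox report. Hash values are copied from the
General and Downloads sections and the URL from the extracted Mars Stealer
config; the proxy log lines are constructed, and their format (URL as the last
whitespace-separated field) is an assumption.
"""
import hashlib
import io
from urllib.parse import urlsplit

FILE_IOCS = {
    "efe42e097392ba07bdbc1b30ed12f46f.exe": {
        "md5": "efe42e097392ba07bdbc1b30ed12f46f",
        "sha1": "6e67c0ce64661b8f12c453d182fadcf9b81225b8",
        "sha256": "9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af",
        "sha512": "87147c5b0a5016d5a6f36e980cf294880a78ca3b3491ca1e90bd5664f3d6405da4259ae486544f7b355cf6e29eeb80273336b9f2fbb5928730eda3584b8a1005",
    },
    "K8H01RJTIRT8WK.exe": {
        "md5": "ccbede8d2869535347316a479f0b8095",
        "sha1": "1dd0e7574972260c77ca90638950d83c7b00d8f2",
        "sha256": "afae663cab910a67e7fb519797ff385926b77ee59fa0e96e1853318146d2e179",
        "sha512": "9a0de846ced51215948a16300aec8aeb7cf0ef5c0005a3cb661fc27e85b5d25b3b3278e7c91fbedc9d0a1ec686fdcd8ff07f35b39931a7c28c8b2139dabf4456",
    },
}
C2_URL = "moscow-post.com/log/loger.php"   # as extracted; no scheme or port on the page


def hash_all(fileobj, chunk_size=1 << 16):
    """Compute MD5, SHA-1, SHA-256 and SHA-512 in one pass over a binary file-like object."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Same as hash_all for in-memory data."""
    return hash_all(io.BytesIO(data))


def match_hashes(digests, iocs=FILE_IOCS):
    """Names of IoC entries whose every listed digest agrees with `digests`.

    Requiring all algorithms to agree turns a mis-copied indicator into a miss
    instead of a false positive on one coincidentally matching column."""
    return sorted(name for name, known in iocs.items()
                  if all(digests.get(alg) == val for alg, val in known.items()))


def match_c2(log_lines, c2=C2_URL):
    """(line_no, url) for proxy lines whose host and path match the config URL.

    Host comparison is case-insensitive and ignores an explicit port because the
    indicator carries neither scheme nor port; the path must match exactly."""
    want_host, _, want_path = c2.partition("/")
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if not fields:
            continue
        url = fields[-1]                                   # assumed layout: URL is the last field
        parts = urlsplit(url if "://" in url else "//" + url)
        if (parts.hostname or "").lower() == want_host.lower() and parts.path == "/" + want_path:
            hits.append((n, url))
    return hits


LOG_LINES = [  # constructed proxy records, not taken from the report
    "2023-12-25T04:08:01Z 10.0.0.12 POST http://moscow-post.com/log/loger.php",
    "2023-12-25T04:08:02Z 10.0.0.12 POST http://MOSCOW-POST.com:80/log/loger.php",
    "2023-12-25T04:08:03Z 10.0.0.13 GET http://moscow-post.com/log/other.php",
    "2023-12-25T04:08:04Z 10.0.0.14 POST http://example.invalid/log/loger.php",
]

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, match_hashes(hash_all(fh)) or "no match")
    print(match_c2(LOG_LINES))
```

Run it with file paths as arguments to check suspected copies of the sample or the dropped executable; the constructed log lines show that the first two records match (the second only because the host compare folds case and drops the :80), while a different path or a different host does not.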