Analysis Overview
SHA256
9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af
Threat Level: Known bad
The file efe42e097392ba07bdbc1b30ed12f46f.exe was found to be: Known bad.
Malicious Activity Summary
Mars Stealer
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-25 04:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-25 04:07
Reported
2023-12-25 04:09
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Low\0RTCU.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Low\0RTCU.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe
"C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe"
C:\Users\Admin\AppData\Local\Temp\Low\0RTCU.exe
"C:\Users\Admin\AppData\Local\Temp\Low\0RTCU.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 564
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | moscow-post.com | udp |
| RU | 185.71.67.60:80 | moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.com | udp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
Files
memory/2352-0-0x00000000009D0000-0x0000000000A44000-memory.dmp
memory/2352-1-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2352-2-0x00000000041D0000-0x0000000004210000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Low\0RTCU.exe
| Algorithm | Hash |
|---|---|
| MD5 | 202191816957a39fc2b84b6c85acfeae |
| SHA1 | f80f8648760994d71a5851823dd07167f0d57717 |
| SHA256 | a7f7dbcd70ed67b1f8a85b4cd5c807c7813e024c0539705d84c2c7f66b978002 |
| SHA512 | 44a7071ffac61a0bb27c8c9697a2d6a14216801f5405ebea17a20c988b65ae4c8b592ebb207a6f3610da010795942ee00510c5e37db76cbd5ca87cd4a7c2a0f4 |
memory/2208-14-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2352-13-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2352-11-0x0000000004140000-0x000000000417D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Low\0RTCU.exe
| Algorithm | Hash |
|---|---|
| MD5 | ccbede8d2869535347316a479f0b8095 |
| SHA1 | 1dd0e7574972260c77ca90638950d83c7b00d8f2 |
| SHA256 | afae663cab910a67e7fb519797ff385926b77ee59fa0e96e1853318146d2e179 |
| SHA512 | 9a0de846ced51215948a16300aec8aeb7cf0ef5c0005a3cb661fc27e85b5d25b3b3278e7c91fbedc9d0a1ec686fdcd8ff07f35b39931a7c28c8b2139dabf4456 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-25 04:07
Reported
2023-12-25 04:09
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Mars Stealer
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2804 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe | C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe |
| PID 2804 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe | C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe |
| PID 2804 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe | C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe
"C:\Users\Admin\AppData\Local\Temp\efe42e097392ba07bdbc1b30ed12f46f.exe"
C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe
"C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1136 -ip 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1372
Network
Files
memory/2804-1-0x0000000074AB0000-0x0000000075260000-memory.dmp
memory/2804-0-0x0000000000790000-0x0000000000804000-memory.dmp
memory/2804-2-0x00000000051B0000-0x00000000051C0000-memory.dmp
C:\ProgramData\USOShared\K8H01RJTIRT8WK.exe
| Algorithm | Hash |
|---|---|
| MD5 | ccbede8d2869535347316a479f0b8095 |
| SHA1 | 1dd0e7574972260c77ca90638950d83c7b00d8f2 |
| SHA256 | afae663cab910a67e7fb519797ff385926b77ee59fa0e96e1853318146d2e179 |
| SHA512 | 9a0de846ced51215948a16300aec8aeb7cf0ef5c0005a3cb661fc27e85b5d25b3b3278e7c91fbedc9d0a1ec686fdcd8ff07f35b39931a7c28c8b2139dabf4456 |
memory/1136-12-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2804-13-0x0000000074AB0000-0x0000000075260000-memory.dmp
memory/1136-15-0x0000000000400000-0x000000000043D000-memory.dmp