Analysis Overview
SHA256
71ea59cbedf3c80b6e47bcd746463de8d82b650e0666183a3bd47bf1b2633378
Threat Level: Known bad
The file [Hentai JOI] MrsNuzuki Patreon 2023.exe was found to be: Known bad.
Malicious Activity Summary
Mars Stealer
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-12-25 05:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-25 05:54
Reported
2023-12-25 05:57
Platform
win7-20231215-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Mars Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[Hentai JOI] MrsNuzuki Patreon 2023.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[Hentai JOI] MrsNuzuki Patreon 2023.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\[Hentai JOI] MrsNuzuki Patreon 2023.exe
"C:\Users\Admin\AppData\Local\Temp\[Hentai JOI] MrsNuzuki Patreon 2023.exe"
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 848
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | moscow-post.com | udp |
| RU | 185.71.67.60:80 | moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.com | udp |
| RU | 185.71.67.60:80 | www.moscow-post.com | tcp |
| US | 8.8.8.8:53 | www.moscow-post.su | udp |
| RU | 185.71.67.60:80 | www.moscow-post.su | tcp |
Files
memory/1068-0-0x00000000013A0000-0x0000000001416000-memory.dmp
memory/1068-1-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/1068-2-0x0000000000B50000-0x0000000000B90000-memory.dmp
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe
| MD5 | e1a63920912a17d77ba4661d309b835f |
| SHA1 | 500e7d02ec258ac0b82aabc49236f5e373173b61 |
| SHA256 | ed054537934e1ed7698219315982213ae145985ecb1b40a0dc1a19b4108de7d0 |
| SHA512 | c6ea5e0bb4f25b2a2e9d9b5eabeb2a03b7145c434df77f31fb2b23b86d1a717026cf868e8ee7a556a9aac3aaeffdae522e9b54411b750353ac433a4c194ede3c |
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe
| MD5 | f01befc15bb2e0a9f54e427731e13ec1 |
| SHA1 | a0f32f1c63687fd678ac8ba9161cc345f809606f |
| SHA256 | d71f655ba364e807a234adf290ad48910c9bad749998ba512d72fca5777ce6a0 |
| SHA512 | 1648f12b2eed120e29e9fba1bc8a59ae8faa077336a33562de32fc5e5100d83bf574a858ba6f2aa62cce6aeb5c513c8dc3f69e2394bb6fc0618d1f07dcc2d9e9 |
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe
| MD5 | ccbede8d2869535347316a479f0b8095 |
| SHA1 | 1dd0e7574972260c77ca90638950d83c7b00d8f2 |
| SHA256 | afae663cab910a67e7fb519797ff385926b77ee59fa0e96e1853318146d2e179 |
| SHA512 | 9a0de846ced51215948a16300aec8aeb7cf0ef5c0005a3cb661fc27e85b5d25b3b3278e7c91fbedc9d0a1ec686fdcd8ff07f35b39931a7c28c8b2139dabf4456 |
memory/1068-13-0x0000000000AB0000-0x0000000000AED000-memory.dmp
memory/1068-11-0x0000000000AB0000-0x0000000000AED000-memory.dmp
memory/1068-15-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/2056-14-0x0000000000400000-0x000000000043D000-memory.dmp
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\T3YLJIMS.exe
| MD5 | c138cc7d4791df2d9930f063dfaccdc8 |
| SHA1 | 91baab622ac9dbaafff064c27281cf48ed6bee38 |
| SHA256 | c4266efc851f47068fa6afda4726e88ef55ace22f222f71d80fef8abcc22b9a8 |
| SHA512 | a572687fd1082c8601e481a51ac6bdd426cbc393789eee3a7a0a3996bff66dd15f3c98ec2826726239be6b66f6f81c07c17b2e030e3efd2131ac9718fcb5e91f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-25 05:54
Reported
2023-12-25 05:57
Platform
win10v2004-20231215-en
Max time kernel
139s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\[Hentai JOI] MrsNuzuki Patreon 2023.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\[Hentai JOI] MrsNuzuki Patreon 2023.exe
"C:\Users\Admin\AppData\Local\Temp\[Hentai JOI] MrsNuzuki Patreon 2023.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1648 -ip 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 992
Network
Files
memory/1648-2-0x0000000005320000-0x0000000005330000-memory.dmp
memory/1648-0-0x0000000000910000-0x0000000000986000-memory.dmp
memory/1648-1-0x0000000075060000-0x0000000075810000-memory.dmp
memory/1648-3-0x0000000075060000-0x0000000075810000-memory.dmp