Analysis
- max time kernel: 128s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2023 09:33
Static task: static1
Behavioral task: behavioral1
  Sample: ARK_Trainer_v0.9.9.9.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: ARK_Trainer_v0.9.9.9.exe
  Resource: win10v2004-20231215-en
General
- Target: ARK_Trainer_v0.9.9.9.exe
- Size: 8.7MB
- MD5: 185eb9ebbb379bf2b5dd37e5ed92eee1
- SHA1: d9da98bcb2259cb1da248267d1568c3cec591fae
- SHA256: 21a174a42902e4e830e224ea8943c76f1a0730edafa280a99b09b5597c96af95
- SHA512: 45e9cbefef733d17c807e7f316f8be3f464c64008356eaa198802845f450b94f09f8cd2a529941ac57f4a78d5e5c98779d0900d23840ed865859e065ad1a56cc
- SSDEEP: 12288:FSooBq+S++WsHX+sFICSPSrmjwoCah2mVZ6B7AnebCaLvi4mWY:NYN+SPYK9neSW
Malware Config
- Extracted: marsstealer (config: Default)
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2592  M4YI91.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    PID 2596  ARK_Trainer_v0.9.9.9.exe
    PID 2596  ARK_Trainer_v0.9.9.9.exe
    PID 812   WerFault.exe
    PID 812   WerFault.exe
    PID 812   WerFault.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    PID 812 (WerFault.exe) reported a crash of target PID 2592 (M4YI91.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (source PID, source process -> target PID, target process):
    PID 2596  ARK_Trainer_v0.9.9.9.exe  wrote to memory of  PID 2592  M4YI91.exe
    PID 2596  ARK_Trainer_v0.9.9.9.exe  wrote to memory of  PID 2592  M4YI91.exe
    PID 2596  ARK_Trainer_v0.9.9.9.exe  wrote to memory of  PID 2592  M4YI91.exe
    PID 2596  ARK_Trainer_v0.9.9.9.exe  wrote to memory of  PID 2592  M4YI91.exe
    PID 2592  M4YI91.exe                wrote to memory of  PID 812   WerFault.exe
    PID 2592  M4YI91.exe                wrote to memory of  PID 812   WerFault.exe
    PID 2592  M4YI91.exe                wrote to memory of  PID 812   WerFault.exe
    PID 2592  M4YI91.exe                wrote to memory of  PID 812   WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ARK_Trainer_v0.9.9.9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ARK_Trainer_v0.9.9.9.exe"
   PID: 2596
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\M4YI91.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\M4YI91.exe"
      PID: 2592
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 816
         PID: 812
         - Loads dropped DLL
         - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\M4YI91.exe
  Filesize: 159KB
  MD5: 80ffae827667bd2a86cc1d1b17745ba3
  SHA1: dae012b46c61ce189319b7d04a7d405db3f733f2
  SHA256: dd9285cabf5ff86f34600c4b947c5cb2d442fed6391b14b52c6f0c94c8fff276
  SHA512: 4ac4ecbd086bd340879676f2c7d3d83b684f0c3ba688dc9a289910c531b1d90ad67c34fc799c51a65c1339d52533aacaed117eedd847fa024232b882908c9442
- memory/2592-14-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/2596-0-0x0000000000880000-0x000000000090E000-memory.dmp
  Filesize: 568KB
- memory/2596-1-0x0000000074D70000-0x000000007545E000-memory.dmp
  Filesize: 6.9MB
- memory/2596-2-0x00000000049F0000-0x0000000004A30000-memory.dmp
  Filesize: 256KB
- memory/2596-11-0x00000000044E0000-0x000000000451D000-memory.dmp
  Filesize: 244KB
- memory/2596-13-0x00000000044E0000-0x000000000451D000-memory.dmp
  Filesize: 244KB
- memory/2596-15-0x0000000074D70000-0x000000007545E000-memory.dmp
  Filesize: 6.9MB