Analysis
- max time kernel: 17s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2023 09:48
Static task: static1

Behavioral task: behavioral1
- Sample: l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe
- Resource: win10v2004-20231222-en
General
- Target: l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe
- Size: 13.4MB
- MD5: 6e08d023664e3f4e835ec3ec198b883a
- SHA1: 43f2f3321a51f1ca308af891d2e1dbaaee48b045
- SHA256: 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad
- SHA512: 41d44ed76ecda43eab891a2e07cb43481478c39797e44ed017654a8bca346b90bfcf4f444532d8e9765173c2e9b26d5f524fe42ec9a7830230fedbe21f9e0ec1
- SSDEEP: 12288:bu5DqC9/n1D0jAV8eCeoIl1TroJMExsi+vakV7tbQ3KtwU:buDXVsUThTFyJm
Malware Config
Extracted
marsstealer
Default
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoC)
  Processes: PID 2932 WM0OJO.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 2232 l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe (2 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes: PID 2612 WerFault.exe, target PID 2932 WM0OJO.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 2232 l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe wrote to memory of PID 2932 WM0OJO.exe (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\l81rhzIPTizNWD6pnZPRSFEDal16Xy1T.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe"
      - Executes dropped EXE
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 800
         - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
  Filesize: 4KB
  MD5: eb0680504d3ca22008b08327a8ce09e3
  SHA1: 47b07970c240192169eac937472f751f1fd9e0e3
  SHA256: ebb307a6e265896dd577b4c3d4b63ccbf80bf8110f26a3fc187d2ce5a8791d0d
  SHA512: 193ebf150b55c6bee9546ca156e9922154b05a38a72745fb4745ab7d5a070ea70ecb7e38ebefce734a0a5d6ae6b39cfa9d421fa0d0e8a8408d81edc5ec403433
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
  Filesize: 40KB
  MD5: d8b98e538a7ad708e9893690f7252dda
  SHA1: 08926028284abc88850b64f88204dccd904c55c8
  SHA256: e1518570b9e396a706e70e696df42b136152a3300a9b81c3db3776a170d0bb39
  SHA512: 5139b442f57f09e03d9f64aa3749633f55ec2f8519d91ff4a422f675d90f1d8adcc6d5414913ab76557dbff933e7b7e86a4de819cb76a79c8b73b125f563e644
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
  Filesize: 24KB
  MD5: 2b782fa3b96d1f18854bdeb7a27ed072
  SHA1: 14f3d5bdcf8b6ece779080ec117f42f61adc70d0
  SHA256: d713131c5f5e891e65c017bbcb170e4e8d11eb378fcbfad2b5e756cfea96ff21
  SHA512: 21f0d40abde26c3c5145db8c32f496524d94dd1caea97c830d80462fbdb0053be641de8aa91aa98ed4ff1028c6ed0d0d59222cf04105c67f6783c7d4aea82430
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
  Filesize: 1KB
  MD5: 353dabf9e73014ad17d3c4378b48d19e
  SHA1: d42a1496d8c4bc2132cb171f197cc0de7e069aa6
  SHA256: 7320fcdbb7d6ea774b5c205d641540d6f6004dfc2d32e3c633aedd791709678c
  SHA512: de4436c05e20b3cfb5ca08f6bac180772aed3597cabfd0a0da684193dcf25f86a0d75d42efa3bcc1c5a55a2912ab41000089be71b135d473776cf06925be8a9a
- \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\WM0OJO.exe
  Filesize: 31KB
  MD5: 9f40bba758dc19efb74aee4e523bf8e7
  SHA1: bc373de4b456bf1747967dd20795f852e6d391a0
  SHA256: 533e61db7deeffa08935680a558d48a34d74326047ec045aaf00a77b9e432781
  SHA512: af5ee8576938638b121678e69734198a2873d651dd71916768f4e0f15230c2828b09559103ff8b43e4b4d1ce9de212199c9cefa3f795f6d584742af17a6aeb3d
- memory/2232-0-0x0000000000E30000-0x0000000000EB2000-memory.dmp
  Filesize: 520KB
- memory/2232-1-0x0000000074170000-0x000000007485E000-memory.dmp
  Filesize: 6.9MB
- memory/2232-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp
  Filesize: 256KB
- memory/2232-13-0x0000000074170000-0x000000007485E000-memory.dmp
  Filesize: 6.9MB
- memory/2932-12-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB