Analysis
- max time kernel: 0s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2023 02:10
Static task: static1
Behavioral task: behavioral1
- Sample: YoudaoDict.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: YoudaoDict.exe
- Resource: win10v2004-20231215-en
General
- Target: YoudaoDict.exe
- Size: 6.8MB
- MD5: ff3d9c5dcde804a90e862de9c1d32a8c
- SHA1: 04b0da40346d661a11e9e899daec104ee77c6606
- SHA256: a238bd522702802eb2a2b71b4b00a1a1553b1c2fff0d8b9e50b13e999cabbdf3
- SHA512: 288e716dd70bedd1cebdc7582f44d969050de9ffe387ae0b9363937fc41b62eedb1faba1fd0cead9a05ba96a880df4d00727e60cde2606a16849e8a5cf266ac3
- SSDEEP: 12288:IPvAXg30gk3yrkb+/nCSnilwUOSFaoAiTI2MHPwrQKUs6:IgpbOROQ3s6
Malware Config
Extracted
- Family: marsstealer
- Default: www.moscow-post.ru/ryuka/grocktack/fdzeiw.php
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description       | ioc                                                                                                               | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | YoudaoDict.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid  | process
  1440 | DIKKC5OC.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
  pid  | pid_target | process      | target process
  2980 | 1440       | WerFault.exe | DIKKC5OC.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                         | pid  | process        | target process
  PID 3052 wrote to memory of 1440    | 3052 | YoudaoDict.exe | DIKKC5OC.exe
  PID 3052 wrote to memory of 1440    | 3052 | YoudaoDict.exe | DIKKC5OC.exe
  PID 3052 wrote to memory of 1440    | 3052 | YoudaoDict.exe | DIKKC5OC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\YoudaoDict.exe
  "C:\Users\Admin\AppData\Local\Temp\YoudaoDict.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\DIKKC5OC.exe
    "C:\ProgramData\DIKKC5OC.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1400
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1440 -ip 1440
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\DIKKC5OC.exe
  Filesize: 159KB
  MD5: 355142538822114c3357d73d35769ff2
  SHA1: 85d6d7b919f60c39cc8a3d65bf574877c3a7590f
  SHA256: 4dc9b6823e021a19ff259c5f0fcc2a023b0dea26adde9e08f1278ba103fdd3cc
  SHA512: 9099f85fe484df4678e106373630427b8578d73bcea1bf7ba81eb9be4578d607acc50fa1ba97bd063edc1ed9bb27328552aabf2ca3dc0837841f348ceb7689e4
- C:\ProgramData\DIKKC5OC.exe
  Filesize: 107KB
  MD5: 578206cd1b1b036cb116a1dcdd798e10
  SHA1: bb351bfe9c103a9083f35e63ce56fc5f7e0491c5
  SHA256: 9348cc2a03eb994a614cf5bb0b4160ca86deb2ca0168267a01de2edeb96ed7ec
  SHA512: de2eeb14ce406ac668070687e785dfe154379da30f91295fe22e43abc7e7552ca6a0da48d6436c7abf772165b4d5ce71893548fe7e1b36fd917342374d7bcfbd
- memory/1440-11-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/1440-14-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/3052-1-0x0000000074920000-0x00000000750D0000-memory.dmp
  Filesize: 7.7MB
- memory/3052-0-0x0000000000480000-0x0000000000508000-memory.dmp
  Filesize: 544KB
- memory/3052-12-0x0000000074920000-0x00000000750D0000-memory.dmp
  Filesize: 7.7MB