Analysis

- max time kernel: 154s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2023 09:11
Static task
- static1

Behavioral task
- behavioral1
  Sample: Valentina Studio Pro v13.7.exe
  Resource: win7-20231215-en

Behavioral task
- behavioral2
  Sample: Valentina Studio Pro v13.7.exe
  Resource: win10v2004-20231215-en
General

- Target: Valentina Studio Pro v13.7.exe
- Size: 11.7MB
- MD5: 6c23d52006da52904f755c8268d29ffc
- SHA1: 8d770ad326a02692e7a223749128d402af94e1a7
- SHA256: d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd
- SHA512: ae64700be9120d3b4e8b1dc0a94ad4131726d72bd92433461e2af505df67e89bf1e3d62d1b47dd6b632dc087dcea5d15ddcad03fa3956379efc854d0d72bd9b3
- SSDEEP: 12288:Fkbo4c5w0lRq+x83dhmNml3pPw1WIzWTbel9BfrmjsN/pf7Rm:3gqbsmVBfyoN/y
Malware Config

Extracted
- Family: marsstealer
- Default: www.moscow-post.ru/bark/wpadmin/admin.php
Signatures

- Mars Stealer
  An infostealer written in C++ based on other infostealers.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation
    process: Valentina Studio Pro v13.7.exe

- Executes dropped EXE (1 IoC)
  Processes:
    pid: 1364
    process: 25BGMDG1FUA.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  Processes:
    pid: 4836
    pid_target: 1364
    process: WerFault.exe
    target process: 25BGMDG1FUA.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 2040 wrote to memory of 1364 | pid: 2040 | process: Valentina Studio Pro v13.7.exe | target process: 25BGMDG1FUA.exe
    description: PID 2040 wrote to memory of 1364 | pid: 2040 | process: Valentina Studio Pro v13.7.exe | target process: 25BGMDG1FUA.exe
    description: PID 2040 wrote to memory of 1364 | pid: 2040 | process: Valentina Studio Pro v13.7.exe | target process: 25BGMDG1FUA.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Valentina Studio Pro v13.7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Valentina Studio Pro v13.7.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - C:\ProgramData\25BGMDG1FUA.exe
    Command line: "C:\ProgramData\25BGMDG1FUA.exe"
    - Executes dropped EXE

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1360
      - Program crash

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1364 -ip 1364
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\ProgramData\25BGMDG1FUA.exe
  Filesize: 159KB
  MD5: e639201bf0d332f8965649ec7de96c40
  SHA1: 6047898d098c27c9e24e9e21310ecd2fd6a7dc20
  SHA256: fcecfe186349fb25b733b526b9259dec1bd3a3bd94a7cd5015a3b890e371f7fb
  SHA512: 73d010ce917f0827bb1266a1178c026aa6602675788163c38dd9d46ce9f558b855c2ad5bfd70db84e8b58deb241c64050f2dc472c532dbd2453155e569a24b45

- memory/1364-10-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB

- memory/1364-15-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB

- memory/2040-0-0x0000000074A10000-0x00000000751C0000-memory.dmp
  Filesize: 7.7MB

- memory/2040-1-0x0000000000B10000-0x0000000000BBA000-memory.dmp
  Filesize: 680KB

- memory/2040-2-0x0000000005570000-0x0000000005580000-memory.dmp
  Filesize: 64KB

- memory/2040-13-0x0000000074A10000-0x00000000751C0000-memory.dmp
  Filesize: 7.7MB