Analysis
- max time kernel: 118s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27-12-2023 01:23
Static task: static1
Behavioral task: behavioral1
- Sample: 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe
- Resource: win10v2004-20231215-en
General
- Target: 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe
- Size: 13.4MB
- MD5: 6e08d023664e3f4e835ec3ec198b883a
- SHA1: 43f2f3321a51f1ca308af891d2e1dbaaee48b045
- SHA256: 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad
- SHA512: 41d44ed76ecda43eab891a2e07cb43481478c39797e44ed017654a8bca346b90bfcf4f444532d8e9765173c2e9b26d5f524fe42ec9a7830230fedbe21f9e0ec1
- SSDEEP: 12288:bu5DqC9/n1D0jAV8eCeoIl1TroJMExsi+vakV7tbQ3KtwU:buDXVsUThTFyJm
Malware Config
- Extracted: marsstealer (Default)
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoC)
  Processes:
  pid  | process
  2416 | YUSJMSMPGEMLF.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  pid  | process
  2500 | 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe
  2500 | 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe
  2952 | WerFault.exe
  2952 | WerFault.exe
  2952 | WerFault.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
  pid  | pid_target | process      | target process
  2952 | 2416       | WerFault.exe | YUSJMSMPGEMLF.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                      | pid  | process                                                               | target process
  PID 2500 wrote to memory of 2416 | 2500 | 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe | YUSJMSMPGEMLF.exe
  PID 2500 wrote to memory of 2416 | 2500 | 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe | YUSJMSMPGEMLF.exe
  PID 2500 wrote to memory of 2416 | 2500 | 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe | YUSJMSMPGEMLF.exe
  PID 2500 wrote to memory of 2416 | 2500 | 791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe | YUSJMSMPGEMLF.exe
  PID 2416 wrote to memory of 2952 | 2416 | YUSJMSMPGEMLF.exe                                                     | WerFault.exe
  PID 2416 wrote to memory of 2952 | 2416 | YUSJMSMPGEMLF.exe                                                     | WerFault.exe
  PID 2416 wrote to memory of 2952 | 2416 | YUSJMSMPGEMLF.exe                                                     | WerFault.exe
  PID 2416 wrote to memory of 2952 | 2416 | YUSJMSMPGEMLF.exe                                                     | WerFault.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\ProgramData\Start Menu\YUSJMSMPGEMLF.exe
    Command line: "C:\ProgramData\Start Menu\YUSJMSMPGEMLF.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 816
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \ProgramData\Microsoft\Windows\Start Menu\YUSJMSMPGEMLF.exe
  Filesize: 92KB
  MD5: 70e3573f8dfa1850335423a21c5648de
  SHA1: b2d08897553dcc4dafaed402d048cdce785b14b7
  SHA256: 024fb985e743c8a363a39357a35685251916b80b837bdc903a2adc150d488676
  SHA512: 2b77716b7e77ab5c84977488d276e8553001336f65c7f6e1fd9ef6329f64b93bc130d773cc9652849454d13d26529b73ed10b0887a7005c2cd964b71d992dcc9
- \ProgramData\Microsoft\Windows\Start Menu\YUSJMSMPGEMLF.exe
  Filesize: 159KB
  MD5: a103174262d8c3fd501ffb95323c60b1
  SHA1: e40f0dd566ba3d50886d3f9e82bf2c108370d62b
  SHA256: bc65e75fcfee4ff9655005f8496f7c86feb892f0caec33c2208e8381cb967248
  SHA512: a023dd3997474d427d963a23ccbe7091fdda53d8fde1e1c43eb2e67090a27bd1b0f9eee08757993125cfe10683c38ab0db2194a5847ff51e39d636357c381da2
- memory/2416-13-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/2500-0-0x00000000747B0000-0x0000000074E9E000-memory.dmp
  Filesize: 6.9MB
- memory/2500-1-0x00000000011E0000-0x0000000001262000-memory.dmp
  Filesize: 520KB
- memory/2500-2-0x0000000004E10000-0x0000000004E50000-memory.dmp
  Filesize: 256KB
- memory/2500-6-0x0000000000A50000-0x0000000000A8D000-memory.dmp
  Filesize: 244KB
- memory/2500-12-0x0000000000A50000-0x0000000000A8D000-memory.dmp
  Filesize: 244KB
- memory/2500-14-0x00000000747B0000-0x0000000074E9E000-memory.dmp
  Filesize: 6.9MB