Analysis

max time kernel: 118s
max time network: 133s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 27-12-2023 02:06

Static task: static1

Behavioral task: behavioral1
Sample: 9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe
Resource: win10v2004-20231215-en
General

Target: 9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe
Size: 5.7MB
MD5: efe42e097392ba07bdbc1b30ed12f46f
SHA1: 6e67c0ce64661b8f12c453d182fadcf9b81225b8
SHA256: 9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af
SHA512: 87147c5b0a5016d5a6f36e980cf294880a78ca3b3491ca1e90bd5664f3d6405da4259ae486544f7b355cf6e29eeb80273336b9f2fbb5928730eda3584b8a1005
SSDEEP: 12288:MPZV/cS4H8+Gc8DWKwJa8JdrBoyvCRH96m2iii2Tc:MRV2iWih
Malware Config

Extracted: marsstealer (Default)
Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.

Executes dropped EXE (1 IoC)
pid   process
2192  F1E8.exe

Loads dropped DLL (5 IoCs)
pid   process
1764  9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe
1764  9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe
2916  WerFault.exe
2916  WerFault.exe
2916  WerFault.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid   pid_target  process       target process
2916  2192        WerFault.exe  F1E8.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   process                                                                target process
PID 1764 wrote to memory of 2192  1764  9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe  F1E8.exe
PID 1764 wrote to memory of 2192  1764  9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe  F1E8.exe
PID 1764 wrote to memory of 2192  1764  9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe  F1E8.exe
PID 1764 wrote to memory of 2192  1764  9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe  F1E8.exe
PID 2192 wrote to memory of 2916  2192  F1E8.exe                                                               WerFault.exe
PID 2192 wrote to memory of 2916  2192  F1E8.exe                                                               WerFault.exe
PID 2192 wrote to memory of 2916  2192  F1E8.exe                                                               WerFault.exe
PID 2192 wrote to memory of 2916  2192  F1E8.exe                                                               WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe (PID 1764)
  "C:\Users\Admin\AppData\Local\Temp\9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Identities\F1E8.exe (PID 2192)
    "C:\Users\Admin\AppData\Roaming\Identities\F1E8.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 2916)
      C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 640
      - Loads dropped DLL
      - Program crash
      (Windows Error Reporting, launched for the crashing dropped payload F1E8.exe, PID 2192; see the Program crash signature above.)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Roaming\Identities\F1E8.exe
MD5     d41d8cd98f00b204e9800998ecf8427e
SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These four values are the digests of an empty, zero-byte file: F1E8.exe was recorded before any content had been written to it. They identify nothing and must not be used as indicators; use the two records below.)

\Users\Admin\AppData\Roaming\Identities\F1E8.exe
Filesize  98KB
MD5       13fe248a6a838a7a4161371922bd0f1c
SHA1      1fda5b3ec65694dea011c36142ffe758460fa6ff
SHA256    fbb62da950f9360bbba0be9d0c69d5589a32a804ba1cab6be48b2385a3df40ce
SHA512    bdd468354399154d57df93aeb853fe200b2632fb6255e86af3dd0ecbae5848caf1b428f6e68330280ca88134e075e7ccabe063ff5575411d83dd29f246a9650b

\Users\Admin\AppData\Roaming\Identities\F1E8.exe
Filesize  159KB
MD5       ccbede8d2869535347316a479f0b8095
SHA1      1dd0e7574972260c77ca90638950d83c7b00d8f2
SHA256    afae663cab910a67e7fb519797ff385926b77ee59fa0e96e1853318146d2e179
SHA512    9a0de846ced51215948a16300aec8aeb7cf0ef5c0005a3cb661fc27e85b5d25b3b3278e7c91fbedc9d0a1ec686fdcd8ff07f35b39931a7c28c8b2139dabf4456

memory/1764-0-0x0000000000330000-0x00000000003A4000-memory.dmp
Filesize  464KB

memory/1764-1-0x0000000074470000-0x0000000074B5E000-memory.dmp
Filesize  6.9MB

memory/1764-2-0x00000000047A0000-0x00000000047E0000-memory.dmp
Filesize  256KB

memory/1764-12-0x00000000005C0000-0x00000000005FD000-memory.dmp
Filesize  244KB

memory/1764-15-0x0000000074470000-0x0000000074B5E000-memory.dmp
Filesize  6.9MB

memory/1764-7-0x00000000005C0000-0x00000000005FD000-memory.dmp
Filesize  244KB

memory/2192-14-0x0000000000400000-0x000000000043D000-memory.dmp
Filesize  244KB
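The report's tables are easier to act on once the WriteProcessMemory rows are turned back into a writer chain and the Downloads records are filtered for the empty-file entry. The following Python is an added triage example, not code from the report or from any sandbox vendor: its input is constructed from the tables on this page (the eight WriteProcessMemory rows as the extracted page runs them together, the Processes tree and the three F1E8.exe download records), it assumes process image names contain no spaces, and the rule it applies (flag a written-to process whose image lives under AppData\Roaming) is one of my choosing, not the sandbox's signature logic.

```python
"""Triage helpers for a sandbox report of this shape (added example)."""
import hashlib
import re
from collections import defaultdict

SAMPLE = "9d15283240ff79899aeb0f2866c51b75d953e5c04a8069397734a3cb6aef87af.exe"

# Constructed: the report's eight WriteProcessMemory rows, run together the way
# the extracted page shows them (four identical rows per writer/target pair).
WPM_TABLE = " ".join(
    [f"PID 1764 wrote to memory of 2192 1764 {SAMPLE} F1E8.exe"] * 4
    + ["PID 2192 wrote to memory of 2916 2192 F1E8.exe WerFault.exe"] * 4
)

# Constructed from the Processes section: pid -> image path.
PROCESSES = {
    1764: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    2192: "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\F1E8.exe",
    2916: "C:\\Windows\\SysWOW64\\WerFault.exe",
}

# Constructed from the Downloads section (md5/sha256 only for the two full records).
DOWNLOADS = [
    {"md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"md5": "13fe248a6a838a7a4161371922bd0f1c",
     "sha256": "fbb62da950f9360bbba0be9d0c69d5589a32a804ba1cab6be48b2385a3df40ce"},
    {"md5": "ccbede8d2869535347316a479f0b8095",
     "sha256": "afae663cab910a67e7fb519797ff385926b77ee59fa0e96e1853318146d2e179"},
]

# One row: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_wpm(text):
    """Return (src_pid, src_image, dst_pid, dst_image) for every row in the flattened table."""
    rows = []
    for m in _ROW.finditer(text):
        src, dst, src_again, src_image, dst_image = m.groups()
        if src != src_again:  # the pid column repeats the writer pid; a mismatch means a mis-split row
            raise ValueError(f"inconsistent row: {m.group(0)!r}")
        rows.append((int(src), src_image, int(dst), dst_image))
    return rows


def writer_chain(rows):
    """Collapse the repeated rows and order the distinct writer->target pairs as a chain.

    The sandbox logs cross-process writes, not process creation, so this is the
    chain of writers; in this report it coincides with the parent chain in the
    Processes section. Assumes a linear chain (each pid writes to at most one
    other pid), which holds here.
    """
    targets = defaultdict(set)
    for src, _, dst, _ in rows:
        targets[src].add(dst)
    written_to = {d for ds in targets.values() for d in ds}
    roots = [p for p in targets if p not in written_to]
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, got {roots}")
    chain, pid = [roots[0]], roots[0]
    while pid in targets:
        (nxt,) = targets[pid]  # linear-chain assumption
        chain.append(nxt)
        pid = nxt
    return chain


def dropped_and_run_from_roaming(rows, processes):
    """(writer pid, target pid, target image) for each written-to process whose image
    lives under AppData\\Roaming. PID 1764 also runs from a user-writable path
    (%TEMP%), but only because the sandbox stages the submitted sample there."""
    hits = set()
    for src, _, dst, _ in rows:
        path = processes.get(dst, "")
        if "\\appdata\\roaming\\" in path.lower():
            hits.add((src, dst, path))
    return sorted(hits)


# Digests of zero bytes, computed rather than hard-coded.
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest()
                 for alg in ("md5", "sha1", "sha256", "sha512")}


def is_empty_file_record(record):
    """True when every digest in a Downloads record is the digest of zero bytes,
    i.e. the file was hashed before any content had been written to it."""
    return all(record[alg] == EMPTY_DIGESTS[alg] for alg in record)


def usable_indicators(records):
    """Drop empty-file records so only real file hashes reach a blocklist."""
    return [r for r in records if not is_empty_file_record(r)]


if __name__ == "__main__":
    rows = parse_wpm(WPM_TABLE)
    print("writer chain:", " -> ".join(str(p) for p in writer_chain(rows)))
    print("dropped and run from Roaming:", dropped_and_run_from_roaming(rows, PROCESSES))
    print("usable hash records:", len(usable_indicators(DOWNLOADS)), "of", len(DOWNLOADS))
```

Run as a script it reports the chain 1764 -> 2192 -> 2916, flags F1E8.exe (PID 2192) as the payload dropped into Roaming and written to by the sample, and keeps two of the three F1E8.exe hash records, discarding the zero-byte one. The writer chain is built from WriteProcessMemory events rather than from process creation, so on a report where a process writes into a process it did not spawn (classic injection) the chain and the process tree will differ; that difference is itself worth looking at.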