Analysis
- max time kernel: 142s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-01-2024 15:21
Static task: static1
Behavioral task: behavioral1
- Sample: YoudaoDictexe.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: YoudaoDictexe.exe
- Resource: win10v2004-20231215-en
General
- Target: YoudaoDictexe.exe
- Size: 6.8MB
- MD5: ff3d9c5dcde804a90e862de9c1d32a8c
- SHA1: 04b0da40346d661a11e9e899daec104ee77c6606
- SHA256: a238bd522702802eb2a2b71b4b00a1a1553b1c2fff0d8b9e50b13e999cabbdf3
- SHA512: 288e716dd70bedd1cebdc7582f44d969050de9ffe387ae0b9363937fc41b62eedb1faba1fd0cead9a05ba96a880df4d00727e60cde2606a16849e8a5cf266ac3
- SSDEEP: 12288:IPvAXg30gk3yrkb+/nCSnilwUOSFaoAiTI2MHPwrQKUs6:IgpbOROQ3s6
Malware Config
Extracted
- Family: marsstealer
- Botnet: Default
- C2: www.moscow-post.ru/ryuka/grocktack/fdzeiw.php
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation
    process: YoudaoDictexe.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid 4680, process .exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    pid 5032, pid_target 4680, process WerFault.exe, target process .exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 2168 wrote to memory of 4680: YoudaoDictexe.exe -> .exe
    PID 2168 wrote to memory of 4680: YoudaoDictexe.exe -> .exe
    PID 2168 wrote to memory of 4680: YoudaoDictexe.exe -> .exe
Processes
- C:\Users\Admin\AppData\Local\Temp\YoudaoDictexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\YoudaoDictexe.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\.exe
    Command line: "C:\ProgramData\.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1376
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4680 -ip 4680
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\ProgramData\.exe
  Filesize: 159KB
  MD5: 355142538822114c3357d73d35769ff2
  SHA1: 85d6d7b919f60c39cc8a3d65bf574877c3a7590f
  SHA256: 4dc9b6823e021a19ff259c5f0fcc2a023b0dea26adde9e08f1278ba103fdd3cc
  SHA512: 9099f85fe484df4678e106373630427b8578d73bcea1bf7ba81eb9be4578d607acc50fa1ba97bd063edc1ed9bb27328552aabf2ca3dc0837841f348ceb7689e4
- memory/2168-1-0x0000000074550000-0x0000000074D00000-memory.dmp
  Filesize: 7.7MB
- memory/2168-0-0x0000000000D60000-0x0000000000DE8000-memory.dmp
  Filesize: 544KB
- memory/2168-12-0x0000000074550000-0x0000000074D00000-memory.dmp
  Filesize: 7.7MB
- memory/4680-10-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/4680-14-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB