Overview

overview

10

Static

static

3

360TS_Setup_Mini.exe

windows7-x64

7

360TS_Setup_Mini.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-04-2024 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    360TS_Setup_Mini.exe

  • Size

    2.1MB

  • MD5

    33b96fcceb00475b31415e2a2fe17ac5

  • SHA1

    b9412d4157d27757d173838e702044a270fc5c8d

  • SHA256

    24adb4992ad63d101916088a48eaeb5f62a7a1ef35a28a02c0d34d0fab51e910

  • SHA512

    1986c7951f0892f3c0a582bff8c5c7a92a146e84aeaa9030082e2bfaf159e01f349b759bbf48fa6d0e78a9edb20731f07fd4a374930f127ba817eeae96893c94

  • SSDEEP

    12288:4dlcbU3ucnv02SS8M9zNYhZB2/FoooEeBHoUojP:4vDb928tFWB4P

Score
10/10
marsstealerdefaultspywarestealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

C2

kenesrakishev.net/wp-includes/pomo/po.php

Signatures

  • Mars Stealer

    An infostealer written in C++ based on other infostealers.

    stealermarsstealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe
    "C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Users\Admin\AppData\Local\Temp\.exe
      "C:\Users\Admin\AppData\Local\Temp\.exe"
      2⤵
      • Executes dropped EXE
      PID:4964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1844
        3⤵
        • Program crash
        PID:2580
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4964 -ip 4964
    1⤵
      PID:4408

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\.exe
      Filesize

      159KB

      MD5

      a189002dc2c26fe21a7d25d171e71699

      SHA1

      ee96ca8dfd8fa8e04754936b5a8205ed68869fef

      SHA256

      26838d9cf197e16a55066ad6fa480d510f249e587143c232cd2176f3f3785b67

      SHA512

      00ebc62424e78aef56ed4b0e94ae2b924185e8dfe61e2eb982e93ebec371f71719f7be59e687e0f233eb84de88e98086ce211e4b6c5bd83106d1e6ff0b970321

      Download Submit
    • memory/3508-0-0x0000000000EF0000-0x0000000000F98000-memory.dmp
      Filesize

      672KB

      Download
    • memory/3508-1-0x00000000752D0000-0x0000000075A80000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3508-12-0x00000000752D0000-0x0000000075A80000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4964-10-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize

      244KB

      Download
    • memory/4964-20-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize

      244KB

      Download