Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06-04-2024 22:17
Static task
static1
Behavioral task
behavioral1
Sample
360TS_Setup_Mini.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
360TS_Setup_Mini.exe
Resource
win10v2004-20240226-en
General
-
Target
360TS_Setup_Mini.exe
-
Size
2.1MB
-
MD5
33b96fcceb00475b31415e2a2fe17ac5
-
SHA1
b9412d4157d27757d173838e702044a270fc5c8d
-
SHA256
24adb4992ad63d101916088a48eaeb5f62a7a1ef35a28a02c0d34d0fab51e910
-
SHA512
1986c7951f0892f3c0a582bff8c5c7a92a146e84aeaa9030082e2bfaf159e01f349b759bbf48fa6d0e78a9edb20731f07fd4a374930f127ba817eeae96893c94
-
SSDEEP
12288:4dlcbU3ucnv02SS8M9zNYhZB2/FoooEeBHoUojP:4vDb928tFWB4P
Malware Config
Extracted
marsstealer
Default
kenesrakishev.net/wp-includes/pomo/po.php
Signatures
-
Mars Stealer
An infostealer written in C++ based on other infostealers.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
360TS_Setup_Mini.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation 360TS_Setup_Mini.exe -
Executes dropped EXE 1 IoCs
Processes:
.exepid process 4964 .exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2580 4964 WerFault.exe .exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
360TS_Setup_Mini.exedescription pid process target process PID 3508 wrote to memory of 4964 3508 360TS_Setup_Mini.exe .exe PID 3508 wrote to memory of 4964 3508 360TS_Setup_Mini.exe .exe PID 3508 wrote to memory of 4964 3508 360TS_Setup_Mini.exe .exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\.exe"C:\Users\Admin\AppData\Local\Temp\.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 18443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4964 -ip 49641⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\.exeFilesize
159KB
MD5a189002dc2c26fe21a7d25d171e71699
SHA1ee96ca8dfd8fa8e04754936b5a8205ed68869fef
SHA25626838d9cf197e16a55066ad6fa480d510f249e587143c232cd2176f3f3785b67
SHA51200ebc62424e78aef56ed4b0e94ae2b924185e8dfe61e2eb982e93ebec371f71719f7be59e687e0f233eb84de88e98086ce211e4b6c5bd83106d1e6ff0b970321
-
memory/3508-0-0x0000000000EF0000-0x0000000000F98000-memory.dmpFilesize
672KB
-
memory/3508-1-0x00000000752D0000-0x0000000075A80000-memory.dmpFilesize
7.7MB
-
memory/3508-12-0x00000000752D0000-0x0000000075A80000-memory.dmpFilesize
7.7MB
-
memory/4964-10-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/4964-20-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB