Analysis
max time kernel: 120s
max time network: 136s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-04-2024 22:23
Static task: static1
Behavioral task: behavioral1
  Sample: COBRA election-notice.pdf.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: COBRA election-notice.pdf.exe
  Resource: win10v2004-20240226-en
General
Target: COBRA election-notice.pdf.exe
Size: 8.8MB
MD5: 979d0840f1018723a0c2f1b38e053a87
SHA1: bc00bc18122b597d5484d05f6f1df694fa9f9f64
SHA256: 17ad92c5d4b0707380de23f0dc97a7d50319d3f332be6a6d9cf30d239d49f744
SHA512: 2f6c2f764e0a9e057c25e32911721f47872e76b2cb9320342b7c221d088dab95806fc2d4499fa4151a508dc3a6fc35966d55410b6d53851cc1a382ad7c775729
SSDEEP: 12288:u7WDZ2e76xWryJabHBAWAzADGBUghdvfKKmWe4b3hZ1I/p1LBaYXK:V8IKLJZZ1I/pu
Malware Config
Extracted: marsstealer, Default
Signatures
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2852 | F5BQ3N.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  pid | process
  1760 | COBRA election-notice.pdf.exe
  1760 | COBRA election-notice.pdf.exe
  820 | WerFault.exe
  820 | WerFault.exe
  820 | WerFault.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  820 | 2852 | WerFault.exe | F5BQ3N.exe
- Modifies registry class (1 IoC)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\Local Settings\MuiCache | F5BQ3N.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 1760 wrote to memory of 2852 | 1760 | COBRA election-notice.pdf.exe | F5BQ3N.exe
  PID 1760 wrote to memory of 2852 | 1760 | COBRA election-notice.pdf.exe | F5BQ3N.exe
  PID 1760 wrote to memory of 2852 | 1760 | COBRA election-notice.pdf.exe | F5BQ3N.exe
  PID 1760 wrote to memory of 2852 | 1760 | COBRA election-notice.pdf.exe | F5BQ3N.exe
  PID 2852 wrote to memory of 820 | 2852 | F5BQ3N.exe | WerFault.exe
  PID 2852 wrote to memory of 820 | 2852 | F5BQ3N.exe | WerFault.exe
  PID 2852 wrote to memory of 820 | 2852 | F5BQ3N.exe | WerFault.exe
  PID 2852 wrote to memory of 820 | 2852 | F5BQ3N.exe | WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\COBRA election-notice.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\COBRA election-notice.pdf.exe"
  PID: 1760
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Low\F5BQ3N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Low\F5BQ3N.exe"
    PID: 2852
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1400
      PID: 820
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 159KB
MD5: f07befa95b54aa2cd90cfbbfdb9d0942
SHA1: 91c44a024b214e656c4279d1223a7beffeef129f
SHA256: d9f52689efae410865d403b2707f5319b99c2985aed876254141fa7a7699e7e3
SHA512: a8b5daf2b7d0b3cec0841953c00e9a58a08373af844ebaf37ada66a260dad9002fb99edb0673388cb9a5544a2908faab09d544cf5099554303cc2da9f4de46b6