Analysis
- max time kernel: 139s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 15:41
Static task
- static1
Behavioral task
- behavioral1: sample deeplsetup64.exe, resource win7-20240221-en
Behavioral task
- behavioral2: sample deeplsetup64.exe, resource win10v2004-20240226-en
General
- Target: deeplsetup64.exe
- Size: 14.5MB
- MD5: 1dba954b14bc941c13917462e368c560
- SHA1: ab9eaf52b10a9d270ba0776087456f55ca10c447
- SHA256: 5e1aba37fd2ab19677b7a59505924bf18d8809037cbbf50b7b22c4a74b421396
- SHA512: e952f7d9fdfc63233ed2592251c68d6bb631b80d586a8349731f858e8c4dca266a91c4db2a042df2accdab30044d3f4b5a3517d0ec1f130080609007ef268167
- SSDEEP: 12288:Mi2f75WQGH5Tua5O7g8+V9rI0djHf1lwNfUNq71j8/37vXu:V8YZO2j3I0dP7P
Malware Config
Extracted
- family: marsstealer
- botnet: Default
- C2: kenesrakishev.net/wp-includes/pomo/po.php
Signatures
- Mars Stealer
  An infostealer written in C++, based on other infostealers.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence (the key is the per-user Geo\Nation value under the user's SID hive).
  Processes:
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation
    process: deeplsetup64.exe
- Executes dropped EXE (1 IoC)
  Processes:
  - pid: 564
    process: 3.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar profile data.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes:
  - pid: 3324, pid_target: 564, process: WerFault.exe, target process: 3.exe
  - pid: 1936, pid_target: 564, process: WerFault.exe, target process: 3.exe
- Suspicious use of WriteProcessMemory (6 IoCs; the sandbox reports each write three times)
  Processes:
  - description: PID 1588 wrote to memory of 564, pid: 1588, process: deeplsetup64.exe, target process: 3.exe
  - description: PID 1588 wrote to memory of 564, pid: 1588, process: deeplsetup64.exe, target process: 3.exe
  - description: PID 1588 wrote to memory of 564, pid: 1588, process: deeplsetup64.exe, target process: 3.exe
  - description: PID 564 wrote to memory of 3324, pid: 564, process: 3.exe, target process: WerFault.exe
  - description: PID 564 wrote to memory of 3324, pid: 564, process: 3.exe, target process: WerFault.exe
  - description: PID 564 wrote to memory of 3324, pid: 564, process: 3.exe, target process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\deeplsetup64.exe (PID 1588)
  "C:\Users\Admin\AppData\Local\Temp\deeplsetup64.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\3.exe (PID 564)
    "C:\ProgramData\3.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1844
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1844
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 564 -ip 564
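The WriteProcessMemory and Program crash tables above are the part of this report worth turning into triage logic: the installer in %TEMP% writes into the executable it just dropped to C:\ProgramData, and that dropped executable then crashes and hands off to WerFault. The script below is an added example (not part of the sandbox report, and not code from the Mars Stealer sample); it parses the report's own IoC lines, collapses the repeated rows into counted edges, and classifies each cross-process write. The input strings are copied from the tables above, the PID-to-image map is taken from the process list, and the list of "staging" directories is an assumption.

```python
"""Triage helper for the WriteProcessMemory / Program crash IoCs of a sandbox
report.  Added example: input lines are copied from the report's tables; the
STAGING_DIRS list is an assumption, not something the report states."""
import re
from collections import defaultdict

# Constructed: the six "Suspicious use of WriteProcessMemory" IoC rows
# (columns: description, pid, process, target process), as the sandbox emitted them.
WPM_IOCS = """\
PID 1588 wrote to memory of 564 1588 deeplsetup64.exe 3.exe
PID 1588 wrote to memory of 564 1588 deeplsetup64.exe 3.exe
PID 1588 wrote to memory of 564 1588 deeplsetup64.exe 3.exe
PID 564 wrote to memory of 3324 564 3.exe WerFault.exe
PID 564 wrote to memory of 3324 564 3.exe WerFault.exe
PID 564 wrote to memory of 3324 564 3.exe WerFault.exe
"""

# Constructed: the "Program crash" IoC rows (columns: pid, pid_target, process, target process).
CRASH_IOCS = """\
3324 564 WerFault.exe 3.exe
1936 564 WerFault.exe 3.exe
"""

# Constructed from the report's process list: pid -> image path.
PROCESSES = {
    1588: r"C:\Users\Admin\AppData\Local\Temp\deeplsetup64.exe",
    564:  r"C:\ProgramData\3.exe",
    3324: r"C:\Windows\SysWOW64\WerFault.exe",
    1936: r"C:\Windows\SysWOW64\WerFault.exe",
}

# Assumption: user-writable directories where a legitimate installer should not
# be staging and launching executables.
STAGING_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CRASH_RE = re.compile(r"^(\d+) (\d+) (\S+) (\S+)$")


def parse_wpm(text):
    """Collapse repeated IoC rows into {(writer_pid, target_pid): count}."""
    edges = defaultdict(int)
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(edges)


def parse_crashes(text):
    """Return {crashed_pid: [werfault_pid, ...]} from the Program crash rows."""
    crashes = defaultdict(list)
    for line in text.splitlines():
        m = CRASH_RE.match(line.strip())
        if m and m.group(3).lower() == "werfault.exe":
            crashes[int(m.group(2))].append(int(m.group(1)))
    return dict(crashes)


def is_staged(path):
    """True if the image lives in one of the assumed staging directories."""
    return any(d in path.lower() for d in STAGING_DIRS)


def triage(edges, crashes, processes):
    """Classify each cross-process write.  A write whose target is WerFault is
    the normal crash handoff; a write from one staged binary into another one
    is the shape of a loader/hollowing chain and is flagged for review."""
    findings = []
    for (src, dst), n in sorted(edges.items()):
        src_img = processes.get(src, "")
        dst_img = processes.get(dst, "")
        if dst_img.lower().endswith("\\werfault.exe"):
            findings.append(("crash-handoff", src, dst, n))
        elif is_staged(src_img) and is_staged(dst_img):
            findings.append(("staged-to-staged-write", src, dst, n))
        else:
            findings.append(("other-write", src, dst, n))
    for pid, reporters in crashes.items():
        if is_staged(processes.get(pid, "")):
            findings.append(("dropped-exe-crashed", pid, tuple(reporters), len(reporters)))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_wpm(WPM_IOCS), parse_crashes(CRASH_IOCS), PROCESSES):
        print(finding)
```

On this report the output is one flagged write (1588 into 564, seen three times), one crash handoff (564 into 3324), and one note that the dropped C:\ProgramData\3.exe crashed twice. The "crash-handoff" class exists so that WerFault noise does not drown the real signal; the write from the installer into the freshly dropped binary is the row to chase, together with the two 244KB dumps of PID 564's image region listed under Downloads.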
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\ProgramData\3.exe
  Filesize: 159KB
  MD5: 1a9fa43be1579005d913413d18f047b7
  SHA1: a92faa80014713989cd2c527d0bc7dd0991d90a4
  SHA256: 30a9559298fd9d27a75bd6b5a73b762ac997992f677a0081d7fb87b74c00eff1
  SHA512: e52d2f06d9a424e0ded2943e43d07e8ac40ee85f8cb10c90d88abf7482046f38c2d8580055cf211094f1274c930061c889480ffade363cf1b6eee57def259dbd
- memory/564-10-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/564-21-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/1588-0-0x0000000000920000-0x00000000009BC000-memory.dmp
  Filesize: 624KB
- memory/1588-1-0x0000000074690000-0x0000000074E40000-memory.dmp
  Filesize: 7.7MB
- memory/1588-2-0x0000000005480000-0x0000000005490000-memory.dmp
  Filesize: 64KB
- memory/1588-13-0x0000000074690000-0x0000000074E40000-memory.dmp
  Filesize: 7.7MB