Analysis Overview
SHA256
3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255
Threat Level: Known bad
The file 3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe was found to be: Known bad.
Malicious Activity Summary
Mars Stealer
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-17 01:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 01:17
Reported
2024-04-17 01:20
Platform
win7-20231129-en
Max time kernel
142s
Max time network
143s
Command Line
Signatures
Mars Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Identities\PO1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2180 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe | C:\Users\Admin\AppData\Roaming\Identities\PO1.exe |
| PID 2180 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe | C:\Users\Admin\AppData\Roaming\Identities\PO1.exe |
| PID 2180 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe | C:\Users\Admin\AppData\Roaming\Identities\PO1.exe |
| PID 2180 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe | C:\Users\Admin\AppData\Roaming\Identities\PO1.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe
"C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe"
C:\Users\Admin\AppData\Roaming\Identities\PO1.exe
"C:\Users\Admin\AppData\Roaming\Identities\PO1.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | kenesrakishev.net | udp |
| US | 173.201.180.75:80 | kenesrakishev.net | tcp |
| US | 173.201.180.75:80 | kenesrakishev.net | tcp |
| US | 173.201.180.75:80 | kenesrakishev.net | tcp |
Files
memory/2180-0-0x0000000000D40000-0x0000000000DB6000-memory.dmp
memory/2180-1-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/2180-2-0x0000000004C40000-0x0000000004C80000-memory.dmp
\Users\Admin\AppData\Roaming\Identities\PO1.exe
| Hash | Value |
| --- | --- |
| MD5 | 00333d129e6ef188664819662a141476 |
| SHA1 | 41605ab3ceffff75a4abd29d2df0fe26bc7de8a1 |
| SHA256 | 82314104e7bccbced4fbe95a65273d88678b183e45f4fffa8abf2a4ee6a06ee7 |
| SHA512 | cb762a2b092fe00ce7c6b99816084dfd6d34d59dde8eb6ccad5f8c031f892f0a495fce7e8600e8fdcd3989f828813a06a5dc23feeb5f2ba7c8c649b9f0a8a150 |
memory/2180-11-0x0000000000590000-0x00000000005CD000-memory.dmp
memory/2180-12-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/1136-14-0x0000000000400000-0x000000000043D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 01:17
Reported
2024-04-17 01:20
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
160s
Command Line
Signatures
Mars Stealer
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\QN8R84.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe
"C:\Users\Admin\AppData\Local\Temp\3c71bf86bdeb35c1b8b178e99f3193efabf63a55abebb3356426b731c362a255.exe"
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\QN8R84.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\QN8R84.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.179.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kenesrakishev.net | udp |
| US | 173.201.180.75:80 | kenesrakishev.net | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 173.201.180.75:80 | kenesrakishev.net | tcp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
| US | 173.201.180.75:80 | kenesrakishev.net | tcp |
Files
memory/4076-0-0x0000000074D90000-0x0000000075540000-memory.dmp
memory/4076-1-0x0000000000820000-0x0000000000896000-memory.dmp
memory/4076-2-0x00000000052F0000-0x0000000005300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\QN8R84.exe
| Hash | Value |
| --- | --- |
| MD5 | 00333d129e6ef188664819662a141476 |
| SHA1 | 41605ab3ceffff75a4abd29d2df0fe26bc7de8a1 |
| SHA256 | 82314104e7bccbced4fbe95a65273d88678b183e45f4fffa8abf2a4ee6a06ee7 |
| SHA512 | cb762a2b092fe00ce7c6b99816084dfd6d34d59dde8eb6ccad5f8c031f892f0a495fce7e8600e8fdcd3989f828813a06a5dc23feeb5f2ba7c8c649b9f0a8a150 |
memory/3448-11-0x0000000000400000-0x000000000043D000-memory.dmp
memory/4076-13-0x0000000074D90000-0x0000000075540000-memory.dmp