Analysis
max time kernel: 141s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 26-05-2024 22:33
Behavioral tasks
behavioral1: Sample Maya Password Stealer/Editor.exe, Resource win7-20240508-en
behavioral2: Sample Maya Password Stealer/Editor.exe, Resource win10v2004-20240426-en
behavioral3: Sample Maya Password Stealer/fsg.exe, Resource win7-20240221-en
behavioral4: Sample Maya Password Stealer/fsg.exe, Resource win10v2004-20240508-en
behavioral5: Sample Maya Password Stealer/stub.exe, Resource win7-20240221-en
behavioral6: Sample Maya Password Stealer/stub.exe, Resource win10v2004-20240426-en
General
Target: Maya Password Stealer/Editor.exe
Size: 459KB
MD5: e323ed667ef3563092dce07d984518ce
SHA1: 2c56b1a587dd43aa5e09950919a1510d8b05f4fc
SHA256: 2f46ac733fdcc19be847e7008260c34bcb3a31cbc82299409d95d524bd0d5fc5
SHA512: b96017def08318f65ad08d75ab48c90eb637e2944f56d7c843c85f9bc7dfaa4ce7505954d2c55abdf33cd1f50cf57aed2476d36a0dc624606ed19061c54de207
SSDEEP: 6144:l9TyWfXiIk6hXalydeocepqj6d48tbeldKCiI9hnCtMVobP+RKp6NVc3rsVIOptT:C20kaMwNeg6y8tb1/viiss6ji4VCmew
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid: 972, process: Editormgr.exe

Processes:
  resource: behavioral2/memory/3860-0-0x0000000000400000-0x0000000000558000-memory.dmp, yara_rule: upx
  resource: C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editormgr.exe, yara_rule: upx
  resource: behavioral2/memory/972-5-0x0000000000400000-0x000000000046E000-memory.dmp, yara_rule: upx
  resource: behavioral2/memory/972-12-0x0000000000400000-0x000000000046E000-memory.dmp, yara_rule: upx
  resource: behavioral2/memory/3860-13-0x0000000000400000-0x0000000000558000-memory.dmp, yara_rule: upx

Program crash (1 IoCs)
Processes:
  pid: 1160, pid_target: 972, process: WerFault.exe, target process: Editormgr.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 3860 wrote to memory of 972, pid: 3860, process: Editor.exe, target process: Editormgr.exe
  description: PID 3860 wrote to memory of 972, pid: 3860, process: Editor.exe, target process: Editormgr.exe
  description: PID 3860 wrote to memory of 972, pid: 3860, process: Editor.exe, target process: Editormgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editor.exe"
  PID: 3860
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editormgr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editormgr.exe"
    PID: 972
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 264
      PID: 1160
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 972 -ip 972
  PID: 4092
Downloads
- C:\Users\Admin\AppData\Local\Temp\Maya Password Stealer\Editormgr.exe
  Filesize: 105KB
  MD5: 9b49fec7e03c33277f188a2819b8d726
  SHA1: a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f
  SHA256: 9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad
  SHA512: 049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d
- memory/972-5-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
- memory/972-6-0x00000000005C0000-0x00000000005C1000-memory.dmp
  Filesize: 4KB
- memory/972-12-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
- memory/3860-0-0x0000000000400000-0x0000000000558000-memory.dmp
  Filesize: 1.3MB
- memory/3860-7-0x00000000022C0000-0x00000000022C1000-memory.dmp
  Filesize: 4KB
- memory/3860-13-0x0000000000400000-0x0000000000558000-memory.dmp
  Filesize: 1.3MB
- memory/3860-15-0x00000000022C0000-0x00000000022C1000-memory.dmp
  Filesize: 4KB