locky | 3417e9f342180604ef37d8269d0c45a5ea9518448816acde4af89f5069c59e9b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mars Stealer 8 cracked.exe
Size

26.4MB
MD5

96c6e7d92d982f79e1ac1a43c5ba4c1d
SHA1

4c7e8c2e062d7c6a2ce70e848d3440f775c9984f
SHA256

3417e9f342180604ef37d8269d0c45a5ea9518448816acde4af89f5069c59e9b
SHA512

23bd0d128c11d90f631762ed47c9dbf292798f62194982acc083c7b5509129bf81508411bf44ec43b2b4f4bdca16a0495b23364672ecc26185dd97758a3f78d8
SSDEEP

393216:JKMnRFe0Q5vHLJ5wdbnFA1CXH2apIFGIweagYq8njYipxiJ7xhli9Lq4XqDQBZyW:UxvHLJmUKLpIFGgagHyU7zliXqDQPyLS

Score

10^/10

locky discovery pyinstaller ransomware upx

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky family
locky

Executes dropped EXE 5 IoCs

pid	Process
1944	crack.exe
988	svchost.exe
2468	svchost.exe
2760	crack.exe
1200	Process not Found

Loads dropped DLL 14 IoCs

pid	Process
2996	Mars Stealer 8 cracked.exe
2996	Mars Stealer 8 cracked.exe
2832	Process not Found
988	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
1944	crack.exe
2760	crack.exe
1200	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001dbf7-944.dat	upx
behavioral1/memory/2468-948-0x000007FEF5750000-0x000007FEF5E15000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000500000001a4f7-716.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mars Stealer 8 cracked.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	Mars Stealer 8 cracked.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2996	Mars Stealer 8 cracked.exe
2996	Mars Stealer 8 cracked.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1944	2996	Mars Stealer 8 cracked.exe	30
PID 2996 wrote to memory of 1944	2996	Mars Stealer 8 cracked.exe	30
PID 2996 wrote to memory of 1944	2996	Mars Stealer 8 cracked.exe	30
PID 2996 wrote to memory of 1944	2996	Mars Stealer 8 cracked.exe	30
PID 2996 wrote to memory of 988	2996	Mars Stealer 8 cracked.exe	31
PID 2996 wrote to memory of 988	2996	Mars Stealer 8 cracked.exe	31
PID 2996 wrote to memory of 988	2996	Mars Stealer 8 cracked.exe	31
PID 2996 wrote to memory of 988	2996	Mars Stealer 8 cracked.exe	31
PID 988 wrote to memory of 2468	988	svchost.exe	33
PID 988 wrote to memory of 2468	988	svchost.exe	33
PID 988 wrote to memory of 2468	988	svchost.exe	33
PID 1944 wrote to memory of 2760	1944	crack.exe	34
PID 1944 wrote to memory of 2760	1944	crack.exe	34
PID 1944 wrote to memory of 2760	1944	crack.exe	34

C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\crack.exe
  "C:\Users\Admin\AppData\Local\Temp\crack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\crack.exe
    "C:\Users\Admin\AppData\Local\Temp\crack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2760
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Panel\www\panel\assets\images\flags\re.png

Filesize
545B

MD5
c1cf1874c3305e5663547a48f6ad2d8c

SHA1
0f67f12d76a0543772a3259a3b38935381349e01

SHA256
79a39793efbf8217efbbc840e1b2041fe995363a5f12f0c01dd4d1462e5eb842

SHA512
c00e202e083f703e39cafbb86f3e3f6b330359906e3a6c7a6a78364d6adeb489f8b8ab1b2d6a1b8d9ef1a17702cfc8fc17219cf1aae3e5a7c18833f028037843

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel\www\panel\assets\images\flags\sj.png

Filesize
512B

MD5
559ce5baaee373db8da150a5066c1062

SHA1
ee80e5f63c986d04f46bff10f639113c88107ced

SHA256
f8dc302371c809ebda3e9183c606264601f8dd851d2b1878fd25f0f6abe2988c

SHA512
c0ca7595cdd2dcef0385ccb1c0d15bb74accaea63b9531233bddf14c1791ffc9712dff660292706cfa269a975d29d7a189885cd09046ac6d8ed39a57ec9557ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19442\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
8.2MB

MD5
e2eaae1faafbcb27b498ab773e936095

SHA1
a09bb8310da7332d63cc9a075fc51be9b256d0cd

SHA256
ee3c57bc5e701d433d3a1ec3352d44d26122987d0eacf48bb0d1a8daf3e19030

SHA512
255b59b795169df5c39c232c6af8c3d8a545f5c6b8662aa0a046a8fc90ade6abdde00316154c30cde2effabccdd229ebdfb62a44b55451e5fbd5d7e72c1d15c1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
1f72ba20e6771fe77dd27a3007801d37

SHA1
db0eb1b03f742ca62eeebca6b839fdb51f98a14f

SHA256
0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4

SHA512
13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
c3408e38a69dc84d104ce34abf2dfe5b

SHA1
8c01bd146cfd7895769e3862822edb838219edab

SHA256
0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453

SHA512
aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
75ef38b27be5fa07dc07ca44792edcc3

SHA1
7392603b8c75a57857e5b5773f2079cb9da90ee9

SHA256
659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a

SHA512
78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
a55abf3646704420e48c8e29ccde5f7c

SHA1
c2ac5452adbc8d565ad2bc9ec0724a08b449c2d8

SHA256
c2f296dd8372681c37541b0ca8161b4621037d5318b7b8c5346cf7b8a6e22c3e

SHA512
c8eb3ec20821ae4403d48bb5dbf2237428016f23744f7982993a844c53ae89d06f86e03ab801e5aee441a83a82a7c591c0de6a7d586ea1f8c20a2426fced86f0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9882\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
e8af200a0127e12445eb8004a969fc1d

SHA1
a770fe20e42e2bef641c0591c0e763c1c8ba404d

SHA256
64d1ca4ead666023681929d86db26cfd3c70d4b2e521135205a84001d25187db

SHA512
a49b1ce5faf98af719e3a02cd1ff2a7ced1afc4fbf7483beab3f65487d79acc604a0db7c6ee21e45366e93f03fb109126ef00716624c159f1c35e4c100853eaf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9882\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9882\ucrtbase.dll

Filesize
993KB

MD5
9679f79d724bcdbd3338824ffe8b00c7

SHA1
5ded91cc6e3346f689d079594cf3a9bf1200bd61

SHA256
962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36

SHA512
74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd

Download Submit
\Users\Admin\AppData\Local\Temp\crack.exe

Filesize
10.3MB

MD5
4fe30a23c39ba018087953089e06e700

SHA1
4a78d78c1f454a7f3d91413184ac061458c30d64

SHA256
12198899a031241840756a8eed1015904555bc04728dace270c4734c02e64030

SHA512
f62fd43cef647672debbe5a22a1461a885ad53e8f56ce426020f73064bfbf703d697e3a9e87ed5b4d8ec0b422c451477378bc7779460332bb02960349bd3ff05

Download Submit
memory/2468-948-0x000007FEF5750000-0x000007FEF5E15000-memory.dmp

Filesize
6.8MB

Download