Analysis
-
max time kernel
121s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
09-07-2021 01:06
Static task
static1
Behavioral task
behavioral1
Sample
0708_3355614568218.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
0708_3355614568218.doc
Resource
win10v20210408
General
-
Target
0708_3355614568218.doc
-
Size
877KB
-
MD5
992338b40b38f1f55bd4a9599f70771c
-
SHA1
866086438592043aebb88f3da34ad437681a5cb0
-
SHA256
b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699
-
SHA512
cd0482f15b709a61dcc3c0007486d5d2eaeb5bfc315cc2d82bd4f75dae68fed5fee8a0e90c61163723f34b0cdc6c459c186f14ef6b936bc5ed70e7b4d97da50a
Malware Config
Extracted
fickerstealer
pospvisis.com:80
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3176 672 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 30 3204 rundll32.exe 32 3204 rundll32.exe 34 3204 rundll32.exe -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
rundll32.exepid process 3204 rundll32.exe 3204 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 29 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
rundll32.exedescription pid process target process PID 3204 set thread context of 3880 3204 rundll32.exe svchost.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEsvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\{2C14B83B-344B-46C1-95C0-E1291EBC54FD}\nimb.dll:Zone.Identifier WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 672 WINWORD.EXE 672 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rundll32.exesvchost.exepid process 3204 rundll32.exe 3204 rundll32.exe 3880 svchost.exe 3880 svchost.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
WINWORD.EXEpid process 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WINWORD.EXErundll32.exerundll32.exedescription pid process target process PID 672 wrote to memory of 2372 672 WINWORD.EXE splwow64.exe PID 672 wrote to memory of 2372 672 WINWORD.EXE splwow64.exe PID 672 wrote to memory of 3176 672 WINWORD.EXE rundll32.exe PID 672 wrote to memory of 3176 672 WINWORD.EXE rundll32.exe PID 3176 wrote to memory of 3204 3176 rundll32.exe rundll32.exe PID 3176 wrote to memory of 3204 3176 rundll32.exe rundll32.exe PID 3176 wrote to memory of 3204 3176 rundll32.exe rundll32.exe PID 3204 wrote to memory of 3880 3204 rundll32.exe svchost.exe PID 3204 wrote to memory of 3880 3204 rundll32.exe svchost.exe PID 3204 wrote to memory of 3880 3204 rundll32.exe svchost.exe PID 3204 wrote to memory of 3880 3204 rundll32.exe svchost.exe PID 3204 wrote to memory of 3880 3204 rundll32.exe svchost.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0708_3355614568218.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\niberius.dll,ONOQWPYIEIR2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\niberius.dll,ONOQWPYIEIR3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\System32\svchost.exe4⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\c:\users\admin\appdata\roaming\microsoft\templates\niberius.dllMD5
d22d8bb38cf8d6a5ce6d8be4106350e7
SHA102fc51e6572a17f5dbbc32c4e3dd03cca3c51afe
SHA2564dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557
SHA512434e6b553bb96c5ae6b26d22cc35614f248f93a442e702395ce925578598bdf74eb884daf5a40d6c02cb1769eaf3dfdf858205e0c7b64f8afda38574991fcc41
-
\Users\Admin\AppData\Roaming\Microsoft\Templates\niberius.dllMD5
d22d8bb38cf8d6a5ce6d8be4106350e7
SHA102fc51e6572a17f5dbbc32c4e3dd03cca3c51afe
SHA2564dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557
SHA512434e6b553bb96c5ae6b26d22cc35614f248f93a442e702395ce925578598bdf74eb884daf5a40d6c02cb1769eaf3dfdf858205e0c7b64f8afda38574991fcc41
-
\Users\Admin\AppData\Roaming\Microsoft\Templates\niberius.dllMD5
d22d8bb38cf8d6a5ce6d8be4106350e7
SHA102fc51e6572a17f5dbbc32c4e3dd03cca3c51afe
SHA2564dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557
SHA512434e6b553bb96c5ae6b26d22cc35614f248f93a442e702395ce925578598bdf74eb884daf5a40d6c02cb1769eaf3dfdf858205e0c7b64f8afda38574991fcc41
-
memory/672-119-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmpFilesize
64KB
-
memory/672-117-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmpFilesize
64KB
-
memory/672-118-0x00007FFD10F10000-0x00007FFD13A33000-memory.dmpFilesize
43.1MB
-
memory/672-122-0x00007FFD0BE80000-0x00007FFD0CF6E000-memory.dmpFilesize
16.9MB
-
memory/672-123-0x00007FFD09880000-0x00007FFD0B775000-memory.dmpFilesize
31.0MB
-
memory/672-115-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmpFilesize
64KB
-
memory/672-116-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmpFilesize
64KB
-
memory/672-114-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmpFilesize
64KB
-
memory/2372-179-0x0000000000000000-mapping.dmp
-
memory/3176-180-0x0000000000000000-mapping.dmp
-
memory/3204-182-0x0000000000000000-mapping.dmp
-
memory/3204-185-0x0000000000E80000-0x0000000000E81000-memory.dmpFilesize
4KB
-
memory/3880-186-0x0000000000401480-mapping.dmp
-
memory/3880-187-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB