Analysis

  • max time kernel
    121s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    09-07-2021 01:06

General

  • Target

    0708_3355614568218.doc

  • Size

    877KB

  • MD5

    992338b40b38f1f55bd4a9599f70771c

  • SHA1

    866086438592043aebb88f3da34ad437681a5cb0

  • SHA256

    b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699

  • SHA512

    cd0482f15b709a61dcc3c0007486d5d2eaeb5bfc315cc2d82bd4f75dae68fed5fee8a0e90c61163723f34b0cdc6c459c186f14ef6b936bc5ed70e7b4d97da50a

Malware Config

Extracted

Family

fickerstealer

C2

pospvisis.com:80

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

  • Hancitor

    Hancitor is a downloader used to deliver other malware families.

  • Process spawned unexpected child process ⋅ 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request ⋅ 3 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL ⋅ 2 IoCs
  • Reads local data of messenger clients ⋅ 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
  • Looks up external IP address via web service ⋅ 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Checks processor information in registry ⋅ 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry ⋅ 2 TTPs 3 IoCs
  • NTFS ADS ⋅ 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener ⋅ 2 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 4 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 14 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0708_3355614568218.doc" /o ""
    Checks processor information in registry
    Enumerates system info in registry
    NTFS ADS
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:672
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:2372
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\niberius.dll,ONOQWPYIEIR
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\niberius.dll,ONOQWPYIEIR
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\System32\svchost.exe
          Checks processor information in registry
          Suspicious behavior: EnumeratesProcesses
          PID:3880
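The process tree above is the part of this report worth turning into detection logic: an Office process spawning rundll32.exe, rundll32.exe loading a DLL from the user's roaming Templates directory, and rundll32.exe (which also triggered the SetThreadContext signature) ending up as the parent of an svchost.exe whose only legitimate parent on a normal system is services.exe. The Python below is an added example, not part of the sandbox report. The event records are constructed from the PIDs, images and command lines listed above; the field names (pid, ppid, image, cmdline) are an assumption modelled on process-creation telemetry such as Sysmon event ID 1, and the LOLBIN list is a generic starting set rather than anything the report names.

```python
"""Flag the WINWORD -> rundll32 -> rundll32 -> svchost chain from process-creation events.

Added example, not part of the original report. Field names are assumed;
the events are constructed from the report's own process tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in the report (PIDs as reported; ppid 0 = root).
EVENTS = [
    ProcEvent(672, 0, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\0708_3355614568218.doc" /o ""'),
    ProcEvent(2372, 672, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(3176, 672, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" '
              r"c:\users\admin\appdata\roaming\microsoft\templates\niberius.dll,ONOQWPYIEIR"),
    ProcEvent(3204, 3176, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" '
              r"c:\users\admin\appdata\roaming\microsoft\templates\niberius.dll,ONOQWPYIEIR"),
    ProcEvent(3880, 3204, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\System32\svchost.exe"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Generic living-off-the-land binaries that Office should never spawn directly (assumed list).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
# A DLL argument living under a user-writable AppData path is the key indicator here.
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hits(events):
    """Return (pid, rule_name) pairs for events that match one of the three rules."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # root of the captured tree; nothing to compare against
        child, par = basename(e.image), basename(parent.image)
        if par in OFFICE_APPS and child in LOLBINS:
            hits.append((e.pid, "office_spawns_lolbin"))
        if child == "rundll32.exe" and USER_WRITABLE.search(e.cmdline):
            hits.append((e.pid, "rundll32_loads_user_writable_dll"))
        # On a healthy system svchost.exe is started by services.exe; any other
        # parent is a strong hollowing / injection indicator.
        if child == "svchost.exe" and par != "services.exe":
            hits.append((e.pid, "svchost_unexpected_parent"))
    return hits


def lineage(events, pid: int):
    """Walk ppid links back to the root and return the chain of image names, root first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rule in find_hits(EVENTS):
        print(f"{rule:36s} pid={pid:<5d} chain={' > '.join(lineage(EVENTS, pid))}")
```

The 64-bit rundll32.exe re-launching its 32-bit SysWOW64 counterpart is itself normal; the rules key on the Office parent and the AppData DLL path instead, so splwow64.exe (a routine 32-bit print helper) produces no alert, while both rundll32 instances and the orphaned svchost do. Pair the svchost rule with the SetThreadContext/WriteProcessMemory signatures from the report when tuning it, since the svchost entry-point dump at 0x401480 is what makes this chain look like hollowing rather than a benign service start.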

Network

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Downloads

  • \??\c:\users\admin\appdata\roaming\microsoft\templates\niberius.dll
    MD5
    d22d8bb38cf8d6a5ce6d8be4106350e7
    SHA1
    02fc51e6572a17f5dbbc32c4e3dd03cca3c51afe
    SHA256
    4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557
    SHA512
    434e6b553bb96c5ae6b26d22cc35614f248f93a442e702395ce925578598bdf74eb884daf5a40d6c02cb1769eaf3dfdf858205e0c7b64f8afda38574991fcc41

  • \Users\Admin\AppData\Roaming\Microsoft\Templates\niberius.dll
    MD5
    d22d8bb38cf8d6a5ce6d8be4106350e7
    SHA1
    02fc51e6572a17f5dbbc32c4e3dd03cca3c51afe
    SHA256
    4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557
    SHA512
    434e6b553bb96c5ae6b26d22cc35614f248f93a442e702395ce925578598bdf74eb884daf5a40d6c02cb1769eaf3dfdf858205e0c7b64f8afda38574991fcc41

  • memory/672-119-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp
  • memory/672-117-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp
  • memory/672-118-0x00007FFD10F10000-0x00007FFD13A33000-memory.dmp
  • memory/672-122-0x00007FFD0BE80000-0x00007FFD0CF6E000-memory.dmp
  • memory/672-123-0x00007FFD09880000-0x00007FFD0B775000-memory.dmp
  • memory/672-115-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp
  • memory/672-116-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp
  • memory/672-114-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp
  • memory/2372-179-0x0000000000000000-mapping.dmp
  • memory/3176-180-0x0000000000000000-mapping.dmp
  • memory/3204-182-0x0000000000000000-mapping.dmp
  • memory/3204-185-0x0000000000E80000-0x0000000000E81000-memory.dmp
  • memory/3880-186-0x0000000000401480-mapping.dmp
  • memory/3880-187-0x0000000000400000-0x0000000000448000-memory.dmp