Analysis
- max time kernel: 134s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 22:27
Static task: static1
Behavioral task: behavioral1
- Sample: mixsix_20211021-213834.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: mixsix_20211021-213834.exe
- Resource: win10-en-20211014
General
- Target: mixsix_20211021-213834.exe
- Size: 502KB
- MD5: 8b88f6c7769be88bcc52eaeea38621f2
- SHA1: bb67682e4b6421dfcc26fee615e9bc8499786599
- SHA256: 629483458b79478365479b415c1efa5334cf87b3b6617aff6b6145fd28ae085e
- SHA512: ebc8916650ae9682b3c32b194889589595325e26054d77fa2bc62ca2d520a4a754156931a01c7ca3e11f5c9323e2fadefc2e865f04baf7255b19ce41c22c37c0
Malware Config
- Extracted: fickerstealer
  - game2030.site:80
- Extracted: arkei
  - Default
  - http://gurums.online/ggate.php
Signatures
- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
- suricata: ET MALWARE Win32/Ficker Stealer Activity M3
- Arkei Stealer Payload (2 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\1635121677680.exe, family_arkei
  - C:\Users\Admin\AppData\Local\Temp\1635121677680.exe, family_arkei
- Downloads MZ/PE file
- Executes dropped EXE (5 IoCs)
  Processes (pid, process):
  - 2508, 1635121677588.exe
  - 1624, 1635121677680.exe
  - 1964, hvytube.exe
  - 1488, hvytube.exe
  - 2264, hvytube.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVYtube = "C:\\Users\\Admin\\AppData\\Roaming\\HVYtube\\hvytube.exe", 1635121677588.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVYtube3 = "C:\\Users\\Admin\\AppData\\Roaming\\HVYtube3\\hvytube.exe", hvytube.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - 11, api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  - PID 2704 set thread context of 828, 2704, mixsix_20211021-213834.exe, mixsix_20211021-213834.exe
- Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process):
  - 2852, 1624, WerFault.exe, 1635121677680.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, mixsix_20211021-213834.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, mixsix_20211021-213834.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process; identical rows collapsed with a count):
  - 828, mixsix_20211021-213834.exe (x2)
  - 2852, WerFault.exe (x12)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description, pid, process):
  - Token: SeRestorePrivilege, 2852, WerFault.exe
  - Token: SeBackupPrivilege, 2852, WerFault.exe
  - Token: SeDebugPrivilege, 2852, WerFault.exe
  - Token: SeDebugPrivilege, 1964, hvytube.exe
  - Token: SeDebugPrivilege, 2264, hvytube.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes (description, pid, process, target process; identical rows collapsed with a count):
  - PID 2704 wrote to memory of 828, 2704, mixsix_20211021-213834.exe, mixsix_20211021-213834.exe (x19)
  - PID 828 wrote to memory of 2508, 828, mixsix_20211021-213834.exe, 1635121677588.exe (x3)
  - PID 828 wrote to memory of 1624, 828, mixsix_20211021-213834.exe, 1635121677680.exe (x3)
  - PID 2508 wrote to memory of 1964, 2508, 1635121677588.exe, hvytube.exe (x3)
  - PID 1964 wrote to memory of 1488, 1964, hvytube.exe, hvytube.exe (x3)
  - PID 1488 wrote to memory of 2264, 1488, hvytube.exe, hvytube.exe (x3)
Processes (tree; indentation shows the parent/child depth reported by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\mixsix_20211021-213834.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mixsix_20211021-213834.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\mixsix_20211021-213834.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mixsix_20211021-213834.exe"
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1635121677588.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1635121677588.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
        Command line: "C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\hvytube.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\hvytube.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\HVYtube3\hvytube.exe
            Command line: "C:\Users\Admin\AppData\Roaming\HVYtube3\hvytube.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\1635121677680.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1635121677680.exe"
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1256
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads