Analysis
- max time kernel: 152s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 23:42
- Static task: static1
- Behavioral task: behavioral1
  Sample: fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe
  Resource: win10v2004-20220414-en
General
- Target: fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe
- Size: 3.6MB
- MD5: a2c7a93f123d477aeb5cd0c87e95711f
- SHA1: d2159c9274e01d44217f04d7491a9ab899b6e1c2
- SHA256: fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c
- SHA512: ec89e133346ad53af32c584f27129cfd5d62d85b2990136f696b2dc3aba7b2919b3e30e8081b880fb219f694d56f3bb02eb03a8484f7c160ccee435f3aa21109
Malware Config
- Extracted: fickerstealer
  C2: 194.99.20.202:80
- Extracted: amadey
  Version: 2.08
  C2: 194.32.77.37/pPpfs3ds3Za/index.php
Signatures
- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  Processes: system.exe, rween.exe, services.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | system.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rween.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | services.exe
- Executes dropped EXE (3 IoCs)
  Processes: services.exe, system.exe, rween.exe
  pid | process
  2848 | services.exe
  3092 | system.exe
  3636 | rween.exe
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: rween.exe, services.exe, system.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rween.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rween.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | services.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | services.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | system.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | system.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: system.exe, rween.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | system.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | rween.exe
- YARA rule match: themida (dropped files and their memory dumps match the themida packer rule)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\services.exe | themida
  C:\Users\Admin\AppData\Roaming\services.exe | themida
  behavioral2/memory/2848-133-0x0000000000400000-0x000000000087E000-memory.dmp | themida
  C:\Users\Admin\AppData\Roaming\system.exe | themida
  C:\Users\Admin\AppData\Roaming\system.exe | themida
  behavioral2/memory/3092-137-0x0000000000230000-0x00000000006A3000-memory.dmp | themida
  behavioral2/memory/3092-138-0x0000000000230000-0x00000000006A3000-memory.dmp | themida
  behavioral2/memory/3092-139-0x0000000000230000-0x00000000006A3000-memory.dmp | themida
  C:\ProgramData\ba4c285d2a\rween.exe | themida
  C:\ProgramData\ba4c285d2a\rween.exe | themida
  behavioral2/memory/3092-143-0x0000000000230000-0x00000000006A3000-memory.dmp | themida
  behavioral2/memory/3636-144-0x00000000009E0000-0x0000000000E53000-memory.dmp | themida
  behavioral2/memory/3636-145-0x00000000009E0000-0x0000000000E53000-memory.dmp | themida
  behavioral2/memory/3636-146-0x00000000009E0000-0x0000000000E53000-memory.dmp | themida
  behavioral2/memory/2848-149-0x0000000000400000-0x000000000087E000-memory.dmp | themida
  behavioral2/memory/3636-151-0x00000000009E0000-0x0000000000E53000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes: services.exe, system.exe, rween.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | system.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rween.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5 | api.ipify.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe, system.exe, rween.exe, cmd.exe
  description | pid | process | target process
  PID 4304 wrote to memory of 2848 | 4304 | fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe | services.exe
  PID 4304 wrote to memory of 2848 | 4304 | fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe | services.exe
  PID 4304 wrote to memory of 2848 | 4304 | fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe | services.exe
  PID 4304 wrote to memory of 3092 | 4304 | fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe | system.exe
  PID 4304 wrote to memory of 3092 | 4304 | fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe | system.exe
  PID 4304 wrote to memory of 3092 | 4304 | fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe | system.exe
  PID 3092 wrote to memory of 3636 | 3092 | system.exe | rween.exe
  PID 3092 wrote to memory of 3636 | 3092 | system.exe | rween.exe
  PID 3092 wrote to memory of 3636 | 3092 | system.exe | rween.exe
  PID 3636 wrote to memory of 4356 | 3636 | rween.exe | cmd.exe
  PID 3636 wrote to memory of 4356 | 3636 | rween.exe | cmd.exe
  PID 3636 wrote to memory of 4356 | 3636 | rween.exe | cmd.exe
  PID 4356 wrote to memory of 3136 | 4356 | cmd.exe | reg.exe
  PID 4356 wrote to memory of 3136 | 4356 | cmd.exe | reg.exe
  PID 4356 wrote to memory of 3136 | 4356 | cmd.exe | reg.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fbac8499f9b9374327cb08b0a19a09da2e26f464bf082708db77228a44277f0c.exe"
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Roaming\services.exe
    command line: C:\Users\Admin\AppData\Roaming\services.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
  - (level 2) C:\Users\Admin\AppData\Roaming\system.exe
    command line: C:\Users\Admin\AppData\Roaming\system.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\ProgramData\ba4c285d2a\rween.exe
      command line: "C:\ProgramData\ba4c285d2a\rween.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks computer location settings
      - Checks whether UAC is enabled
      - Suspicious use of WriteProcessMemory
      - (level 4) C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\ba4c285d2a\
        - Suspicious use of WriteProcessMemory
        - (level 5) C:\Windows\SysWOW64\reg.exe
          command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\ba4c285d2a\
          Note: this REG ADD rewrites the current user's Startup shell folder to point at C:\ProgramData\ba4c285d2a\, the directory holding the dropped rween.exe, so its contents run at logon; a modified User Shell Folders\Startup value is the persistence indicator to look for.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\152110819440123634099177 (zero-length file: these are the hashes of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\ProgramData\ba4c285d2a\rween.exe
  Filesize: 1.9MB
  MD5: bb915ef0b397fd1f08f7c2d14445713c
  SHA1: 9f19ba3c6a948c7802e616828cd0f1bbde29454a
  SHA256: 6087d1729f77ce678d03a30247cb6d1f455e8e264951643faf738efba17470c9
  SHA512: ab05f3df1dd161636056e4571524fbe27149a542520d95dbe99c4e40baffebb06da2bbea8bb66d63a31de9092df34ac8ffc7568f86425edd23d4028731136331
- C:\Users\Admin\AppData\Roaming\services.exe
  Filesize: 1.9MB
  MD5: a9ba96d43fb37bb2ce34b3de9fe25ddb
  SHA1: b9d9e46bd77758e70c77ab743f54c06c395f9efd
  SHA256: accad4dff29fa37e1bf34e050f6eedefe3ae4f114d1781334ea385a09ac48dec
  SHA512: 7c71844652ec46a5a69a6f5879b318cf0dd66bc2747b0f825e677f3492c380be1594d7909d3128b25133ff4a9a6d33ce9a7ffdfb9b21891d9aa7e985c51b0fc7
- C:\Users\Admin\AppData\Roaming\system.exe (identical hashes to C:\ProgramData\ba4c285d2a\rween.exe, i.e. the same binary copied to a second location)
  Filesize: 1.9MB
  MD5: bb915ef0b397fd1f08f7c2d14445713c
  SHA1: 9f19ba3c6a948c7802e616828cd0f1bbde29454a
  SHA256: 6087d1729f77ce678d03a30247cb6d1f455e8e264951643faf738efba17470c9
  SHA512: ab05f3df1dd161636056e4571524fbe27149a542520d95dbe99c4e40baffebb06da2bbea8bb66d63a31de9092df34ac8ffc7568f86425edd23d4028731136331
- memory/2848-130-0x0000000000000000-mapping.dmp
- memory/2848-133-0x0000000000400000-0x000000000087E000-memory.dmp (Filesize: 4.5MB)
- memory/2848-149-0x0000000000400000-0x000000000087E000-memory.dmp (Filesize: 4.5MB)
- memory/3092-134-0x0000000000000000-mapping.dmp
- memory/3092-139-0x0000000000230000-0x00000000006A3000-memory.dmp (Filesize: 4.4MB)
- memory/3092-138-0x0000000000230000-0x00000000006A3000-memory.dmp (Filesize: 4.4MB)
- memory/3092-143-0x0000000000230000-0x00000000006A3000-memory.dmp (Filesize: 4.4MB)
- memory/3092-137-0x0000000000230000-0x00000000006A3000-memory.dmp (Filesize: 4.4MB)
- memory/3136-150-0x0000000000000000-mapping.dmp
- memory/3636-140-0x0000000000000000-mapping.dmp
- memory/3636-146-0x00000000009E0000-0x0000000000E53000-memory.dmp (Filesize: 4.4MB)
- memory/3636-145-0x00000000009E0000-0x0000000000E53000-memory.dmp (Filesize: 4.4MB)
- memory/3636-144-0x00000000009E0000-0x0000000000E53000-memory.dmp (Filesize: 4.4MB)
- memory/3636-151-0x00000000009E0000-0x0000000000E53000-memory.dmp (Filesize: 4.4MB)
- memory/4356-148-0x0000000000000000-mapping.dmp