Overview

overview

10

Static

static

Lucky Fixed.exe

windows7_x64

8

Lucky Fixed.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    11-07-2022 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Lucky Fixed.exe

  • Size

    1.5MB

  • MD5

    02346b31c94a650a16dea1a262db5153

  • SHA1

    a301b0d05d01a35b6e893d3d2ebe9bf8985ae434

  • SHA256

    2da5d10cdba79d8a8153eaf7ab3d4aad3afaf14c6d9098f7720858c61910948c

  • SHA512

    1b6bd5adc407829ffbfadea6e4d37b0b21baaac926fd909ed9fe0c7084a2f432df11a2640dd6423cff9a8beb0b4e11b272c2a02f48f75b64dc25f8b109838c9a

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe
    "C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\ProgramData\Decoder.exe
      "C:\ProgramData\Decoder.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\system32\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Decoder.exe
    Filesize

    490KB

    MD5

    c29c0d495ed13e703f433d53bdffdab8

    SHA1

    74ed36e6b6027b61abcfe2956670ffd9de7fd71a

    SHA256

    20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b

    SHA512

    fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\.cmd
    Filesize

    28B

    MD5

    217407484aac2673214337def8886072

    SHA1

    0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

    SHA256

    467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

    SHA512

    8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

    Download Submit
  • memory/1324-54-0x00000000011D0000-0x0000000001354000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1324-55-0x0000000000A90000-0x0000000000B06000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1324-56-0x000007FEFC461000-0x000007FEFC463000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1568-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1568-62-0x00000000048C0000-0x000000000495C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1568-63-0x00000000023C0000-0x000000000245A000-memory.dmp
    Filesize

    616KB

    Download
  • memory/1568-64-0x0000000076011000-0x0000000076013000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1568-65-0x0000000004ED0000-0x0000000004F46000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1608-59-0x0000000000000000-mapping.dmp
    Download
  • memory/2028-61-0x0000000000000000-mapping.dmp
    Download