Analysis

  • max time kernel
    131s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    14-11-2022 09:44

General

  • Target

    1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe

  • Size

    11.7MB

  • MD5

    51f468fa1f11ef59ad7fd5f339906661

  • SHA1

    03887d2684aff18df484ca39c8f070a0bc725e4a

  • SHA256

    1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165

  • SHA512

    493e7d68f3ffdb6e9b0587457370253f72e3d6b2c6fa3bafb1e96dcb36db0e6b78b2a52bcf86c9b42f1bf260da639a1e88ca13d8a43ad9826ed4f680e9c3ba7f

  • SSDEEP

    196608:GPGZKb8EO3ZqySJwUWI/YfH5r7aNXl+MJvZGNod9ldozfoKF2rqIUlHRpSiC:voYZqySi7bfH5qNXzvZLHdozfSOlxpBC

Malware Config

Extracted

  • Family
    fickerstealer
  • C2
    prunerflowershop.com:80

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
    "C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1810466 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2891029575-1462575-1165213807-1000"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe
        "C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:216

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

    Filesize

    1.3MB

    MD5

    ac23d03c4b8d531016a3c1ebfa2bc91c

    SHA1

    11383627d5515ed2257f594db7fbce3a4b9106f8

    SHA256

    0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

    SHA512

    bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

    Filesize

    326KB

    MD5

    e7a789232ef503dcb4929791673009a3

    SHA1

    8bc28bce4c9d8b4a6e360100441ba54a878de4c1

    SHA256

    89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

    SHA512

    6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

  • C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\FAQ.pdf

    Filesize

    859KB

    MD5

    7d48ba5bfc96796ab7dc48f6764aec44

    SHA1

    bec9f2d46ad903fdbf66a92aeb95c6da1d29441a

    SHA256

    4d8fa3c825223e76c1ec3a002ff10208a3d3a91366de8472d3afa61fdf3e0ab8

    SHA512

    71914f9266aca04de7e01d04fc7c213a82bb082968e4b8e88cc0e9bf765cb5e1d40a89cc994c03569533ec1355497e853a21a1ac22ae098de8a686241235ce1f

  • C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\Filters\LC.dll

    Filesize

    76KB

    MD5

    6316c4082cacf8f3f4f22daef56cb15c

    SHA1

    cea3de90b20396b092797ec8c7e241e822c8faed

    SHA256

    5594b08c79a4d188a674713011cd516618fa36d2f988f7d353fb3370939a4062

    SHA512

    e1e0a6440f91b208b61775e30d8fc1be299a298e00ed564ca7c74fa8728738af66e6c3c0805553abbc4a8d2838cd21bfde61ac2322fff4e62ac4d6796a0821bc

  • C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe

    Filesize

    3.5MB

    MD5

    f387a40e95f63b5647beecdd9c4bf80e

    SHA1

    6d3e94f983eb4260e828048f464febfe80fdc5cb

    SHA256

    f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

    SHA512

    49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

  • C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\libftype-5.dll

    Filesize

    17.1MB

    MD5

    3399513c46e46661a9d6c59ec92aefe7

    SHA1

    696d40c6c74d5fdffe60880a454dfe69fd5400cb

    SHA256

    a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

    SHA512

    f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

  • memory/216-139-0x0000000000000000-mapping.dmp

  • memory/216-142-0x0000000000400000-0x0000000000A63000-memory.dmp

    Filesize

    6.4MB

  • memory/216-147-0x0000000000400000-0x0000000000A63000-memory.dmp

    Filesize

    6.4MB

  • memory/4356-132-0x0000000000000000-mapping.dmp

  • memory/4356-143-0x0000000000FC0000-0x00000000013A8000-memory.dmp

    Filesize

    3.9MB

  • memory/4356-137-0x0000000000FC0000-0x00000000013A8000-memory.dmp

    Filesize

    3.9MB