Analysis
max time kernel: 148s
max time network: 124s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 23-03-2023 13:07
Static task: static1
Behavioral task: behavioral1
  Sample: 96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
  Resource: win10v2004-20230220-en
General
Target: 96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
Size: 282KB
MD5: 72dcda0a0601b6e7df5b2d4133d8224f
SHA1: 4604ae50310f18648bfdce614f6332088cddff63
SHA256: 96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d
SHA512: d7e08462a7e6e27d707becc83825ec3ec9275cc36b60e85c4980d8ea5002d3a7973cb89ae993b657e38be502db206a0b27fa0cfd784505c0fba0f2b1edfc92a4
SSDEEP: 6144:K8it3a+Prec1DJGDBXgN61cZlCsIH37fv1u5Jj6mV6:KJ3ofFXgcWWsIH37fya
Malware Config
Extracted
fickerstealer
lukkeze.club:80
Signatures
- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    3 | api.ipify.org
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (description | pid | Process | procid_target):
    PID 1104 set thread context of 1352 | 1104 | 96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe | 28
    PID 864 set thread context of 1688 | 864 | 96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe | 37
    PID 1492 set thread context of 1924 | 1492 | 96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe | 39
    PID 1232 set thread context of 804 | 1232 | 96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe | 43
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: taskmgr.exe (PID 1528)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes (pid | Process):
    1528 | taskmgr.exe
    1464 | 7zG.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes (description | pid | Process):
    Token: 33 | 772 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 772 | AUDIODG.EXE
    Token: 33 | 772 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 772 | AUDIODG.EXE
    Token: SeDebugPrivilege | 1528 | taskmgr.exe
    Token: SeRestorePrivilege | 1620 | 7zFM.exe
    Token: 35 | 1620 | 7zFM.exe
    Token: SeRestorePrivilege | 1464 | 7zG.exe
    Token: 35 | 1464 | 7zG.exe
    Token: SeSecurityPrivilege | 1464 | 7zG.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: taskmgr.exe (PID 1528)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes: taskmgr.exe (PID 1528)
- Suspicious use of WriteProcessMemory (56 IoCs)
  Processes: 96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1104
  - C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
    PID: 1352
- C:\Windows\explorer.exe (depth 1)
  Command line: "C:\Windows\explorer.exe"
  PID: 1716
- C:\Windows\system32\AUDIODG.EXE (depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x558
  - Suspicious use of AdjustPrivilegeToken
  PID: 772
- C:\Windows\system32\taskmgr.exe (depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1528
- C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 864
  - C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
    PID: 1688
- C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1492
  - C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
    PID: 1924
- C:\Program Files\7-Zip\7zFM.exe (depth 1)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 1620
- C:\Program Files\7-Zip\7zG.exe (depth 1)
  Command line: "C:\Program Files\7-Zip\7zG.exe" h -scrcSHA256 -i#7zMap29446:208:7zEvent8364
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID: 1464
- C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1232
  - C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
    PID: 804
Downloads
Filesize: 12B
MD5: 71d587e911373f62d72a158eceb6e0e7
SHA1: 68d81a1a4fb19c609288a94f10d1bbb92d972a68
SHA256: acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8
SHA512: a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060