Analysis

  • max time kernel
    148s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    23-03-2023 13:07

General

  • Target

    96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe

  • Size

    282KB

  • MD5

    72dcda0a0601b6e7df5b2d4133d8224f

  • SHA1

    4604ae50310f18648bfdce614f6332088cddff63

  • SHA256

    96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d

  • SHA512

    d7e08462a7e6e27d707becc83825ec3ec9275cc36b60e85c4980d8ea5002d3a7973cb89ae993b657e38be502db206a0b27fa0cfd784505c0fba0f2b1edfc92a4

  • SSDEEP

    6144:K8it3a+Prec1DJGDBXgN61cZlCsIH37fv1u5Jj6mV6:KJ3ofFXgcWWsIH37fya

Malware Config

Extracted

Family

fickerstealer

C2

lukkeze.club:80

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
    "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
      "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
      2⤵
      PID:1352
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1716
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x558
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:772
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1528
  • C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
    "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
      "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
      2⤵
      PID:1688
  • C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
    "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
      "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
      2⤵
      PID:1924
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1620
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" h -scrcSHA256 -i#7zMap29446:208:7zEvent8364
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:1464
  • C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
    "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
      "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
      2⤵
      PID:804

Network

MITRE ATT&CK Matrix


Downloads

  • C:\ProgramData\kaosdma.txt
    Filesize
    12B
    MD5
    71d587e911373f62d72a158eceb6e0e7
    SHA1
    68d81a1a4fb19c609288a94f10d1bbb92d972a68
    SHA256
    acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8
    SHA512
    a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060

  • memory/804-101-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize
    284KB

  • memory/1104-57-0x0000000000220000-0x0000000000264000-memory.dmp
    Filesize
    272KB

  • memory/1352-66-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize
    284KB

  • memory/1352-60-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize
    284KB

  • memory/1352-59-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize
    284KB

  • memory/1352-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB

  • memory/1352-56-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize
    284KB

  • memory/1528-69-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize
    5.9MB

  • memory/1528-70-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize
    5.9MB

  • memory/1528-74-0x0000000000390000-0x00000000003A0000-memory.dmp
    Filesize
    64KB

  • memory/1688-81-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize
    284KB

  • memory/1924-90-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize
    284KB