Analysis Overview
SHA256
37dfa936a8336dd36b8379f0ab078c79d062a531e62138efc6bd760d7f496532
Threat Level: Known bad
The file 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.zip was found to be: Known bad.
Malicious Activity Summary
Fickerstealer
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-03-26 16:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-26 16:56
Reported
2023-03-26 16:58
Platform
win7-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\eventvwr.msc | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1636 set thread context of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe |
| PID 2000 set thread context of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe |
| PID 1268 set thread context of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.155:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
Files
memory/1932-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1636-58-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/1932-56-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1932-59-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1932-60-0x0000000000400000-0x0000000000471000-memory.dmp
C:\ProgramData\gwegwe.txt
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |
memory/1168-66-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1168-67-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1932-68-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1168-69-0x0000000002240000-0x0000000002250000-memory.dmp
memory/1788-76-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1508-86-0x0000000000400000-0x0000000000471000-memory.dmp
memory/272-89-0x0000000002700000-0x000000000271E000-memory.dmp
memory/272-90-0x000000001CE50000-0x000000001D196000-memory.dmp
memory/272-91-0x0000000002150000-0x0000000002151000-memory.dmp
memory/272-93-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-92-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-94-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-95-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-96-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-98-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-97-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-99-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp
memory/272-100-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-101-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-103-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-105-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-104-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-106-0x0000000002150000-0x0000000002151000-memory.dmp
memory/272-107-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-108-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-110-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-111-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-112-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-113-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-114-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-115-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-117-0x0000000004100000-0x0000000004180000-memory.dmp
memory/272-119-0x0000000004100000-0x0000000004180000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Event Viewer\Settings.Xml
| MD5 | 884320a9b8f018f309f5a96107133f89 |
| SHA1 | 102e8a8f3c91a10d9d670e0b3715bd2e0acee5ff |
| SHA256 | 50fd9d76d1c43bb16b166de02aaf8adec09eb5bc4cefdca9d1af2e0f7b1d8f64 |
| SHA512 | b815fcbd7263b6667f01478b955f9734b1bddbcd7ca8e62ef8ff1ec46ed99931ba466c976ac781f1bd899125571585d580f6f232cc37b8e9ed87935981b99b78 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-26 16:56
Reported
2023-03-26 16:58
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2604 set thread context of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.18.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.155:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 155.227.185.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 13.89.179.9:443 | tcp | |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| NL | 8.238.20.126:80 | tcp | |
| US | 8.8.8.8:53 | fasdas.link | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| NL | 8.238.177.126:80 | tcp | |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
Files
memory/2604-134-0x0000000002230000-0x000000000229C000-memory.dmp
memory/2272-135-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2272-137-0x0000000000400000-0x0000000000471000-memory.dmp
C:\ProgramData\gwegwe.txt
| MD5 | 0146b97f1bf748301734071d33706ba1 |
| SHA1 | 4fe8ed756a2e7d09499d962cb3ffd9a7d3e20495 |
| SHA256 | c3af235b5b9c8f8c0657cab7c8c85f85d97100c7d13cb4fb6626c667e06b697f |
| SHA512 | 34e2df58d22ddbc3b5d4355394232e71b8ec68c389d2a21d99981200ba80e3f90e4af3c56aef2d50b5042796d658e6ac9007450d4e32f0d8db43d167a59f0cfb |
memory/2272-143-0x0000000000400000-0x0000000000471000-memory.dmp