Analysis

  • max time kernel
    378s
  • max time network
    1593s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-es
  • resource tags
    arch:x64, arch:x86, image:win10-20230220-es, locale:es-es, os:windows10-1703-x64, system, windows
  • submitted
    07-04-2023 17:05

General

  • Target

    Setup.exe

  • Size

    743.9MB

  • MD5

    ae56df057a76438211d5f67b2bebb60f

  • SHA1

    d534eb46073c9f427e86e8d246d972ae9785ff05

  • SHA256

    9bfa463e61d2d739ecfcdc9400fc9f9dfaf49aaca42a0b4d2ac185131e0629ef

  • SHA512

    3d3bc206e6a4aa3c55faddc7f7e98c5a072fe176697d459280ec9222695cff0d674e627a4f371d03642e0fd908212335e5b9db25daa78d41640cec484b295b09

  • SSDEEP

    49152:EWMn2d/BRoXdCtEnSVw0cwonfMOY7REYr4nN:EWQcefSROYNJr4

Malware Config

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

  • Program crash 4 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    PID:4464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1224
        2⤵
        • Program crash
        PID:4468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1228
        2⤵
        • Program crash
        PID:956
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1264
        2⤵
        • Program crash
        PID:1660
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1284
        2⤵
        • Program crash
        PID:1508
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2128
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3584
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4156
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.0.1499969995\186151439" -parentBuildID 20221007134813 -prefsHandle 1656 -prefMapHandle 1644 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f16171f-4747-47a6-b808-1dec65daee32} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 1748 27b30b16258 gpu
            3⤵
            PID:4324
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.1.475340824\313060720" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b6ff4c2-440e-4326-a3c0-e454705e889f} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 2104 27b2f70e258 socket
            3⤵
            • Checks processor information in registry
            PID:688
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.2.1210833994\1725462956" -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 2772 -prefsLen 21039 -prefMapSize 232645 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ab021e0-2c06-400a-a7bf-873024dd22c0} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 2748 27b33846458 tab
            3⤵
            PID:748
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.3.1998100162\1433338243" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3484 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86059d17-7151-4e88-8975-a75741213e16} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 3508 27b24262b58 tab
            3⤵
            PID:3312
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.4.1641499928\522332184" -childID 3 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {221f6b0f-0a18-40d3-b6e8-3225b26476ea} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 3752 27b34de8558 tab
            3⤵
            PID:980
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.5.2004052488\154962385" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4876 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {01fcc3ac-f212-47b4-862a-9f7f05dac4c5} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 4884 27b35ec1458 tab
            3⤵
            PID:404
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.7.1878961787\150646814" -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84f7e9bd-80ae-4b9b-b677-c6f82b51d033} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 5216 27b35ec3558 tab
            3⤵
            PID:1480
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.6.1677866513\1368436970" -childID 5 -isForBrowser -prefsHandle 5016 -prefMapHandle 5020 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e9dca36-6280-4441-88b1-3f4ce1aea4c1} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 5008 27b35ec1d58 tab
            3⤵
            PID:1484
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.8.1326414893\718888381" -childID 7 -isForBrowser -prefsHandle 5060 -prefMapHandle 2844 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27289fd8-ea5c-4d90-8854-693fc5a9554f} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 4876 27b355c7258 tab
            3⤵
            PID:2792
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.9.1474801399\158791935" -childID 8 -isForBrowser -prefsHandle 5760 -prefMapHandle 5688 -prefsLen 27079 -prefMapSize 232645 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4059d6de-c466-44a6-b3b8-eb7c4f844bbd} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 5708 27b339d7058 tab
            3⤵
            PID:3928
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2844

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oqpbz544.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    142KB

    MD5

    54ddea3cae16280b7aeaa4562632e1fd

    SHA1

    2b0cb4e2b3d8ed73ae43ffb0c4c822bc5148fcd9

    SHA256

    58f29e6d54e2767d60181f03ea361ec4ce0ba2bdb32820ca8d52e731428f57db

    SHA512

    513996e48e5821723b3d1ebe083a674716af2f8badc3cfcd7a766f355a181ee18722ee68b7dad6e456e68dc0298f3a70b64e9ec4df5f54477eff99684d275936

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\prefs.js

    Filesize

    6KB

    MD5

    cdb5a91b7898f75f98e448e80b41dba6

    SHA1

    c749651f98e32a2320d2e52fd467fd6217660535

    SHA256

    ed56bd19352777293cf7195af0fe1412d52e25af6a9a8e2bb04e3e32056556dc

    SHA512

    b99bca03a398f7e068691852106fe03a90489d1e8230720749c25703e59874765ef706e9e27c9215251372efee84d9c9d0eb636a54e45035d5d2095304fee97b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionCheckpoints.json.tmp

    Filesize

    193B

    MD5

    2ad4fe43dc84c6adbdfd90aaba12703f

    SHA1

    28a6c7eff625a2da72b932aa00a63c31234f0e7f

    SHA256

    ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

    SHA512

    2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    1KB

    MD5

    d8d4ffa229d4250bce27b9a585935da4

    SHA1

    377b132c0d36dcdd82b76a1145fd3c222762a271

    SHA256

    5fa4720a104c7d8b184cba7e1415a138683f974e257e6a5ac694f7c40fc9f5f9

    SHA512

    68dfa1ba2cfa51e026438d25563ee5d9442a766b99762e90737bc2cf9d4166a87d81451d9205fd849f6045e1a81f6e8c4f8e53a942d49efcf59450cfe2e9c6bb

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    1KB

    MD5

    27ca4da1b37525530407e739b44d65ef

    SHA1

    80631febc3cfcea1db482cb0312748dc7f9ea64f

    SHA256

    4fb77b04e9f01edb36a87d68f59ccf83ea0726f372c9b4a662d96078fd5b8788

    SHA512

    b21af98a603be39057a09357c88d1776d188e610d4e59325da973840e8a1518fa78fd6fc43957a30bbf4e59e22fba9d8bad1379aaf9869d876c0369e250c89b8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore.jsonlz4

    Filesize

    1KB

    MD5

    3742aaf5831df98edf8f4fe1e50d5f62

    SHA1

    d778b5b5382c13c702f7904ceacaf393d417bf99

    SHA256

    fcbcf4c22911d41c155d69d20a2d4ef7430cd10f8654ac0581d8ab68be84cbe0

    SHA512

    77ff2392c18333696c50eefbf28c411f4c97bdc3f62a852e58517eea40b817e210af5d059ea477cccbe77ec30bd2847257f36a58ddf7cd2fa9f3d68e94e21858

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

    Filesize

    184KB

    MD5

    16c8db3f0a558fffc770789a5cd70075

    SHA1

    5a6f439823dfeeea1c1554e1cce6098ddfd312af

    SHA256

    4a428bcdd752689338bdf7d13054a7645f614c76f79b032031d33c9a3028ddcb

    SHA512

    da23637189a6d1f01387bd9b7ee618f501a16b467ee8bc627d529b6de6782c2007b8fc83f7fae4f8a20430bfb9ead9c40c7adafb50d6c3febb39e455869c3017

  • memory/4464-116-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

  • memory/4464-117-0x0000000002830000-0x0000000002986000-memory.dmp

    Filesize

    1.3MB

  • memory/4464-118-0x0000000000400000-0x00000000005E4000-memory.dmp

    Filesize

    1.9MB