Analysis Overview
SHA256
7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206
Threat Level: Known bad
The file Setup.exe was found to be: Known bad.
Malicious Activity Summary
Fickerstealer
Looks up external IP address via web service
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-07-31 16:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-31 16:13
Reported
2023-07-31 16:17
Platform
win7-20230712-en
Max time kernel
22s
Max time network
33s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1168
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.76:80 | api.ipify.org | tcp |
Files
memory/2224-53-0x0000000000240000-0x00000000002BB000-memory.dmp
memory/2224-54-0x0000000033950000-0x0000000033AD0000-memory.dmp
memory/1092-57-0x00000000774DF000-0x00000000774E0000-memory.dmp
memory/1092-58-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1092-55-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1092-60-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1092-62-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1092-63-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2224-64-0x0000000000240000-0x00000000002BB000-memory.dmp
memory/2224-56-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1092-61-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1092-65-0x0000000000400000-0x0000000000466000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-31 16:13
Reported
2023-07-31 16:22
Platform
win10v2004-20230703-en
Max time kernel
306s
Max time network
320s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.76:80 | api.ipify.org | tcp |
| RU | 45.93.201.181:80 | | tcp |
| US | 8.8.8.8:53 | 76.16.231.173.in-addr.arpa | udp |
| RU | 45.93.201.181:80 | | tcp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 2.19.194.90:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 90.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| RU | 45.93.201.181:80 | | tcp |
| US | 8.8.8.8:53 | 163.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| RU | 45.93.201.181:80 | | tcp |
| US | 8.8.8.8:53 | 254.209.247.8.in-addr.arpa | udp |
| RU | 45.93.201.181:80 | | tcp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| RU | 45.93.201.181:80 | | tcp |
| RU | 45.93.201.181:80 | | tcp |
| RU | 45.93.201.181:80 | | tcp |
| RU | 45.93.201.181:80 | | tcp |
| RU | 45.93.201.181:80 | | tcp |
| RU | 45.93.201.181:80 | | tcp |
| RU | 45.93.201.181:80 | | tcp |
| RU | 45.93.201.181:80 | | tcp |
| RU | 45.93.201.181:80 | | tcp |
Files
memory/3332-133-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3332-134-0x0000000032070000-0x00000000320EB000-memory.dmp
memory/3332-135-0x0000000077682000-0x0000000077683000-memory.dmp
memory/3332-136-0x0000000033C30000-0x0000000033DD3000-memory.dmp
memory/4804-139-0x0000000000400000-0x0000000000466000-memory.dmp
memory/4804-137-0x0000000077682000-0x0000000077683000-memory.dmp
memory/4804-140-0x0000000000400000-0x0000000000466000-memory.dmp
memory/3332-144-0x0000000032070000-0x00000000320EB000-memory.dmp
memory/4804-143-0x0000000000400000-0x0000000000466000-memory.dmp
memory/4804-145-0x00000000001C0000-0x00000000001C1000-memory.dmp
C:\ProgramData\krosqm.txt
| Hash | Value |
|---|---|
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |
memory/4804-151-0x0000000000400000-0x0000000000466000-memory.dmp