Analysis Overview
SHA256
1045b0b441c50d7268f9fbcc19a23093f9efae22c0fc006a28e11190f7115fa4
Threat Level: Known bad
The file 1045b0b441c50d7268f9fbcc19a23093f9efae22c0fc006a28e11190f7115fa4 was found to be: Known bad.
Malicious Activity Summary
Fickerstealer
Looks up external IP address via web service
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-31 09:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-31 09:20
Reported
2024-07-31 09:22
Platform
win7-20240729-en
Max time kernel
140s
Max time network
121s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2232 set thread context of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| RU | 188.120.251.192:80 | | tcp |
Files
memory/2232-5-0x0000000000220000-0x0000000000264000-memory.dmp
memory/2144-8-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2232-7-0x00000000008D0000-0x00000000009D0000-memory.dmp
memory/2144-3-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2144-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2144-6-0x0000000000400000-0x0000000000447000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 907326301a53876360553d631f2775c4 |
| SHA1 | e900c12c18a7295611f3e2234bc68e8dc0501e06 |
| SHA256 | d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8 |
| SHA512 | 435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa |
memory/2144-14-0x0000000000400000-0x0000000000447000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-31 09:20
Reported
2024-07-31 09:22
Platform
win10v2004-20240730-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3504 set thread context of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| RU | 188.120.251.192:80 | | tcp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.251.120.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/3504-1-0x0000000000700000-0x0000000000800000-memory.dmp
memory/3504-2-0x0000000000490000-0x00000000004D4000-memory.dmp
memory/3628-3-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3628-5-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3628-6-0x0000000000400000-0x0000000000447000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 907326301a53876360553d631f2775c4 |
| SHA1 | e900c12c18a7295611f3e2234bc68e8dc0501e06 |
| SHA256 | d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8 |
| SHA512 | 435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa |
memory/3628-12-0x0000000000400000-0x0000000000447000-memory.dmp
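The signature, network and memory-dump tables in both behavioral runs describe the same three things a triager cares about: a cross-process SetThreadContext from the sample into a second copy of itself (together with WriteProcessMemory, the shape of process hollowing), an external-IP lookup against api.ipify.org, and a direct TCP connection to 188.120.251.192:80 with no associated hostname. The script below is an added example, not code from the report or from the sandbox vendor; it re-types the behavioral1 rows as constructed Python literals (the sandbox has no such API; the row layout and the `IP_LOOKUP_SERVICES` allow-list are assumptions) and shows how to turn those rows into reviewable findings while dropping resolver and reverse-DNS noise.

```python
"""Triage helper for sandbox-style signature, network and memory-dump rows.

Added example; the row layouts below are constructed from the report's tables and
are not a documented sandbox format.
"""
import re

# Constructed from the behavioral1 tables in the report.
SIGNATURE_EVENTS = ["PID 2232 set thread context of 2144"]
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
PROCESSES = {2232: SAMPLE_PATH, 2144: SAMPLE_PATH}
NETWORK_ROWS = [  # (country, destination, domain, proto)
    ("US", "8.8.8.8:53", "api.ipify.org", "udp"),
    ("US", "104.26.13.205:80", "api.ipify.org", "tcp"),
    ("RU", "188.120.251.192:80", "", "tcp"),
    ("US", "8.8.8.8:53", "192.251.120.188.in-addr.arpa", "udp"),
]
MEMORY_DUMPS = [
    "memory/2232-5-0x0000000000220000-0x0000000000264000-memory.dmp",
    "memory/2144-8-0x0000000000400000-0x0000000000447000-memory.dmp",
    "memory/2232-7-0x00000000008D0000-0x00000000009D0000-memory.dmp",
    "memory/2144-3-0x0000000000400000-0x0000000000447000-memory.dmp",
    "memory/2144-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2144-6-0x0000000000400000-0x0000000000447000-memory.dmp",
    "memory/2144-14-0x0000000000400000-0x0000000000447000-memory.dmp",
]

# Assumption: a small allow-list of public "what is my IP" services you maintain yourself.
IP_LOOKUP_SERVICES = {"api.ipify.org"}
RESOLVER = "8.8.8.8:53"  # the sandbox's DNS resolver; its traffic is not an IOC

SET_CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def find_hollowing_candidates(events, processes):
    """Flag cross-process SetThreadContext; note when source and target run the same image."""
    findings = []
    for ev in events:
        m = SET_CTX_RE.search(ev)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        if src == dst:
            continue  # a process changing the context of its own threads is routine
        findings.append({
            "source": src,
            "target": dst,
            "same_image": processes.get(src) == processes.get(dst),
        })
    return findings


def extract_network_iocs(rows, resolver=RESOLVER):
    """Split rows into (iocs, noise): resolver traffic and in-addr.arpa lookups are noise."""
    iocs, noise = [], []
    for country, dest, domain, proto in rows:
        if dest == resolver or domain.endswith(".in-addr.arpa"):
            noise.append((dest, domain))
            continue
        if domain in IP_LOOKUP_SERVICES:
            tag = "external-ip-discovery"
        elif not domain:
            tag = "direct-ip"  # no hostname seen: the destination itself is the indicator
        else:
            tag = "domain"
        iocs.append({"dest": dest, "domain": domain or None, "proto": proto,
                     "country": country, "tag": tag})
    return iocs, noise


def image_region_dumps(dumps, pid, image_base=0x400000):
    """Return the dump names covering `pid`'s region at `image_base`.

    For the injection target these are the dumps to diff against the on-disk
    binary when checking whether its image was replaced.
    """
    hits = []
    for name in dumps:
        m = DUMP_RE.match(name)
        if m and int(m.group(1)) == pid and int(m.group(2), 16) == image_base:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for f in find_hollowing_candidates(SIGNATURE_EVENTS, PROCESSES):
        print("injection:", f)
    iocs, noise = extract_network_iocs(NETWORK_ROWS)
    for i in iocs:
        print("ioc:", i)
    print("dropped as noise:", noise)
    print("target image dumps:", image_region_dumps(MEMORY_DUMPS, 2144))
```

Run against the behavioral1 rows, the hollowing check returns a single finding for 2232 -> 2144 with `same_image` true, the network pass keeps api.ipify.org (tagged as external-IP discovery) and 188.120.251.192:80 (tagged direct-ip) while discarding the resolver and reverse-lookup rows, and the dump filter returns the four dumps of 2144's 0x400000 region. Feeding the behavioral2 rows through the same functions (PIDs 3504 and 3628, the extra g.bing.com and in-addr.arpa rows) gives the same two indicators, which is the point of the filter: the analyst sees the same shortlist regardless of which sandbox OS image produced the noise.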