Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

FieroHack/...ck.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    35s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 02:20 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FieroHack/FieroHack.exe

  • Size

    841.5MB

  • MD5

    4391a7a45800488b546cabf6a4de419b

  • SHA1

    3736dddcf7b8e9d92ce0fe4cca8943f837363474

  • SHA256

    02a694b8995187b59915bbc597b403431ada5255955531f03e5a8ed1a516872c

  • SHA512

    ed65614fec0639af9325caed915b7300a49780c166eeeadfb6fa158933ad09d3529e5b25da98ed5b6e95b9ac7ad5b3f171f358a27d73490a22181bcea61aa903

  • SSDEEP

    98304:W+dazBjv4Wls4S9sRJBGuPycYTTk6iG5:5dWBefaBG7G

Score
9/10
credential_accessdiscoveryevasionexecutionpersistencespywarestealer

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FieroHack\FieroHack.exe
    "C:\Users\Admin\AppData\Local\Temp\FieroHack\FieroHack.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Roaming\WeAura.exe
      C:\Users\Admin\AppData\Roaming\WeAura.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3416
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4548
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3100
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
            PID:1148
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:3720
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:4076
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          3⤵
          • Launches sc.exe
          PID:616
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          3⤵
          • Launches sc.exe
          PID:2240
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          3⤵
          • Launches sc.exe
          PID:320
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:2868
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:2616
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3688
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1680
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "XJIRZFGV"
          3⤵
          • Launches sc.exe
          PID:5020
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "XJIRZFGV" binpath= "C:\ProgramData\fmtjrnlncwpn\diltklqafxsg.exe" start= "auto"
          3⤵
          • Launches sc.exe
          PID:1204
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          3⤵
          • Launches sc.exe
          PID:4684
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "XJIRZFGV"
          3⤵
          • Launches sc.exe
          PID:4352
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeAura.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4144
          • C:\Windows\system32\choice.exe
            choice /C Y /N /D Y /T 3
            4⤵
              PID:3516
        • C:\Users\Admin\AppData\Roaming\Sirus.exe
          C:\Users\Admin\AppData\Roaming\Sirus.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3236
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1292
      • C:\ProgramData\fmtjrnlncwpn\diltklqafxsg.exe
        C:\ProgramData\fmtjrnlncwpn\diltklqafxsg.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:60
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4048
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4172
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            3⤵
              PID:4588
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop UsoSvc
            2⤵
            • Launches sc.exe
            PID:5060
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            2⤵
            • Launches sc.exe
            PID:2404
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop wuauserv
            2⤵
            • Launches sc.exe
            PID:4336
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop bits
            2⤵
            • Launches sc.exe
            PID:4856
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop dosvc
            2⤵
            • Launches sc.exe
            PID:1848
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            2⤵
            • Power Settings
            PID:224
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            2⤵
            • Power Settings
            PID:3192
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            2⤵
            • Power Settings
            PID:1512
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            2⤵
            • Power Settings
            PID:1088
          • C:\Windows\system32\conhost.exe
            C:\Windows\system32\conhost.exe
            2⤵
              PID:1444

          Network

          • flag-us
            DNS
            8.8.8.8.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            8.8.8.8.in-addr.arpa
            IN PTR
            Response
            8.8.8.8.in-addr.arpa
            IN PTR
            dnsgoogle
          • flag-us
            DNS
            2.159.190.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            2.159.190.20.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            97.17.167.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            97.17.167.52.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            172.210.232.199.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            172.210.232.199.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            248.252.92.91.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            248.252.92.91.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            56.163.245.4.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            56.163.245.4.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            206.23.85.13.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            206.23.85.13.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            92.12.20.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            92.12.20.2.in-addr.arpa
            IN PTR
            Response
            92.12.20.2.in-addr.arpa
            IN PTR
            a2-20-12-92deploystaticakamaitechnologiescom
          • 91.92.252.248:3058
            RegAsm.exe
            516.9kB
             29.6kB
             414
            171
          • 8.8.8.8:53
            8.8.8.8.in-addr.arpa
            dns
            66 B
             90 B
             1
            1

            DNS Request

            8.8.8.8.in-addr.arpa

          • 8.8.8.8:53
            2.159.190.20.in-addr.arpa
            dns
            71 B
             157 B
             1
            1

            DNS Request

            2.159.190.20.in-addr.arpa

          • 8.8.8.8:53
            97.17.167.52.in-addr.arpa
            dns
            71 B
             145 B
             1
            1

            DNS Request

            97.17.167.52.in-addr.arpa

          • 8.8.8.8:53
            172.210.232.199.in-addr.arpa
            dns
            74 B
             128 B
             1
            1

            DNS Request

            172.210.232.199.in-addr.arpa

          • 8.8.8.8:53
            248.252.92.91.in-addr.arpa
            dns
            72 B
             132 B
             1
            1

            DNS Request

            248.252.92.91.in-addr.arpa

          • 8.8.8.8:53
            56.163.245.4.in-addr.arpa
            dns
            71 B
             157 B
             1
            1

            DNS Request

            56.163.245.4.in-addr.arpa

          • 8.8.8.8:53
            206.23.85.13.in-addr.arpa
            dns
            71 B
             145 B
             1
            1

            DNS Request

            206.23.85.13.in-addr.arpa

          • 8.8.8.8:53
            92.12.20.2.in-addr.arpa
            dns
            69 B
             131 B
             1
            1

            DNS Request

            92.12.20.2.in-addr.arpa

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          System Services

          2
          T1569

          Service Execution

          2
          T1569.002

          Persistence

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Power Settings

          1
          T1653

          Privilege Escalation

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Defense Evasion

          Impair Defenses

          1
          T1562

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          2
          T1552

          Credentials In Files

          2
          T1552.001

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          2
          T1005

          Command and Control

          Exfiltration

          Impact

          Service Stop

          1
          T1489

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wma0o0bq.ixq.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/60-84-0x00007FFD562F0000-0x00007FFD5638E000-memory.dmp

            Filesize

            632KB

            Download

          • memory/60-75-0x00007FF73C490000-0x00007FF73C9D5000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/60-74-0x00007FF73C490000-0x00007FF73C9D5000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/60-76-0x00007FF73C490000-0x00007FF73C9D5000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/60-77-0x00007FF73C490000-0x00007FF73C9D5000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/60-79-0x00007FF73C490000-0x00007FF73C9D5000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/60-80-0x000002116A910000-0x000002116A970000-memory.dmp

            Filesize

            384KB

            Download

          • memory/60-78-0x00007FF73C490000-0x00007FF73C9D5000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/1292-45-0x0000000009820000-0x0000000009896000-memory.dmp

            Filesize

            472KB

            Download

          • memory/1292-35-0x00000000055C0000-0x0000000005652000-memory.dmp

            Filesize

            584KB

            Download

          • memory/1292-41-0x0000000008900000-0x000000000894C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1292-48-0x000000000AB70000-0x000000000B09C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/1292-47-0x000000000A470000-0x000000000A632000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1292-46-0x0000000008BB0000-0x0000000008BCE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1292-40-0x0000000008770000-0x00000000087AC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/1292-44-0x0000000008C40000-0x0000000008CA6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1292-38-0x00000000087F0000-0x00000000088FA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1292-37-0x0000000008CC0000-0x00000000092D8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/1292-31-0x0000000000400000-0x0000000000476000-memory.dmp

            Filesize

            472KB

            Download

          • memory/1292-36-0x0000000005580000-0x000000000558A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1292-34-0x0000000005A90000-0x0000000006034000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/1292-39-0x0000000008710000-0x0000000008722000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1444-119-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3236-33-0x0000000074D10000-0x00000000754C0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3236-29-0x0000000074D10000-0x00000000754C0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3236-28-0x0000000000430000-0x00000000004AA000-memory.dmp

            Filesize

            488KB

            Download

          • memory/3236-27-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3416-17-0x0000024459910000-0x0000024459911000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3416-7-0x00007FF6F7620000-0x00007FF6F7B65000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/3416-6-0x00007FF6F78B1000-0x00007FF6F7B65000-memory.dmp

            Filesize

            2.7MB

            Download

          • memory/3416-20-0x00007FFD56850000-0x00007FFD56A45000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/3416-21-0x00007FFD54520000-0x00007FFD547E9000-memory.dmp

            Filesize

            2.8MB

            Download

          • memory/3416-22-0x00007FFD562F0000-0x00007FFD5638E000-memory.dmp

            Filesize

            632KB

            Download

          • memory/3416-19-0x00007FF6F7620000-0x00007FF6F7B65000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/3416-16-0x00007FFD562F0000-0x00007FFD5638E000-memory.dmp

            Filesize

            632KB

            Download

          • memory/3416-62-0x00007FF6F7620000-0x00007FF6F7B65000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/3416-65-0x00007FFD562F0000-0x00007FFD5638E000-memory.dmp

            Filesize

            632KB

            Download

          • memory/3416-70-0x00007FFD562F0000-0x00007FFD5638E000-memory.dmp

            Filesize

            632KB

            Download

          • memory/3416-71-0x00007FF6F7620000-0x00007FF6F7B65000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/3416-69-0x00007FFD54520000-0x00007FFD547E9000-memory.dmp

            Filesize

            2.8MB

            Download

          • memory/3416-68-0x00007FFD56850000-0x00007FFD56A45000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/3416-12-0x00007FF6F7620000-0x00007FF6F7B65000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/3416-26-0x00007FF6F78B1000-0x00007FF6F7B65000-memory.dmp

            Filesize

            2.7MB

            Download

          • memory/3416-10-0x00007FF6F7620000-0x00007FF6F7B65000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/3416-8-0x00007FF6F7620000-0x00007FF6F7B65000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/3416-9-0x00007FF6F7620000-0x00007FF6F7B65000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/3416-11-0x0000024459890000-0x00000244598F0000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3416-4-0x00007FF6F7620000-0x00007FF6F7B65000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/3416-5-0x00007FF6F7620000-0x00007FF6F7B65000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/4048-104-0x000001A450B00000-0x000001A450B1C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4048-105-0x000001A452ED0000-0x000001A452F85000-memory.dmp

            Filesize

            724KB

            Download

          • memory/4048-106-0x000001A438650000-0x000001A43865A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4048-107-0x000001A4530D0000-0x000001A4530EC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4048-108-0x000001A438660000-0x000001A43866A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4048-109-0x000001A4530F0000-0x000001A45310A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4048-110-0x000001A450B20000-0x000001A450B28000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4048-111-0x000001A450B30000-0x000001A450B36000-memory.dmp

            Filesize

            24KB

            Download

          • memory/4048-112-0x000001A450B40000-0x000001A450B4A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4548-49-0x000001AF69080000-0x000001AF690A2000-memory.dmp

            Filesize

            136KB

            Download

          We care about your privacy.

          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.