Analysis Overview
SHA256
89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4
Threat Level: Known bad
The file 89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.bin was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessExOtherParentProcess
44Caliber
44caliber family
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-03 17:38
Signatures
44caliber family
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-01 18:12
Reported
2022-03-01 18:16
Platform
win7-en-20211208
Max time kernel
131s
Max time network
128s
Command Line
Signatures
44Caliber
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 624 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe | C:\Windows\system32\WerFault.exe |
| PID 624 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe | C:\Windows\system32\WerFault.exe |
| PID 624 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe
"C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 624 -s 1184
Network
Files
memory/624-55-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp
memory/624-56-0x0000000001380000-0x00000000013D2000-memory.dmp
memory/624-57-0x000000001B1E0000-0x000000001B1E2000-memory.dmp
memory/1516-58-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp
memory/1516-59-0x0000000000410000-0x0000000000411000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-01 18:12
Reported
2022-03-01 18:15
Platform
win10v2004-en-20220113
Max time kernel
147s
Max time network
152s
Command Line
Signatures
44Caliber
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5012 created 2368 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5012 wrote to memory of 2368 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe |
| PID 5012 wrote to memory of 2368 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe
"C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2368 -ip 2368
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2368 -s 1668
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 188.114.97.0:443 | freegeoip.app | tcp |
| NL | 88.221.144.170:80 | tcp | |
| NL | 88.221.144.170:80 | tcp |
Files
memory/2368-130-0x0000020795330000-0x0000020795382000-memory.dmp
memory/2368-131-0x00007FFBF69B3000-0x00007FFBF69B5000-memory.dmp
memory/2368-132-0x00000207956F0000-0x00000207956F2000-memory.dmp