Malware Analysis Report

2024-11-15 06:30

Sample ID: 220301-wtak2scfdn
Target: 89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.bin
SHA256: 89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4
Tags: 44caliber spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4

Threat Level: Known bad

The file 89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.bin was found to be: Known bad.

Malicious Activity Summary

44caliber spyware stealer

Suspicious use of NtCreateProcessExOtherParentProcess

44Caliber

44caliber family

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-03 17:38

Signatures

44caliber family

44caliber

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-01 18:12
Reported: 2022-03-01 18:16
Platform: win7-en-20211208
Max time kernel: 131s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe"

Signatures

44Caliber

stealer 44caliber

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\WerFault.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe

"C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 624 -s 1184

Network

N/A

Files

memory/624-55-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

memory/624-56-0x0000000001380000-0x00000000013D2000-memory.dmp

memory/624-57-0x000000001B1E0000-0x000000001B1E2000-memory.dmp

memory/1516-58-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp

memory/1516-59-0x0000000000410000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-03-01 18:12
Reported: 2022-03-01 18:15
Platform: win10v2004-en-20220113
Max time kernel: 147s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe"

Signatures

44Caliber

stealer 44caliber

Suspicious use of NtCreateProcessExOtherParentProcess

Description | Indicator | Process | Target
PID 5012 created 2368 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe

"C:\Users\Admin\AppData\Local\Temp\89e5c693e84a62055fcf6e38acb193d544c3347754a39d86ab7b6319742bb1f4.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 2368 -ip 2368

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2368 -s 1668

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | freegeoip.app | udp
US | 188.114.97.0:443 | freegeoip.app | tcp
NL | 88.221.144.170:80 | | tcp
NL | 88.221.144.170:80 | | tcp

Files

memory/2368-130-0x0000020795330000-0x0000020795382000-memory.dmp

memory/2368-131-0x00007FFBF69B3000-0x00007FFBF69B5000-memory.dmp

memory/2368-132-0x00000207956F0000-0x00000207956F2000-memory.dmp