Analysis

  • max time kernel
    4294181s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    01-03-2022 18:13

General

  • Target

    c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe

  • Size

    793KB

  • MD5

    f559e77721d8cc5bd97e037c4b3472cc

  • SHA1

    f6dda6d685285301e23fd51338d0977fb5e03a6e

  • SHA256

    c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d

  • SHA512

    64d6e8d0bc9862f9eab80d0fa95fdbb42eab44efed4a90abe1a6a0c8b1a308b5940d90740beb211dd6c375b8dd1fb1706a76f484ccf439cfc3bb2ae0aacb3dd9

Malware Config

Extracted

  • Family
    44caliber
  • C2
    https://discord.com/api/webhooks/939927794656370699/MQUodH1jMxGoELXDI7vt3uVKvZAZN_FBkYRFlTiMVxHGCFnEzvPC7JNVH8-ESePeneQo

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Executes dropped EXE (2 IoCs)
  • Stops running service(s) (3 TTPs)
  • Loads dropped DLL (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill (12 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (13 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe
    "C:\Users\Admin\AppData\Local\Temp\c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\loader_2.exe
      "C:\Users\Admin\AppData\Local\Temp\loader_2.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1956
    • C:\Users\Admin\AppData\Local\Temp\example.exe
      "C:\Users\Admin\AppData\Local\Temp\example.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1500
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2012
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2028
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\system32\sc.exe
          sc stop HTTPDebuggerPro
          4⤵
          PID:816
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Windows\system32\taskkill.exe
          taskkill /IM HTTPDebuggerSvc.exe /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1316
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
        3⤵
        PID:1572
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1348
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1328
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1160
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1536
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        3⤵
        PID:1532
        • C:\Windows\system32\taskkill.exe
          taskkill /IM HTTPDebuggerSvc.exe /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1116
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
        3⤵
        PID:1472
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        3⤵
        PID:1804
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1496
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        3⤵
        PID:1112
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1932
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        3⤵
        PID:1752
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1480
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        3⤵
        PID:2000
        • C:\Windows\system32\sc.exe
          sc stop HTTPDebuggerPro
          4⤵
          PID:1924
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        3⤵
        PID:1836
        • C:\Windows\system32\taskkill.exe
          taskkill /IM HTTPDebuggerSvc.exe /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:996
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
        3⤵
        PID:1396
  • C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    1⤵
    PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Modify Existing Service (T1031): 1
  • Defense Evasion
    Impair Defenses (T1562): 1
  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    System Information Discovery (T1082): 2
    Query Registry (T1012): 1
  • Collection
    Data from Local System (T1005): 2
  • Impact
    Service Stop (T1489): 1
Downloads

  • C:\Users\Admin\AppData\Local\Temp\example.exe
    MD5
    009ea83f03fdd2d1da3fc57e118f137f
    SHA1
    e1f07d0577636f8df4e50d2e45b83dd1d17ef875
    SHA256
    a4af83b6cfeb0471b5c38a3ca3a118d5bab056dc05db1883ddc751430140bb3c
    SHA512
    32a0a12c3ce7046e6a2bcb45e958b2030fa158be51b3d485f9cf6b18a5c2c50e307c7ce928da74e3f0095de4c3a0999b6059deaf28a3632ce954f55fc4613fd7

  • C:\Users\Admin\AppData\Local\Temp\loader_2.exe
    MD5
    f16b30ce57b3d0678d55d91953597faa
    SHA1
    7348bfa2fd87b1e5f556c54fa650eb376c60006d
    SHA256
    d4515c61a5b8ec675d401277f69a863e6ef01875e749e027ef6bde29674fc291
    SHA512
    fe22efa8d7ac0688be13b3fa2e168c9adfc5afa5d39132213a45f1ea1b9d2cd550f15655885cd819c6b8f94381f69620281b38ec907c5d0070d4442baf99f448

  • \Users\Admin\AppData\Local\Temp\example.exe
    MD5
    009ea83f03fdd2d1da3fc57e118f137f
    SHA1
    e1f07d0577636f8df4e50d2e45b83dd1d17ef875
    SHA256
    a4af83b6cfeb0471b5c38a3ca3a118d5bab056dc05db1883ddc751430140bb3c
    SHA512
    32a0a12c3ce7046e6a2bcb45e958b2030fa158be51b3d485f9cf6b18a5c2c50e307c7ce928da74e3f0095de4c3a0999b6059deaf28a3632ce954f55fc4613fd7

  • \Users\Admin\AppData\Local\Temp\loader_2.exe
    MD5
    f16b30ce57b3d0678d55d91953597faa
    SHA1
    7348bfa2fd87b1e5f556c54fa650eb376c60006d
    SHA256
    d4515c61a5b8ec675d401277f69a863e6ef01875e749e027ef6bde29674fc291
    SHA512
    fe22efa8d7ac0688be13b3fa2e168c9adfc5afa5d39132213a45f1ea1b9d2cd550f15655885cd819c6b8f94381f69620281b38ec907c5d0070d4442baf99f448

  • memory/1096-54-0x00000000757F1000-0x00000000757F3000-memory.dmp
    Filesize
    8KB

  • memory/1956-61-0x0000000000B60000-0x0000000000BAA000-memory.dmp
    Filesize
    296KB

  • memory/1956-62-0x000007FEF4EC3000-0x000007FEF4EC4000-memory.dmp
    Filesize
    4KB

  • memory/1956-63-0x000000001B320000-0x000000001B322000-memory.dmp
    Filesize
    8KB