Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-03-2022 18:13

General

  • Target

    c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe

  • Size

    793KB

  • MD5

    f559e77721d8cc5bd97e037c4b3472cc

  • SHA1

    f6dda6d685285301e23fd51338d0977fb5e03a6e

  • SHA256

    c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d

  • SHA512

    64d6e8d0bc9862f9eab80d0fa95fdbb42eab44efed4a90abe1a6a0c8b1a308b5940d90740beb211dd6c375b8dd1fb1706a76f484ccf439cfc3bb2ae0aacb3dd9

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/939927794656370699/MQUodH1jMxGoELXDI7vt3uVKvZAZN_FBkYRFlTiMVxHGCFnEzvPC7JNVH8-ESePeneQo

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Executes dropped EXE 2 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe
    "C:\Users\Admin\AppData\Local\Temp\c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Users\Admin\AppData\Local\Temp\loader_2.exe
      "C:\Users\Admin\AppData\Local\Temp\loader_2.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3548
    • C:\Users\Admin\AppData\Local\Temp\example.exe
      "C:\Users\Admin\AppData\Local\Temp\example.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:616
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:712
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1952
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2588
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\system32\sc.exe
          sc stop HTTPDebuggerPro
          4⤵
          PID:3860
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Windows\system32\taskkill.exe
          taskkill /IM HTTPDebuggerSvc.exe /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4404
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
        3⤵
        PID:4368
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:800
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3576
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4288
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4700
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1308
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Windows\system32\sc.exe
          sc stop HTTPDebuggerPro
          4⤵
          PID:1244
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\system32\taskkill.exe
          taskkill /IM HTTPDebuggerSvc.exe /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3836
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
        3⤵
        PID:4948
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4224
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1880
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4324
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3108
        • C:\Windows\system32\sc.exe
          sc stop HTTPDebuggerPro
          4⤵
          PID:4500
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        3⤵
        PID:4508
        • C:\Windows\system32\taskkill.exe
          taskkill /IM HTTPDebuggerSvc.exe /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4612
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
        3⤵
        PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Modify Existing Service (T1031), 1
  • Defense Evasion: Impair Defenses (T1562), 1
  • Credential Access: Credentials in Files (T1081), 2
  • Discovery: Query Registry (T1012), 2; System Information Discovery (T1082), 3
  • Collection: Data from Local System (T1005), 2
  • Impact: Service Stop (T1489), 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\example.exe
    MD5: 009ea83f03fdd2d1da3fc57e118f137f
    SHA1: e1f07d0577636f8df4e50d2e45b83dd1d17ef875
    SHA256: a4af83b6cfeb0471b5c38a3ca3a118d5bab056dc05db1883ddc751430140bb3c
    SHA512: 32a0a12c3ce7046e6a2bcb45e958b2030fa158be51b3d485f9cf6b18a5c2c50e307c7ce928da74e3f0095de4c3a0999b6059deaf28a3632ce954f55fc4613fd7

  • C:\Users\Admin\AppData\Local\Temp\loader_2.exe
    MD5: f16b30ce57b3d0678d55d91953597faa
    SHA1: 7348bfa2fd87b1e5f556c54fa650eb376c60006d
    SHA256: d4515c61a5b8ec675d401277f69a863e6ef01875e749e027ef6bde29674fc291
    SHA512: fe22efa8d7ac0688be13b3fa2e168c9adfc5afa5d39132213a45f1ea1b9d2cd550f15655885cd819c6b8f94381f69620281b38ec907c5d0070d4442baf99f448

  • memory/3548-132-0x0000000000310000-0x000000000035A000-memory.dmp
    Filesize: 296KB

  • memory/3548-135-0x00007FFC86943000-0x00007FFC86945000-memory.dmp
    Filesize: 8KB

  • memory/3548-136-0x00000000024D0000-0x00000000024D2000-memory.dmp
    Filesize: 8KB