Analysis
- max time kernel: 112s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 01-03-2022 18:14
Static task: static1
Behavioral task: behavioral1
Sample: f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
Resource: win7-en-20211208
General
- Target: f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
- Size: 252KB
- MD5: 727f871c6a9151b9c7edd435b2e0a4a0
- SHA1: 2a857cbe7c20a04cb668045d8f2bb0241ec7a4ce
- SHA256: f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9
- SHA512: f95ce1f9b33d38c3ac4e66ad945673c35aa730dacb0bc9426367f28241a79daa9a51ad145526f6aed8034972168ed55cf4e432e1a257fc9a72ca913cb93cb6d4
Malware Config
Extracted
- 44caliber
- https://discordapp.com/api/webhooks/941986689709137930/LKCHnOiVuh0n3jE7BdB9bpDlzvK0fX8pEXx58iWJcCPcde_CC8MD15H7kSkIFx040A5u
Signatures
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  14    freegeoip.app
  15    freegeoip.app
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                          Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3780  f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
  3780  f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
  3780  f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
  3780  f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  3780  f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
"C:\Users\Admin\AppData\Local\Temp\f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe"
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3780
Network
-
Remote address: 8.8.8.8:53
Request
  freegeoip.app  IN A
Response
  freegeoip.app  IN A  188.114.96.0
  freegeoip.app  IN A  188.114.97.0
-
Remote address: 188.114.96.0:443
Request
GET /xml/ HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: application/xml
Content-Length: 334
Connection: keep-alive
RateLimit-Limit: 1200
RateLimit-Remaining: 1171
RateLimit-Reset: 2590
X-RateLimit-Limit-Hour: 1200
X-RateLimit-Remaining-Hour: 1171
Vary: Origin
vary: Origin
X-Database-Date: Thu, 24 Feb 2022 15:28:15 GMT
Access-Control-Allow-Origin: *
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 1
Via: kong/2.5.1
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Zo4y8qN00kRyEdPdS35JbZVoTSpJ4cyUzytvYOzp%2FqY2Pv1LDa5pKxLdSuGKxcmrpjWttjtXFFoF%2BcM8SjQeuOOo99r%2FfEyjq8ZPTYWGYfIsNuPQByvPKsoTuo%2FS7Rap"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6e53e2d2ec050c65-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request
  geo.prod.do.dsp.mp.microsoft.com  IN A
Response
  geo.prod.do.dsp.mp.microsoft.com       IN CNAME  geo.prod.do.dsp.trafficmanager.net
  geo.prod.do.dsp.trafficmanager.net     IN CNAME  array509.prod.do.dsp.mp.microsoft.com
  array509.prod.do.dsp.mp.microsoft.com  IN A      52.184.217.56
-
Remote address: 8.8.8.8:53
Request
  kv801.prod.do.dsp.mp.microsoft.com  IN A
Response
  kv801.prod.do.dsp.mp.microsoft.com              IN CNAME  kv801.prod.do.dsp.mp.microsoft.com.edgekey.net
  kv801.prod.do.dsp.mp.microsoft.com.edgekey.net  IN CNAME  e12437.g.akamaiedge.net
  e12437.g.akamaiedge.net                         IN A      184.29.205.60
-
GET https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=6
Remote address: 184.29.205.60:443
Request
GET /all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=6 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Microsoft-Delivery-Optimization/10.0
MS-CV: f3lgBz9Db0G0OZms.2.1.1
Content-Length: 0
Host: kv801.prod.do.dsp.mp.microsoft.com
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 808
Cache-Control: max-age=58
Date: Tue, 01 Mar 2022 18:17:06 GMT
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request
  cp801.prod.do.dsp.mp.microsoft.com  IN A
Response
  cp801.prod.do.dsp.mp.microsoft.com              IN CNAME  cp801.prod.do.dsp.mp.microsoft.com.edgekey.net
  cp801.prod.do.dsp.mp.microsoft.com.edgekey.net  IN CNAME  e12437.g.akamaiedge.net
  e12437.g.akamaiedge.net                         IN A      184.29.205.60
-
GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6
Remote address: 184.29.205.60:443
Request
GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Microsoft-Delivery-Optimization/10.0
MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.1.1.1
Content-Length: 0
Host: cp801.prod.do.dsp.mp.microsoft.com
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 366
Cache-Control: max-age=33100
Date: Tue, 01 Mar 2022 18:17:06 GMT
Connection: keep-alive
-
GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6
Remote address: 184.29.205.60:443
Request
GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Microsoft-Delivery-Optimization/10.0
MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.2.1.1
Content-Length: 0
Host: cp801.prod.do.dsp.mp.microsoft.com
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 366
Cache-Control: max-age=33100
Date: Tue, 01 Mar 2022 18:17:06 GMT
Connection: keep-alive
-
322 B | 7
-
260 B | 5
-
188.114.96.0:443 | https://freegeoip.app/xml/ | tls, http | f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe | 766 B | 4.5kB | 9 | 8
  HTTP Request
    GET https://freegeoip.app/xml/
  HTTP Response
    200
-
1.2kB | 3.5kB | 12 | 9
-
184.29.205.60:443 | https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=6 | tls, http | 1.2kB | 7.8kB | 11 | 13
  HTTP Request
    GET https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=6
  HTTP Response
    200
-
184.29.205.60:443 | https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6 | tls, http | 1.4kB | 7.3kB | 11 | 13
  HTTP Request
    GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6
  HTTP Response
    200
-
184.29.205.60:443 | https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6 | tls, http | 1.4kB | 7.3kB | 11 | 13
  HTTP Request
    GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6
  HTTP Response
    200
-
322 B | 7
-
322 B | 7
-
59 B | 91 B | 1 | 1
  DNS Request
    freegeoip.app
  DNS Response
    188.114.96.0
    188.114.97.0
-
78 B | 165 B | 1 | 1
  DNS Request
    geo.prod.do.dsp.mp.microsoft.com
  DNS Response
    52.184.217.56
-
80 B | 190 B | 1 | 1
  DNS Request
    kv801.prod.do.dsp.mp.microsoft.com
  DNS Response
    184.29.205.60
-
80 B | 190 B | 1 | 1
  DNS Request
    cp801.prod.do.dsp.mp.microsoft.com
  DNS Response
    184.29.205.60