44caliber | d0a927970e230756281222c063f1a06b4637623794a26843381e4de3df3c277f

Analysis

max time kernel
155s
max time network
166s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D0A927970E230756281222C063F1A06B4637623794A26.exe
Size

10.5MB
MD5

9e63a0aa4f26539beeccb7180568fc4e
SHA1

649f49bfa20647858a8073a9416648b76773cfc5
SHA256

d0a927970e230756281222c063f1a06b4637623794a26843381e4de3df3c277f
SHA512

a3acd7ec1400ccc482239440450ef8df6719dd29ce6290b9f47764030a4e5b47ceb97ce74c71bb156409848e85ceaa38069d2d4113f4043883ae0a28053a546b

Score

10^/10

44caliber njrat soryman evasion persistence stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

SoryMan

us-west-11608.packetriot.net:22794

Mutex

9dc6936092ebce7762ab0f2981bc4ba4

Attributes

reg_key
9dc6936092ebce7762ab0f2981bc4ba4
splitter
@!#&^%$

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1392-54-0x0000000000EB0000-0x000000000193E000-memory.dmp	disable_win_def
\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe	disable_win_def
behavioral1/memory/836-59-0x0000000001080000-0x0000000001088000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

4 292 WScript.exe
6 292 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

TiktokSpammerTool.exeWindowsFormsApp4.exesvchosted32.exesvchost.exe

pid process

836 TiktokSpammerTool.exe
1532 WindowsFormsApp4.exe
1856 svchosted32.exe
1816 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

flow	pid	process
4	292	WScript.exe
6	292	WScript.exe

pid	process
836	TiktokSpammerTool.exe
1532	WindowsFormsApp4.exe
1856	svchosted32.exe
1816	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9dc6936092ebce7762ab0f2981bc4ba4.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9dc6936092ebce7762ab0f2981bc4ba4.exe	svchost.exe

Loads dropped DLL 4 IoCs

Processes:

D0A927970E230756281222C063F1A06B4637623794A26.exeWScript.exesvchosted32.exe

pid	process
1392	D0A927970E230756281222C063F1A06B4637623794A26.exe
1392	D0A927970E230756281222C063F1A06B4637623794A26.exe
292	WScript.exe
1856	svchosted32.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

TiktokSpammerTool.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features TiktokSpammerTool.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	TiktokSpammerTool.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9dc6936092ebce7762ab0f2981bc4ba4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\9dc6936092ebce7762ab0f2981bc4ba4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

D0A927970E230756281222C063F1A06B4637623794A26.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	D0A927970E230756281222C063F1A06B4637623794A26.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1580 powershell.exe

pid	process
1580	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1816	svchost.exe
Token: 33	1816	svchost.exe
Token: SeIncBasePriorityPrivilege	1816	svchost.exe
Token: 33	1816	svchost.exe
Token: SeIncBasePriorityPrivilege	1816	svchost.exe
Token: 33	1816	svchost.exe
Token: SeIncBasePriorityPrivilege	1816	svchost.exe
Token: 33	1816	svchost.exe
Token: SeIncBasePriorityPrivilege	1816	svchost.exe
Token: 33	1816	svchost.exe
Token: SeIncBasePriorityPrivilege	1816	svchost.exe
Token: 33	1816	svchost.exe
Token: SeIncBasePriorityPrivilege	1816	svchost.exe
Token: 33	1816	svchost.exe
Token: SeIncBasePriorityPrivilege	1816	svchost.exe
Token: 33	1816	svchost.exe
Token: SeIncBasePriorityPrivilege	1816	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

D0A927970E230756281222C063F1A06B4637623794A26.exe

pid process

1392 D0A927970E230756281222C063F1A06B4637623794A26.exe
1392 D0A927970E230756281222C063F1A06B4637623794A26.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

D0A927970E230756281222C063F1A06B4637623794A26.exeTiktokSpammerTool.exeWindowsFormsApp4.exeWScript.exesvchosted32.exesvchost.exe

description	pid	process	target process
PID 1392 wrote to memory of 836	1392	D0A927970E230756281222C063F1A06B4637623794A26.exe	TiktokSpammerTool.exe
PID 1392 wrote to memory of 836	1392	D0A927970E230756281222C063F1A06B4637623794A26.exe	TiktokSpammerTool.exe
PID 1392 wrote to memory of 836	1392	D0A927970E230756281222C063F1A06B4637623794A26.exe	TiktokSpammerTool.exe
PID 1392 wrote to memory of 836	1392	D0A927970E230756281222C063F1A06B4637623794A26.exe	TiktokSpammerTool.exe
PID 836 wrote to memory of 1580	836	TiktokSpammerTool.exe	powershell.exe
PID 836 wrote to memory of 1580	836	TiktokSpammerTool.exe	powershell.exe
PID 836 wrote to memory of 1580	836	TiktokSpammerTool.exe	powershell.exe
PID 1392 wrote to memory of 1532	1392	D0A927970E230756281222C063F1A06B4637623794A26.exe	WindowsFormsApp4.exe
PID 1392 wrote to memory of 1532	1392	D0A927970E230756281222C063F1A06B4637623794A26.exe	WindowsFormsApp4.exe
PID 1392 wrote to memory of 1532	1392	D0A927970E230756281222C063F1A06B4637623794A26.exe	WindowsFormsApp4.exe
PID 1392 wrote to memory of 1532	1392	D0A927970E230756281222C063F1A06B4637623794A26.exe	WindowsFormsApp4.exe
PID 1532 wrote to memory of 292	1532	WindowsFormsApp4.exe	WScript.exe
PID 1532 wrote to memory of 292	1532	WindowsFormsApp4.exe	WScript.exe
PID 1532 wrote to memory of 292	1532	WindowsFormsApp4.exe	WScript.exe
PID 1532 wrote to memory of 292	1532	WindowsFormsApp4.exe	WScript.exe
PID 292 wrote to memory of 1856	292	WScript.exe	svchosted32.exe
PID 292 wrote to memory of 1856	292	WScript.exe	svchosted32.exe
PID 292 wrote to memory of 1856	292	WScript.exe	svchosted32.exe
PID 292 wrote to memory of 1856	292	WScript.exe	svchosted32.exe
PID 1856 wrote to memory of 1816	1856	svchosted32.exe	svchost.exe
PID 1856 wrote to memory of 1816	1856	svchosted32.exe	svchost.exe
PID 1856 wrote to memory of 1816	1856	svchosted32.exe	svchost.exe
PID 1856 wrote to memory of 1816	1856	svchosted32.exe	svchost.exe
PID 1816 wrote to memory of 952	1816	svchost.exe	netsh.exe
PID 1816 wrote to memory of 952	1816	svchost.exe	netsh.exe
PID 1816 wrote to memory of 952	1816	svchost.exe	netsh.exe
PID 1816 wrote to memory of 952	1816	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\D0A927970E230756281222C063F1A06B4637623794A26.exe
"C:\Users\Admin\AppData\Local\Temp\D0A927970E230756281222C063F1A06B4637623794A26.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe
"C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TiktokSpam.js"
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\svchosted32.exe
"C:\Users\Admin\AppData\Local\Temp\svchosted32.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
6⤵
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TiktokSpam.js
Filesize
778B

MD5
db484f181ba5b3d4b3ab651428501009

SHA1
407e2f2525f8be6da321a4f3915ab83627fc8ef5

SHA256
59a5f971895e0e23251c91d0d9e7830c4e0f553607c7e2b72502dc66d97bc0b7

SHA512
849dbc4850ec45b350171b6a9dd961b6d02bef3d9294f79b02aaea45815e5b170001a0656a43e0e12ff9b02f01f3f57f3d6f20f23218a6aa5b30e404294f9f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe
Filesize
12KB

MD5
64a7e0429947daec5c28503be3d0d7ac

SHA1
c86c62a7f49ccb499af8eebf22950fc54dcb9bdd

SHA256
6fc10838bdf49d8dfdd5d28e223be97e3813924d9ba116ac4c3dc40e2170e772

SHA512
74c432e51a513c969e1525a9eb0babb740d0b62b81f330971fb700e47c897cfa1842aa0d4fe594219ec450654300205d6ebd77678fe8ffdcac19fcb6716814a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe
Filesize
12KB

MD5
64a7e0429947daec5c28503be3d0d7ac

SHA1
c86c62a7f49ccb499af8eebf22950fc54dcb9bdd

SHA256
6fc10838bdf49d8dfdd5d28e223be97e3813924d9ba116ac4c3dc40e2170e772

SHA512
74c432e51a513c969e1525a9eb0babb740d0b62b81f330971fb700e47c897cfa1842aa0d4fe594219ec450654300205d6ebd77678fe8ffdcac19fcb6716814a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe
Filesize
15KB

MD5
5046a2ac28aa9c84e62eb49c7581028e

SHA1
f1966bab316f3c5d5675c46bd2d8fc82cb05390e

SHA256
77204ac3121a0bf6b0d221428e829da740bb6f63fbf4858ccadb927a16a107f2

SHA512
913bab9d02cf88f6b2ee451b218c90ab73d00a8f904e9b8df2430880edc2b9410f8a1f0545f1e09fbcdef74649a1b8de5eb4298796a7f520d216d2066498fa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe
Filesize
15KB

MD5
5046a2ac28aa9c84e62eb49c7581028e

SHA1
f1966bab316f3c5d5675c46bd2d8fc82cb05390e

SHA256
77204ac3121a0bf6b0d221428e829da740bb6f63fbf4858ccadb927a16a107f2

SHA512
913bab9d02cf88f6b2ee451b218c90ab73d00a8f904e9b8df2430880edc2b9410f8a1f0545f1e09fbcdef74649a1b8de5eb4298796a7f520d216d2066498fa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
23KB

MD5
418c9939f93a41b2a91402a767ddf5ca

SHA1
284f5611c1dc4fe764cfc16303ddea7bec8d3f56

SHA256
fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a

SHA512
03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
23KB

MD5
418c9939f93a41b2a91402a767ddf5ca

SHA1
284f5611c1dc4fe764cfc16303ddea7bec8d3f56

SHA256
fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a

SHA512
03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosted32.exe
Filesize
23KB

MD5
418c9939f93a41b2a91402a767ddf5ca

SHA1
284f5611c1dc4fe764cfc16303ddea7bec8d3f56

SHA256
fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a

SHA512
03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosted32.exe
Filesize
23KB

MD5
418c9939f93a41b2a91402a767ddf5ca

SHA1
284f5611c1dc4fe764cfc16303ddea7bec8d3f56

SHA256
fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a

SHA512
03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

Download Submit
\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe
Filesize
12KB

MD5
64a7e0429947daec5c28503be3d0d7ac

SHA1
c86c62a7f49ccb499af8eebf22950fc54dcb9bdd

SHA256
6fc10838bdf49d8dfdd5d28e223be97e3813924d9ba116ac4c3dc40e2170e772

SHA512
74c432e51a513c969e1525a9eb0babb740d0b62b81f330971fb700e47c897cfa1842aa0d4fe594219ec450654300205d6ebd77678fe8ffdcac19fcb6716814a6

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe
Filesize
15KB

MD5
5046a2ac28aa9c84e62eb49c7581028e

SHA1
f1966bab316f3c5d5675c46bd2d8fc82cb05390e

SHA256
77204ac3121a0bf6b0d221428e829da740bb6f63fbf4858ccadb927a16a107f2

SHA512
913bab9d02cf88f6b2ee451b218c90ab73d00a8f904e9b8df2430880edc2b9410f8a1f0545f1e09fbcdef74649a1b8de5eb4298796a7f520d216d2066498fa39

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
23KB

MD5
418c9939f93a41b2a91402a767ddf5ca

SHA1
284f5611c1dc4fe764cfc16303ddea7bec8d3f56

SHA256
fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a

SHA512
03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

Download Submit
\Users\Admin\AppData\Local\Temp\svchosted32.exe
Filesize
23KB

MD5
418c9939f93a41b2a91402a767ddf5ca

SHA1
284f5611c1dc4fe764cfc16303ddea7bec8d3f56

SHA256
fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a

SHA512
03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

Download Submit
memory/292-71-0x0000000000000000-mapping.dmp

Download
memory/292-73-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/836-59-0x0000000001080000-0x0000000001088000-memory.dmp

Filesize
32KB

Download
memory/836-56-0x0000000000000000-mapping.dmp

Download
memory/952-86-0x0000000000000000-mapping.dmp

Download
memory/1392-65-0x0000000000535000-0x0000000000546000-memory.dmp

Filesize
68KB

Download
memory/1392-54-0x0000000000EB0000-0x000000000193E000-memory.dmp

Filesize
10.6MB

Download
memory/1532-67-0x0000000000000000-mapping.dmp

Download
memory/1532-70-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/1580-61-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

Filesize
8KB

Download
memory/1580-64-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/1580-63-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1580-62-0x000007FEEE150000-0x000007FEEECAD000-memory.dmp

Filesize
11.4MB

Download
memory/1580-60-0x0000000000000000-mapping.dmp

Download
memory/1816-81-0x0000000000000000-mapping.dmp

Download
memory/1816-85-0x000000006D220000-0x000000006D7CB000-memory.dmp

Filesize
5.7MB

Download
memory/1856-75-0x0000000000000000-mapping.dmp

Download
memory/1856-79-0x000000006D220000-0x000000006D7CB000-memory.dmp

Filesize
5.7MB

Download