44caliber | d0a927970e230756281222c063f1a06b4637623794a26843381e4de3df3c277f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D0A927970E230756281222C063F1A06B4637623794A26.exe
Size

10.5MB
MD5

9e63a0aa4f26539beeccb7180568fc4e
SHA1

649f49bfa20647858a8073a9416648b76773cfc5
SHA256

d0a927970e230756281222c063f1a06b4637623794a26843381e4de3df3c277f
SHA512

a3acd7ec1400ccc482239440450ef8df6719dd29ce6290b9f47764030a4e5b47ceb97ce74c71bb156409848e85ceaa38069d2d4113f4043883ae0a28053a546b

Score

10^/10

44caliber njrat soryman evasion persistence stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

SoryMan

us-west-11608.packetriot.net:22794

Mutex

9dc6936092ebce7762ab0f2981bc4ba4

Attributes

reg_key
9dc6936092ebce7762ab0f2981bc4ba4
splitter
@!#&^%$

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/1336-130-0x0000000000500000-0x0000000000F8E000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe	disable_win_def
behavioral2/memory/1592-137-0x0000000000470000-0x0000000000478000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

2 4972 WScript.exe
4 4972 WScript.exe
6 4972 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

TiktokSpammerTool.exeWindowsFormsApp4.exesvchosted32.exesvchost.exe

pid process

1592 TiktokSpammerTool.exe
3004 WindowsFormsApp4.exe
2668 svchosted32.exe
1412 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

flow	pid	process
2	4972	WScript.exe
4	4972	WScript.exe
6	4972	WScript.exe

pid	process
1592	TiktokSpammerTool.exe
3004	WindowsFormsApp4.exe
2668	svchosted32.exe
1412	svchost.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exesvchosted32.exeD0A927970E230756281222C063F1A06B4637623794A26.exeWindowsFormsApp4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchosted32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	D0A927970E230756281222C063F1A06B4637623794A26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WindowsFormsApp4.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9dc6936092ebce7762ab0f2981bc4ba4.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9dc6936092ebce7762ab0f2981bc4ba4.exe	svchost.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

TiktokSpammerTool.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" TiktokSpammerTool.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	TiktokSpammerTool.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9dc6936092ebce7762ab0f2981bc4ba4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9dc6936092ebce7762ab0f2981bc4ba4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

WindowsFormsApp4.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings WindowsFormsApp4.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4840 powershell.exe
4840 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	WindowsFormsApp4.exe

pid	process
4840	powershell.exe
4840	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

powershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

D0A927970E230756281222C063F1A06B4637623794A26.exe

pid process

1336 D0A927970E230756281222C063F1A06B4637623794A26.exe
1336 D0A927970E230756281222C063F1A06B4637623794A26.exe

pid	process
1336	D0A927970E230756281222C063F1A06B4637623794A26.exe
1336	D0A927970E230756281222C063F1A06B4637623794A26.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

D0A927970E230756281222C063F1A06B4637623794A26.exeTiktokSpammerTool.exeWindowsFormsApp4.exeWScript.exesvchosted32.exesvchost.exe

description	pid	process	target process
PID 1336 wrote to memory of 1592	1336	D0A927970E230756281222C063F1A06B4637623794A26.exe	TiktokSpammerTool.exe
PID 1336 wrote to memory of 1592	1336	D0A927970E230756281222C063F1A06B4637623794A26.exe	TiktokSpammerTool.exe
PID 1592 wrote to memory of 4840	1592	TiktokSpammerTool.exe	powershell.exe
PID 1592 wrote to memory of 4840	1592	TiktokSpammerTool.exe	powershell.exe
PID 1336 wrote to memory of 3004	1336	D0A927970E230756281222C063F1A06B4637623794A26.exe	WindowsFormsApp4.exe
PID 1336 wrote to memory of 3004	1336	D0A927970E230756281222C063F1A06B4637623794A26.exe	WindowsFormsApp4.exe
PID 1336 wrote to memory of 3004	1336	D0A927970E230756281222C063F1A06B4637623794A26.exe	WindowsFormsApp4.exe
PID 3004 wrote to memory of 4972	3004	WindowsFormsApp4.exe	WScript.exe
PID 3004 wrote to memory of 4972	3004	WindowsFormsApp4.exe	WScript.exe
PID 3004 wrote to memory of 4972	3004	WindowsFormsApp4.exe	WScript.exe
PID 4972 wrote to memory of 2668	4972	WScript.exe	svchosted32.exe
PID 4972 wrote to memory of 2668	4972	WScript.exe	svchosted32.exe
PID 4972 wrote to memory of 2668	4972	WScript.exe	svchosted32.exe
PID 2668 wrote to memory of 1412	2668	svchosted32.exe	svchost.exe
PID 2668 wrote to memory of 1412	2668	svchosted32.exe	svchost.exe
PID 2668 wrote to memory of 1412	2668	svchosted32.exe	svchost.exe
PID 1412 wrote to memory of 4964	1412	svchost.exe	netsh.exe
PID 1412 wrote to memory of 4964	1412	svchost.exe	netsh.exe
PID 1412 wrote to memory of 4964	1412	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\D0A927970E230756281222C063F1A06B4637623794A26.exe
"C:\Users\Admin\AppData\Local\Temp\D0A927970E230756281222C063F1A06B4637623794A26.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe
"C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TiktokSpam.js"
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\svchosted32.exe
"C:\Users\Admin\AppData\Local\Temp\svchosted32.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
6⤵
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TiktokSpam.js
Filesize
778B

MD5
db484f181ba5b3d4b3ab651428501009

SHA1
407e2f2525f8be6da321a4f3915ab83627fc8ef5

SHA256
59a5f971895e0e23251c91d0d9e7830c4e0f553607c7e2b72502dc66d97bc0b7

SHA512
849dbc4850ec45b350171b6a9dd961b6d02bef3d9294f79b02aaea45815e5b170001a0656a43e0e12ff9b02f01f3f57f3d6f20f23218a6aa5b30e404294f9f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe
Filesize
12KB

MD5
64a7e0429947daec5c28503be3d0d7ac

SHA1
c86c62a7f49ccb499af8eebf22950fc54dcb9bdd

SHA256
6fc10838bdf49d8dfdd5d28e223be97e3813924d9ba116ac4c3dc40e2170e772

SHA512
74c432e51a513c969e1525a9eb0babb740d0b62b81f330971fb700e47c897cfa1842aa0d4fe594219ec450654300205d6ebd77678fe8ffdcac19fcb6716814a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiktokSpammerTool.exe
Filesize
12KB

MD5
64a7e0429947daec5c28503be3d0d7ac

SHA1
c86c62a7f49ccb499af8eebf22950fc54dcb9bdd

SHA256
6fc10838bdf49d8dfdd5d28e223be97e3813924d9ba116ac4c3dc40e2170e772

SHA512
74c432e51a513c969e1525a9eb0babb740d0b62b81f330971fb700e47c897cfa1842aa0d4fe594219ec450654300205d6ebd77678fe8ffdcac19fcb6716814a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe
Filesize
15KB

MD5
5046a2ac28aa9c84e62eb49c7581028e

SHA1
f1966bab316f3c5d5675c46bd2d8fc82cb05390e

SHA256
77204ac3121a0bf6b0d221428e829da740bb6f63fbf4858ccadb927a16a107f2

SHA512
913bab9d02cf88f6b2ee451b218c90ab73d00a8f904e9b8df2430880edc2b9410f8a1f0545f1e09fbcdef74649a1b8de5eb4298796a7f520d216d2066498fa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe
Filesize
15KB

MD5
5046a2ac28aa9c84e62eb49c7581028e

SHA1
f1966bab316f3c5d5675c46bd2d8fc82cb05390e

SHA256
77204ac3121a0bf6b0d221428e829da740bb6f63fbf4858ccadb927a16a107f2

SHA512
913bab9d02cf88f6b2ee451b218c90ab73d00a8f904e9b8df2430880edc2b9410f8a1f0545f1e09fbcdef74649a1b8de5eb4298796a7f520d216d2066498fa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
23KB

MD5
418c9939f93a41b2a91402a767ddf5ca

SHA1
284f5611c1dc4fe764cfc16303ddea7bec8d3f56

SHA256
fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a

SHA512
03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
23KB

MD5
418c9939f93a41b2a91402a767ddf5ca

SHA1
284f5611c1dc4fe764cfc16303ddea7bec8d3f56

SHA256
fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a

SHA512
03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosted32.exe
Filesize
23KB

MD5
418c9939f93a41b2a91402a767ddf5ca

SHA1
284f5611c1dc4fe764cfc16303ddea7bec8d3f56

SHA256
fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a

SHA512
03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosted32.exe
Filesize
23KB

MD5
418c9939f93a41b2a91402a767ddf5ca

SHA1
284f5611c1dc4fe764cfc16303ddea7bec8d3f56

SHA256
fd44aa995fef8a05f659c47ffeb958ebd347b458387216263cc316fb8e05300a

SHA512
03b262b780dd34bb592539423bb57e5f2f7aae28a2c41fb46dda03de6357e7fd37f76fe2c87f2e08b0019dba0b70046b830908e9bc0faf398e2e8c586b06bd2c

Download Submit
memory/1336-130-0x0000000000500000-0x0000000000F8E000-memory.dmp

Filesize
10.6MB

Download
memory/1336-133-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/1336-132-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/1336-148-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/1336-131-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download
memory/1412-156-0x0000000000000000-mapping.dmp

Download
memory/1412-159-0x000000006C4D0000-0x000000006CA81000-memory.dmp

Filesize
5.7MB

Download
memory/1592-137-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1592-134-0x0000000000000000-mapping.dmp

Download
memory/1592-140-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp

Filesize
10.8MB

Download
memory/2668-155-0x000000006C4D0000-0x000000006CA81000-memory.dmp

Filesize
5.7MB

Download
memory/2668-152-0x0000000000000000-mapping.dmp

Download
memory/3004-145-0x0000000000000000-mapping.dmp

Download
memory/3004-149-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/4840-142-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp

Filesize
10.8MB

Download
memory/4840-141-0x000001E1632A6000-0x000001E1632A8000-memory.dmp

Filesize
8KB

Download
memory/4840-143-0x000001E1632A0000-0x000001E1632A2000-memory.dmp

Filesize
8KB

Download
memory/4840-139-0x000001E17C0F0000-0x000001E17C112000-memory.dmp

Filesize
136KB

Download
memory/4840-138-0x0000000000000000-mapping.dmp

Download
memory/4840-144-0x000001E1632A3000-0x000001E1632A5000-memory.dmp

Filesize
8KB

Download
memory/4964-160-0x0000000000000000-mapping.dmp

Download
memory/4972-150-0x0000000000000000-mapping.dmp

Download