Overview

overview

10

Static

static

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    208s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    1.0MB

  • MD5

    068b814729f1551a3c70948c272aab19

  • SHA1

    df09efe5bf2dc3becd036fc093e2d55a15420784

  • SHA256

    428b9f5ed5e3be5456fa65110d9a815fd6f75a8c41764874baa4c88b90397ca2

  • SHA512

    16093eb09d49b0e20c87fa0c8632861083402ccad9f30a5d6ba9cb04d3b5d7b270831fb88d1448e08cca7efa3ad435bd81919e5a9c2214c9a87602cd2dac6781

  • SSDEEP

    24576:ZEKhoSmPiUn1jPT6oo8Ox9IXiwdLCoFVkl31VVTK:6Khq198KyqFVk5V

Score
10/10
44caliberasyncratpersistenceratspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1043626101374722138/8xjZH2IjxwGT5aAEHFsAIW0nkW0RHIIuUmTxgat5PUV7dxRM1ocpOk0zFZpczNcvlCjk

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 7 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4232
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4232 -s 1516
        3⤵
        • Program crash
        PID:3308
    • C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      2⤵
      • Executes dropped EXE
      PID:1540
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1540 -s 1076
        3⤵
        • Program crash
        PID:4384
    • C:\Users\Admin\AppData\Local\Temp\NoInstall.exe
      "C:\Users\Admin\AppData\Local\Temp\NoInstall.exe"
      2⤵
      • Executes dropped EXE
      PID:60
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 60 -s 1088
        3⤵
        • Program crash
        PID:4168
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\42298a4aabb74e4fb3dd1e825a2e8445 /t 2848 /p 2032
    1⤵
      PID:2204
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
        2⤵
          PID:3492
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 560 -p 4232 -ip 4232
        1⤵
          PID:2816
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:548
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3544
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 452 -p 1540 -ip 1540
          1⤵
            PID:4768
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 832 -p 60 -ip 60
            1⤵
              PID:4876

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Credentials in Files

            2
            T1081

            Discovery

            Query Registry

            4
            T1012

            System Information Discovery

            5
            T1082

            Peripheral Device Discovery

            2
            T1120

            Lateral Movement

            Collection

            Data from Local System

            2
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
              Filesize

              305KB

              MD5

              3c15c850db18c3ead48ab1929a5aa925

              SHA1

              e2bdd8fe8b6f48fa55d6fce766456b825e16cb26

              SHA256

              190c982b8df7adb7a1c7a1ba5f2582cc8c1f3de4dfad31b42ca914ed31f6d8d2

              SHA512

              1300336b1d3b1ecc4b6f99bf5dbff65260405154b55e882badc45ef10460d0a3eaba9b5b9fcc9f6f6b18cf9dc55f77c127a84000aaeb008111903e292efa8989

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
              Filesize

              305KB

              MD5

              3c15c850db18c3ead48ab1929a5aa925

              SHA1

              e2bdd8fe8b6f48fa55d6fce766456b825e16cb26

              SHA256

              190c982b8df7adb7a1c7a1ba5f2582cc8c1f3de4dfad31b42ca914ed31f6d8d2

              SHA512

              1300336b1d3b1ecc4b6f99bf5dbff65260405154b55e882badc45ef10460d0a3eaba9b5b9fcc9f6f6b18cf9dc55f77c127a84000aaeb008111903e292efa8989

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Install.exe
              Filesize

              48KB

              MD5

              d96a7317fb4d70cbe07a8fb364adbc21

              SHA1

              5f674dcb3f9ccdafb94a0d983af4a959be9b4e05

              SHA256

              85f48626e6bee0b259faa4bb80e4af57c4466e1c2b5ed9e17ea02e2b59d83b40

              SHA512

              cc49023ba6a799d02eba8d3119c66e5533be4e3d9e59455702b4c69e852fb4655c1ddb6498b33aa3c88d88c2da1435b5e00226e71c68b38084b82d3fdc0a2e77

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Install.exe
              Filesize

              48KB

              MD5

              d96a7317fb4d70cbe07a8fb364adbc21

              SHA1

              5f674dcb3f9ccdafb94a0d983af4a959be9b4e05

              SHA256

              85f48626e6bee0b259faa4bb80e4af57c4466e1c2b5ed9e17ea02e2b59d83b40

              SHA512

              cc49023ba6a799d02eba8d3119c66e5533be4e3d9e59455702b4c69e852fb4655c1ddb6498b33aa3c88d88c2da1435b5e00226e71c68b38084b82d3fdc0a2e77

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\NoInstall.exe
              Filesize

              48KB

              MD5

              8732042e1be56177b23d3c87a08d2220

              SHA1

              ba4b8314ad52256d66dcb83d79ac31da48a25d62

              SHA256

              d8062dac6b24dff7d13472a8805634e42b99824b270b06c8c1ab9d91a3c83cf2

              SHA512

              8f5600b6388bbdc0f5a4ba54ee1f786e50fdcd91728cefdde3ea0635e8726a59894fd8949cf5b027d848ccec77597ec67b73e58879541521e99f94e675fff89c

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\NoInstall.exe
              Filesize

              48KB

              MD5

              8732042e1be56177b23d3c87a08d2220

              SHA1

              ba4b8314ad52256d66dcb83d79ac31da48a25d62

              SHA256

              d8062dac6b24dff7d13472a8805634e42b99824b270b06c8c1ab9d91a3c83cf2

              SHA512

              8f5600b6388bbdc0f5a4ba54ee1f786e50fdcd91728cefdde3ea0635e8726a59894fd8949cf5b027d848ccec77597ec67b73e58879541521e99f94e675fff89c

              Download Submit
            • memory/60-142-0x0000000000000000-mapping.dmp
              Download
            • memory/60-183-0x00007FFBB8BE0000-0x00007FFBB96A1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/60-151-0x00007FFBB8BE0000-0x00007FFBB96A1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/60-147-0x00007FFBB8BE0000-0x00007FFBB96A1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/60-145-0x0000000000E40000-0x0000000000E52000-memory.dmp
              Filesize

              72KB

              Download
            • memory/308-132-0x0000000000400000-0x0000000000503000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/548-163-0x000001E7BDDD0000-0x000001E7BDDF0000-memory.dmp
              Filesize

              128KB

              Download
            • memory/548-178-0x000001E7BE8A0000-0x000001E7BE8C0000-memory.dmp
              Filesize

              128KB

              Download
            • memory/548-216-0x000001E7D1BB0000-0x000001E7D1CB0000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/548-161-0x000001E7BB0E8000-0x000001E7BB0F0000-memory.dmp
              Filesize

              32KB

              Download
            • memory/548-166-0x000001E7CE9E0000-0x000001E7CEAE0000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/548-169-0x000001E7BE6E0000-0x000001E7BE700000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1540-146-0x00007FFBB8BE0000-0x00007FFBB96A1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1540-138-0x0000000000000000-mapping.dmp
              Download
            • memory/1540-150-0x00007FFBB8BE0000-0x00007FFBB96A1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1540-181-0x00007FFBB8BE0000-0x00007FFBB96A1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1540-141-0x0000000000020000-0x0000000000032000-memory.dmp
              Filesize

              72KB

              Download
            • memory/3492-148-0x0000000000000000-mapping.dmp
              Download
            • memory/4232-136-0x000002C7B31A0000-0x000002C7B31F2000-memory.dmp
              Filesize

              328KB

              Download
            • memory/4232-179-0x00007FFBB8BE0000-0x00007FFBB96A1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4232-137-0x00007FFBB8BE0000-0x00007FFBB96A1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4232-133-0x0000000000000000-mapping.dmp
              Download
            • memory/4232-149-0x00007FFBB8BE0000-0x00007FFBB96A1000-memory.dmp
              Filesize

              10.8MB

              Download