44caliber | 3bf062d997913c12bcee479623af730d98be59993a704abbddffed5e7fa604d5

General

Target

deadsense.exe
Size

274KB
MD5

3052e30d962a23b4e3766f025b8d6c21
SHA1

97bec7796489888ad6aacdc5f3281f88c0287cf1
SHA256

a35b29189e4ea69890b73e5c64a26a3badc61b9e2084ddfa1a959bc6241ff1dd
SHA512

cf9a993eeba2440a6bacedff874a3b84e7112e6f11dfebc4d591380b462bdb1a247099290c5fa448d0431daa7ec55080db6d23219da1c10ca2a168ade5e4b680
SSDEEP

6144:Zf+BLtABPDWlR1ZroWT0Ilb5wqlYeJClA1D0Ne9:4luK0Ilb5/lYe11Dx9

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1106246820465754193/PhLXU_8QVd9PKEsWp1wYfiuAgulXvdo3vNtxDX_F2rZvdBoVeobiSd4lhoRwXHxlyOwF

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

deadsense.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	deadsense.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	deadsense.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

Groove.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	Groove.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	Groove.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	Groove.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	Groove.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt	Groove.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	Groove.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	Groove.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar	Groove.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	Groove.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

deadsense.exeGroove.exe

pid process

2372 deadsense.exe
2372 deadsense.exe
2372 deadsense.exe
2372 deadsense.exe
1332 Groove.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

deadsense.exe

description pid process

Token: SeDebugPrivilege 2372 deadsense.exe

pid	process
2372	deadsense.exe
2372	deadsense.exe
2372	deadsense.exe
2372	deadsense.exe
1332	Groove.exe

description	pid	process
Token: SeDebugPrivilege	2372	deadsense.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Groove.exeDW20.EXE

description	pid	process	target process
PID 1332 wrote to memory of 1148	1332	Groove.exe	DW20.EXE
PID 1332 wrote to memory of 1148	1332	Groove.exe	DW20.EXE
PID 1332 wrote to memory of 1148	1332	Groove.exe	DW20.EXE
PID 1332 wrote to memory of 1148	1332	Groove.exe	DW20.EXE
PID 1332 wrote to memory of 1148	1332	Groove.exe	DW20.EXE
PID 1332 wrote to memory of 1148	1332	Groove.exe	DW20.EXE
PID 1332 wrote to memory of 1148	1332	Groove.exe	DW20.EXE
PID 1148 wrote to memory of 1888	1148	DW20.EXE	dwwin.exe
PID 1148 wrote to memory of 1888	1148	DW20.EXE	dwwin.exe
PID 1148 wrote to memory of 1888	1148	DW20.EXE	dwwin.exe
PID 1148 wrote to memory of 1888	1148	DW20.EXE	dwwin.exe

C:\Users\Admin\AppData\Local\Temp\deadsense.exe
"C:\Users\Admin\AppData\Local\Temp\deadsense.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe
"C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe" /TrayOnly /NoLogon
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1332

C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
"C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1324
2⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 1324
3⤵
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6FBD882C-1B38-4BE2-B19D-6F722B491FAE}.FSD

Filesize
128KB

MD5
4791a7dd0bdf12d24c0d97edf5480b28

SHA1
6cca8333432073deb292404d313b72c60b2ce972

SHA256
8bb3af420aeaf8af9dc5b97d6bc5fee4c3b57d7f66de621e9e628d05591e1f8b

SHA512
8ea98e0e4c482362cc09f3b1735fe868ee38f100ed47b4dd01a0c5c51c7591ff2f1f6d8e5560a7e76306a553b59ba1c03c43424022310eeee0dd966cf6d32360

Download Submit
C:\Users\Admin\AppData\Local\Temp\259467118.cvr

Filesize
560B

MD5
65e3e3812afa0df536f78048305e5847

SHA1
f783c0964b05cfc79489334958d1d7d4b7c17b27

SHA256
6985b2832de53a3567fb72918255cf65d429ff2e87b077d0113fb20c32ebc956

SHA512
2e9a5e280a834ab35cc6968b0f4eec4ef64c8aabeffcb954833024a83a78aa51832f92a55fb7e6c1a2adadc3fdc59e5445bd3437a7b9df0dd5676f1283533955

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B246FF30-286E-413A-AEA8-8DABD2C1369C}

Filesize
128KB

MD5
82d5f2735355d4e27384d918fde30a13

SHA1
34cb24c00e5d5f5f2ed7c98eb70fc21f7be2a1c4

SHA256
5056784a3a6df6795fe090bc0b4cc1129b4724f499d3922d31f13f952099c8d3

SHA512
e63a45c794d16ff78d9eb2fd1361c75c46a7d40f18883b786254d26d08fe4ddb5fc68563f91445277b6c7f9c1e60112a7d0d1a6a14246d181583cbba458e7ee4

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
159B

MD5
adf6abbfdc3d7c790e1cc3f61fe795ae

SHA1
fd7bd6ddf566baab108a27cc4000eec2cbc38395

SHA256
a7e69d7be47aae6db55b5f6accc173e7f45ebb92c057be63b333732bec862cb6

SHA512
f7be7dd5998a2615462934364bca133ae84d92ae194e7939fcc3f9ec0d1ec4deba5308216bce5edcf4c8ec17b30fd8160eec08138b60b458a9f57868395c28b6

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
348B

MD5
5f099c91e7e606c55873319b3189df1b

SHA1
32f90d752502abf0c4673ea953b4506f86f13468

SHA256
d42dc02aac3c6c2182b60681f3f4f8a8756f02db6dc865ab096af674571307b0

SHA512
8be75bab67c035d452bb063e35c699331b016b0be26d99ac5353305a039b5866b9c744daab99fe214016124323acb0298b384b33789a94c665974ff17e15ec4f

Download Submit
memory/1332-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1332-51-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1332-52-0x0000000073D7D000-0x0000000073D88000-memory.dmp

Filesize
44KB

Download
memory/1332-113-0x0000000073D7D000-0x0000000073D88000-memory.dmp

Filesize
44KB

Download
memory/1888-112-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2372-49-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-0-0x0000000000BC0000-0x0000000000C0A000-memory.dmp

Filesize
296KB

Download
memory/2372-2-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download
memory/2372-1-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads