Analysis

  • max time kernel
    136s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2023 04:43

General

  • Target

    66721cc45af725f154418a09d4a68ec6.exe

  • Size

    747KB

  • MD5

    66721cc45af725f154418a09d4a68ec6

  • SHA1

    632a75f4263174cc19942a144fc7087b00b5486e

  • SHA256

    0ea8e2910cb2a2a4b11be49d5e126ee142006b8081835e0a7df915d7888298ba

  • SHA512

    dfa77713a46330fec13af7a613713920a0d20ba6ab29fff636c0ce0bfdec4d618f078dbd1ec3b84dd68199275d05d26cce9daf2b2fdfad234e842b01e1911cbd

  • SSDEEP

    12288:VhqxSLo5C1Ps4XhWT+trB8lUvGNVB6d/30BPU54PaklHqs:VHLmCiIhjjGvcdclU5kbp

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/882699814805061663/t2OYL-mIrPiqG-u99L6kOBVeFW3ZztNOFcMlV1t3d2KjSF7XPZFr5kxG0S2tgFW28GHF

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66721cc45af725f154418a09d4a68ec6.exe
    "C:\Users\Admin\AppData\Local\Temp\66721cc45af725f154418a09d4a68ec6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Start1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1648
      • \??\c:\Desktop.exe
        Desktop.exe -p111 -dc:\
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Start.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4824
          • \??\c:\Insidious1.sfx.exe
            Insidious1.sfx.exe -p11 -dc:\
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4472
            • C:\Insidious1.exe
              "C:\Insidious1.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2860

Network

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Desktop.exe
    Filesize

    581KB

    MD5

    fd5dad667edc46daef933b35d05f8555

    SHA1

    fe97457b62dc2b71ee3f442ca806f4e020475821

    SHA256

    e550ae31e23fc9e4f7b543263a85a075ff727690e17e735afd2b999640612be7

    SHA512

    d416f7d05ab37b2871c74d7c4d504c14eef08a27835c2250e2e38f1a4eba1e5f326e0b19778bbc4a017dfedd1d1ac9d510e651e7ba21d98e0b5df8784f83dd6d

  • C:\Insidious1.exe
    Filesize

    303KB

    MD5

    db8d2a2fcd06de834a1ccbfe1a5f182a

    SHA1

    2dce3f7bdce5f787d43c42166ec25fbed59470de

    SHA256

    68c85fe1a8153965c5dcfe7301a14afe652912f75a85eaa7f907ddbdb047a0b4

    SHA512

    248284eaec4838bc9e474136953886dc4d90ac62d916724a201b9740908a925ccf365ae8f99969f148e75a55a50de9bb28417bdbae0e5def8ecd78a11874815d

  • C:\Insidious1.sfx.exe
    Filesize

    418KB

    MD5

    97d291eaf4c5046fbd724e87e006ce94

    SHA1

    269738e66f84b27c3dec9e27070d6c7fccfdfb65

    SHA256

    94b9e1e21470a25b4dfa17d36e70a54e23e1df185b477bf6bddc6b3c7d1743c2

    SHA512

    45079a4d4b486b71ad9390dc12c765e3a549d5c6499fc66722bd020ad9731dbdf983c8e0475c7405e00d5f4fb97030404f7584042b9dc66b3bb105270ff90e17

  • C:\Start.bat
    Filesize

    29B

    MD5

    71ee9d9a6379f874b0391a811b120ed6

    SHA1

    d72daa6e8cc433812422c8b83665956a27529296

    SHA256

    9acfdb4c69071efb2fabc3ef76bdf7cb57c6eb7c03b7882ec8e4556e55afed26

    SHA512

    e81e38392d33c749bf06fc52cbd2d238891ae1217465f336fbedaeeb3d402c150c2cd16878ce8a0e4684590d95820d0f889d02f3c79fbb8df3715cc693a3f52f

  • C:\Start1.bat
    Filesize

    23B

    MD5

    77b8ac7a86cb4e34951cfff168040f46

    SHA1

    4e1eaad838d486f4426a46d16c1f764aab36968f

    SHA256

    19cba8521d8223059b7571874b2a89f8a6cedce5b30cbfd16235487f7a40a606

    SHA512

    b142844931ec155bbaf442be6815c48c94dcaf3ce85ee29fbb5e5c3f74ca3943d2c3c0b02e71cca7e069250391bf82a07c31bd53e9f11dc1797c0566530a68d0

  • \??\c:\Desktop.exe
    Filesize

    514KB

    MD5

    1aff91676232aba9213de43b5d3b97d3

    SHA1

    7a925b90020abd023ec729c3ed67288635b0add8

    SHA256

    07e1618e2c1abf70081ac15aaf945f31338730bf945ac15be36299d99443f77b

    SHA512

    17db410d38a3bd2489cfa613904ba9ed48b859e83372c4510bacd09477839538ba3e7e39c860aaca92dd1e3f6e074736aa14d7b531d03fe4c2f5f2e26da83966

  • memory/2860-32-0x0000000000250000-0x00000000002A2000-memory.dmp
    Filesize

    328KB

  • memory/2860-59-0x00007FFBDE840000-0x00007FFBDF301000-memory.dmp
    Filesize

    10.8MB

  • memory/2860-64-0x000000001AE70000-0x000000001AE80000-memory.dmp
    Filesize

    64KB

  • memory/2860-65-0x00007FFBDE840000-0x00007FFBDF301000-memory.dmp
    Filesize

    10.8MB