Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

48ad7db5fb...65.exe

windows7-x64

10

48ad7db5fb...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/01/2024, 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48ad7db5fb10dd9b1c6817d5a9c34865.exe

  • Size

    2.2MB

  • MD5

    48ad7db5fb10dd9b1c6817d5a9c34865

  • SHA1

    2fd68670f13f6335a2361fbdd7ed6c36b9f4863c

  • SHA256

    44cf30bb3e4623c4374ab4132bd419d3a63f119b36eaf66f1a5258e36df3b60a

  • SHA512

    7782826d586098b94e2c10a801881e0104784406d9d496c98b2932a33b28f2b0724be7eb25f158223f84483795b4bb768f7e2ad15799c9cb4b2577888909c3fb

  • SSDEEP

    49152:pSezyzdsk+1US6FOZyj2Zi8kwUP+9uNMYuv+ShQFZS:pSdsk+ySemg2Iw0+YChv+Shx

Score
10/10
44caliberevasionspywarestealertrojan

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/850985103400108043/qMVlcxRCEtOy4d0lLo-ckGGqIgWka8O5mwrGC7NwW7qRJs5beglorhRUk-uRy4jQ1Cbz

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48ad7db5fb10dd9b1c6817d5a9c34865.exe
    "C:\Users\Admin\AppData\Local\Temp\48ad7db5fb10dd9b1c6817d5a9c34865.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Users\Admin\AppData\Local\Temp\12312.exe
      "C:\Users\Admin\AppData\Local\Temp\12312.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2808
    • C:\Users\Admin\AppData\Local\Temp\Insidious — êîïèÿ.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious — êîïèÿ.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\12312.exe
    Filesize

    60KB

    MD5

    f18cf2c76c5e8283a9d81640b198e01b

    SHA1

    29d2b98d71a263ee319cc65109e7325604d203d0

    SHA256

    b54d12aafa616be9524995f8df0527848776c08432556c178667e1429744e34d

    SHA512

    9543bd395281d41c7fafc470812bb920cbd70b918c864b3b245451a2b679ab621401c4857c8da000f952ae73e3c3f084aaaf74a15dc91966caf7680b84f1da04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Insidious — êîïèÿ.exe
    Filesize

    274KB

    MD5

    cc0f9ce3587d6a0ee7390ccf8567b764

    SHA1

    0d6b82a85b3ccf11a01482832fcb28e8f97ed68c

    SHA256

    7ce1e233b1994f4db7ded9540bc77f86608a8fed62ed9f58a36aedb9be3723b8

    SHA512

    b56fe5774b378c5dc6c73f9807e07062286b20077cf6a2ba4328d40ae597c0896dd97f955571893fad9e2e88eecd8fb7ffee84261caaee0171cd33e04452e160

    Download Submit

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1013B

    MD5

    21f2494811ad8090d37728f655b2ac83

    SHA1

    c0a7fb5b68e96b01057cf271e7c773335a6563b4

    SHA256

    219275ecde00dd7361331f4ee87531cbb8bf0c7b961ad18c3bfcfc06b05ae94d

    SHA512

    f7b604b97f9bc226b2f89541900f80872125d014707a92afb5996f591ba65631661ef46541ff4433e855466d419b0a2e5d33ad61dd021840edeb1cbf634f75d1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    b8d5d191df018ff40db08abace90b4c8

    SHA1

    65e3ac38167a4d624c59c2f385398ebcdd73c160

    SHA256

    c65ead65ee35edd71773c2d110a5fc2c761bbe469913e0be71ce383e6b0662f7

    SHA512

    08850f90e8f69e9e10460054eb1f5fa5bb59f28bc0bf8805acfc73dfefd0aa9f3e4a1c12cd4b16b81746ff6672d74c37961fb6c081ab1ff45b9289ff29176d2f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    6fee405d6806fb462c7427b362695935

    SHA1

    65191f338fec4d6dabb6195524daf29f61a2d137

    SHA256

    4ee9ab9ad765ece3fd26f92fd2be5fe50f7f0b61ad9909d830441c566193fcad

    SHA512

    e45c02c8826b4321d081a93b654e0e33a446bada3156a1162e0f3e389e2037d0636dd91348e5a7a4fdd075e866fe7c5bbef6c1b6867560f0b7e67aae62a96233

    Download Submit

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    465B

    MD5

    5d1051b2c74ce3ef4abbc8e6d99fdcef

    SHA1

    d21ccb43418123147058fda7756593553c3cf2dd

    SHA256

    ed7b9c9493e8f75e19c5f4c3662eb11f02c8a8d0839b1b2c8bba26e85c473020

    SHA512

    2b4ce7c15040c79798a29be883315e5e3a28d98d5d8171565987a301fd1731ae859c2b49c0fdd1bc80f0ba3a6dafb9bc4c6f98b6363de7416d61a14bbd57c88b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    681B

    MD5

    d5635f034b677b820e923a72a88444fa

    SHA1

    c204e0d72afe36cf930410d7f6842e5a9e14bfaa

    SHA256

    b19345dcf40604c47849056860e26eecb0321c6e1a6a97e2d90ff62578cd69fe

    SHA512

    98ea0f93a4a0b7a5e926e85faed6f980a3745abab265c33cf5dc84653bdbe2d16f7140ac555ac0f11fc75ac6f2535bf239e2942b461d8147b1d878b6a4fde6bd

    Download Submit

  • memory/4624-26-0x00007FFEC0AD0000-0x00007FFEC1591000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4624-50-0x00000000008E0000-0x00000000008F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4624-21-0x00000000000E0000-0x000000000012A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4624-151-0x00007FFEC0AD0000-0x00007FFEC1591000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4976-0-0x0000000000400000-0x000000000092D000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4976-25-0x0000000000400000-0x000000000092D000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4976-3-0x0000000000400000-0x000000000092D000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4976-4-0x0000000002C40000-0x0000000002C41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4976-5-0x0000000002C50000-0x0000000002C51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4976-1-0x00000000774F4000-0x00000000774F6000-memory.dmp

    Filesize

    8KB

    Download