Overview

overview

10

Static

static

7

4e66b44231...6e.exe

windows7-x64

10

4e66b44231...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    210s
  • max time network
    219s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2024 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e66b442315b528793daf29f272beb6e.exe

  • Size

    13.2MB

  • MD5

    4e66b442315b528793daf29f272beb6e

  • SHA1

    5085c7f9d376063e9544fc9fe6c94a3567fae67d

  • SHA256

    f920013efc8d6839e9ff3a2ce43010e1fb46a941a95f99b8c39335d1fbb1bc29

  • SHA512

    5165565ebc68a408842cf6ea6bf14d60172d2f4fc2c684d16235db2368ae12f53277580fc2103eda1fc102bc68e8742882ab78e74b31ee686bd3c3c5941d89e1

  • SSDEEP

    393216:CWeWk6XZcIgBBQFOnQ+NZrqCkbEp+DNjyymL8AV:Cz6J7gP8OnQctRQg+hyyW

Score
10/10
44caliberevasionpersistencespywarestealerthemidatrojanupx

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/864993390039138344/KcIraJ14D-c_gxt8b62QhfVu_PGaoIgxX5A9WLR2Iw9WLUoF8VGIsnRR969mXFvP0Unf

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 21 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e66b442315b528793daf29f272beb6e.exe
    "C:\Users\Admin\AppData\Local\Temp\4e66b442315b528793daf29f272beb6e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3500
    • C:\Users\Admin\AppData\Local\Temp\duTN6Ni35B.exe
      "C:\Users\Admin\AppData\Local\Temp\duTN6Ni35B.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1356
    • C:\Users\Admin\AppData\Local\Temp\dh4nEchLKF.exe
      "C:\Users\Admin\AppData\Local\Temp\dh4nEchLKF.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c pause > nul
        3⤵
          PID:4440

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Defense Evasion

    Modify Registry

    3
    T1112

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Virtualization/Sandbox Evasion

    1
    T1497

    Credential Access

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    5
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      1KB

      MD5

      d5cf8a4033f37f34b41150044b0489ad

      SHA1

      5ee002332de080174440ce7f31282b0a4e8deaa4

      SHA256

      c87aa63a64d4d31086f537c50b94efc58a4e398f40bd667d9c6ac5368051c2da

      SHA512

      80a7ce2231f5ec184d70d2cc7a5ee491a2126a22373e49831611ea923506ad8cae500d0ab6dd2d88988a61b1856130a6249db0b3a0bbb08fd638386df66d9aac

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dh4nEchLKF.exe
      Filesize

      2.2MB

      MD5

      1a28060afbe7090e66f18688345a3a53

      SHA1

      9d7e41c9ed5a72455bac961f740126dc410442a1

      SHA256

      461ab472b995efe30c6b885a347fcd2361f0fd8ce45763c113f4481cecc080b0

      SHA512

      4c63f9aafb8427c573b1c0f18bf3b962cba61fa1a4ad535a456a55b3e83ef74703db8f3b34b6c71d8143a807278c2f70587b726df15e8912f4f7a22898fdf27e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dh4nEchLKF.exe
      Filesize

      3.7MB

      MD5

      d15ffa0667171125f0467c85cf1241fc

      SHA1

      4db9d7e40a6a267c840c5e8f78ea7154f1fb9662

      SHA256

      dae1d4d82286a988da3e6c6967a006b354e8abc2d05c94cb8b8b2fdfdf5c8f11

      SHA512

      541ec4c55db79410691ac18e0644208dacf9dbdac4814bc2cd756f18011774f1ee3cbbe0e0a0b4479d26f1615fb0952f347906d9de49fdea99d77c19bdf90b7d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dh4nEchLKF.exe
      Filesize

      2.9MB

      MD5

      05d78be10714ba294abcd3bfbc0013d0

      SHA1

      956ca007f0f64d47eda7c6f8d46de16cc22b9a14

      SHA256

      ae88ccb76ef976b895ffe64dfdbbbf3af0fb53fe6753cf78adf73e75690a072c

      SHA512

      8945d163c29fecf73bb6ffc52f5b42a7d85e0a93d396154c4d3c5f683de12f7c8db8df86a73a610151b3b33f216f380266839cc91dd8218ff66fe967ee65bb9d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\duTN6Ni35B.exe
      Filesize

      128KB

      MD5

      b80b3501199b7686fd7b11e822623ef6

      SHA1

      162cf3668222c0fd522c05b0d3138bd67bcbffed

      SHA256

      e7272833985742e6879ddc6d9f63f382ad277313a72f1c12cae0d7547318adb7

      SHA512

      7dbf3c71383cf90c71e762662700c1158ad991aba01d70ccff5d1c0e6a089c0ecceaf4584548ffa3afe82afacde2284c0ac6a3d80c1b75baf84e51d90576a381

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\duTN6Ni35B.exe
      Filesize

      210KB

      MD5

      9b3beec8b274fc52065670ffeb9d8895

      SHA1

      d8c79ac011f71f80e597e08c6fcfb1c04a5537a1

      SHA256

      fb4be4993bb0678fd5adc7bc3268e691ba6e3aadd5df83149e59e46fd0d69d05

      SHA512

      8a8d9f069a3fb2e248e9d8ce7b0d62b2c90c86d30cbbb898f57696298e46963b8374fb4c8a911ea34d331d13150db9ca47aed025c4d539db5b2feca5bb5c757f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\duTN6Ni35B.exe
      Filesize

      274KB

      MD5

      78fe81b560fe19e1a42a017a667f3f06

      SHA1

      4a75705ce154ef06374f1c48e7dcc321b8342d5a

      SHA256

      122b27bae3026a926b31aee5722909c010291a4635a3bb725caa1c71006ea327

      SHA512

      f19b09c6883a6df1f15dddaf8ac06d9709fc038ae1c8ca9f69d994c3370c35069e304690275ee1f3aebb44e8e682071ee56c06c01597c9afd925ada66499d050

      Download Submit
    • memory/1356-17-0x000000001B890000-0x000000001B8A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1356-16-0x00007FFCC5460000-0x00007FFCC5F21000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1356-12-0x0000000000B30000-0x0000000000B7A000-memory.dmp
      Filesize

      296KB

      Download
    • memory/1356-164-0x00007FFCC5460000-0x00007FFCC5F21000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1356-161-0x000000001B890000-0x000000001B8A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1356-158-0x00007FFCC5460000-0x00007FFCC5F21000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3500-0-0x0000000000400000-0x000000000142A000-memory.dmp
      Filesize

      16.2MB

      Download
    • memory/3500-54-0x0000000000400000-0x000000000142A000-memory.dmp
      Filesize

      16.2MB

      Download
    • memory/5060-155-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-169-0x00007FFCE3460000-0x00007FFCE351E000-memory.dmp
      Filesize

      760KB

      Download
    • memory/5060-154-0x00007FFCA3470000-0x00007FFCA3480000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5060-58-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-156-0x00007FFCE3460000-0x00007FFCE351E000-memory.dmp
      Filesize

      760KB

      Download
    • memory/5060-57-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-159-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-56-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-55-0x00007FFCE41B0000-0x00007FFCE43A5000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/5060-165-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-166-0x00007FFCE41B0000-0x00007FFCE43A5000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/5060-106-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-168-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-171-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-173-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-175-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-177-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-179-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-181-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-183-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-185-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-187-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/5060-189-0x00007FF697240000-0x00007FF6986E5000-memory.dmp
      Filesize

      20.6MB

      Download