44caliber | 37a2d60c1263d20fcbe71038314073e0c9b40cbc0eef31fd05eca9e53be93c75

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54b1da1c16d8dd8c121c95eaa705aa93.exe
Size

212KB
MD5

54b1da1c16d8dd8c121c95eaa705aa93
SHA1

95ea8c091e1550778ced92f61e795e071e3f25fe
SHA256

37a2d60c1263d20fcbe71038314073e0c9b40cbc0eef31fd05eca9e53be93c75
SHA512

570f620a7dade80891189dfad95c514da5f93ca2e650ebba6f72a18201db52252fc03b9bc77370445f2f62b5e903d68f39ba655b2ad453f22cb8ef243b853a2b
SSDEEP

6144:K8x1Nj/T9iK4Lpu6HPirxW+26NU7NBsp7:X1X4Lo6wxW+26NU7NBsp7

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	svchost64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	54b1da1c16d8dd8c121c95eaa705aa93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	NeverInjector.exe

Executes dropped EXE 4 IoCs

pid	Process
1416	NeverInjector.exe
528	1.exe
3188	svchost64.exe
4576	services64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\services64.exe	svchost64.exe
File opened for modification	C:\Windows\system32\services64.exe	svchost64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3988	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	54b1da1c16d8dd8c121c95eaa705aa93.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
528	1.exe
528	1.exe
528	1.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
3188	svchost64.exe
3188	svchost64.exe
720	powershell.exe
720	powershell.exe
720	powershell.exe
4376	powershell.exe
4376	powershell.exe
4376	powershell.exe
528	1.exe
528	1.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
2972	powershell.exe
2972	powershell.exe
2972	powershell.exe
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
1296	powershell.exe
1296	powershell.exe
1296	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	528	1.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	3188	svchost64.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1416	2224	54b1da1c16d8dd8c121c95eaa705aa93.exe	118
PID 2224 wrote to memory of 1416	2224	54b1da1c16d8dd8c121c95eaa705aa93.exe	118
PID 1416 wrote to memory of 2380	1416	NeverInjector.exe	91
PID 1416 wrote to memory of 2380	1416	NeverInjector.exe	91
PID 2224 wrote to memory of 528	2224	54b1da1c16d8dd8c121c95eaa705aa93.exe	117
PID 2224 wrote to memory of 528	2224	54b1da1c16d8dd8c121c95eaa705aa93.exe	117
PID 2380 wrote to memory of 4612	2380	cmd.exe	104
PID 2380 wrote to memory of 4612	2380	cmd.exe	104
PID 1416 wrote to memory of 2648	1416	NeverInjector.exe	103
PID 1416 wrote to memory of 2648	1416	NeverInjector.exe	103
PID 2648 wrote to memory of 3188	2648	cmd.exe	93
PID 2648 wrote to memory of 3188	2648	cmd.exe	93
PID 3188 wrote to memory of 4008	3188	svchost64.exe	110
PID 3188 wrote to memory of 4008	3188	svchost64.exe	110
PID 4008 wrote to memory of 3988	4008	WaaSMedicAgent.exe	95
PID 4008 wrote to memory of 3988	4008	WaaSMedicAgent.exe	95
PID 2380 wrote to memory of 720	2380	cmd.exe	97
PID 2380 wrote to memory of 720	2380	cmd.exe	97
PID 2380 wrote to memory of 4376	2380	cmd.exe	100
PID 2380 wrote to memory of 4376	2380	cmd.exe	100
PID 2380 wrote to memory of 4580	2380	cmd.exe	102
PID 2380 wrote to memory of 4580	2380	cmd.exe	102
PID 3188 wrote to memory of 4576	3188	svchost64.exe	105
PID 3188 wrote to memory of 4576	3188	svchost64.exe	105
PID 3188 wrote to memory of 4700	3188	svchost64.exe	116
PID 3188 wrote to memory of 4700	3188	svchost64.exe	116
PID 4576 wrote to memory of 4792	4576	services64.exe	115
PID 4576 wrote to memory of 4792	4576	services64.exe	115
PID 4792 wrote to memory of 4564	4792	cmd.exe	112
PID 4792 wrote to memory of 4564	4792	cmd.exe	112
PID 4700 wrote to memory of 5072	4700	cmd.exe	106
PID 4700 wrote to memory of 5072	4700	cmd.exe	106
PID 4792 wrote to memory of 2972	4792	cmd.exe	107
PID 4792 wrote to memory of 2972	4792	cmd.exe	107
PID 4792 wrote to memory of 1956	4792	cmd.exe	108
PID 4792 wrote to memory of 1956	4792	cmd.exe	108
PID 4792 wrote to memory of 1296	4792	cmd.exe	109
PID 4792 wrote to memory of 1296	4792	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\54b1da1c16d8dd8c121c95eaa705aa93.exe
"C:\Users\Admin\AppData\Local\Temp\54b1da1c16d8dd8c121c95eaa705aa93.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1416

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4612

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
  2⤵
  PID:4008
- C:\Windows\system32\services64.exe
  "C:\Windows\system32\services64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\system32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
1⤵
- Creates scheduled task(s)
PID:3988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 7d8cec6bd8258b56b2ddf3332e2c63ac Ci0q+QBvLUqAoQ3mXSiG5g.0.1.0.0.0
1⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
274KB

MD5
c23dd6dcde8637fd537eb142665a4edf

SHA1
ac1d3a691cdd37a8935734270e62186ae0c8f563

SHA256
3cd8c058466febed909675da97645ff2c364562a2bab260402185896aea8be59

SHA512
b16a7badf694741ddfe519d96418c36a12a315523c8045c60ff1af68886f377d3818c0346fb2ab9292182831869207b7219aad3dc27e37ee95372e59fa886bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe

Filesize
42KB

MD5
84cc0c40b8c1a3a5366d30e0c038bddc

SHA1
36a5f937988d9d2e8109885f1cc172abeca7c974

SHA256
5076d9fd2781dcfcb98b71ffa8b9bebab8c11499caf1af17a28e2b661853848c

SHA512
a23863de886c23df57dfd038dd7b9cc6a2c7ffcb48e555db8a71155de59f1dbb2fb412fdf1b5610e37e9011450d4adcf829947317901fd93ffa246f2aaac59a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jagi2jg5.q0w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe

Filesize
36KB

MD5
1aa155e87018118aa94dcdad5e8bb3ee

SHA1
f3d9f7935170538f4219731aa27664dfd5fb6cc0

SHA256
7ac2a4b82c31b61fb520f69c33674247e75acbf2c93b7357edb7a62e443e475e

SHA512
8df2f7accb24dee4b3acc73fad33fd2adfc3988766c995efb52f677b9b81baeea243aa5c8a1c8596cc68269795017c7903faa3c372a3d8e2da791b0c6d2e11be

Download Submit
memory/528-343-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/528-359-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/528-129-0x0000000000360000-0x00000000003AA000-memory.dmp

Filesize
296KB

Download
memory/528-130-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/720-201-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/720-198-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/720-199-0x0000029DE8510000-0x0000029DE8520000-memory.dmp

Filesize
64KB

Download
memory/1296-406-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/1296-402-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/1296-403-0x0000026019780000-0x0000026019790000-memory.dmp

Filesize
64KB

Download
memory/1296-404-0x0000026019780000-0x0000026019790000-memory.dmp

Filesize
64KB

Download
memory/1416-128-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/1416-66-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/1416-162-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/1416-123-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/1956-389-0x0000016E9B440000-0x0000016E9B450000-memory.dmp

Filesize
64KB

Download
memory/1956-391-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/1956-388-0x0000016E9B440000-0x0000016E9B450000-memory.dmp

Filesize
64KB

Download
memory/1956-386-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/2224-0-0x0000000000630000-0x000000000066E000-memory.dmp

Filesize
248KB

Download
memory/2224-140-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/2224-2-0x0000000000F10000-0x0000000000F16000-memory.dmp

Filesize
24KB

Download
memory/2224-3-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/2224-1-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/2972-376-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/2972-372-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/2972-373-0x00000193B0280000-0x00000193B0290000-memory.dmp

Filesize
64KB

Download
memory/2972-374-0x00000193B0280000-0x00000193B0290000-memory.dmp

Filesize
64KB

Download
memory/3188-182-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/3188-174-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/3188-342-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/3188-180-0x00000000010F0000-0x0000000001102000-memory.dmp

Filesize
72KB

Download
memory/3188-181-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4376-208-0x000001A515630000-0x000001A515640000-memory.dmp

Filesize
64KB

Download
memory/4376-314-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4376-202-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4376-214-0x000001A515630000-0x000001A515640000-memory.dmp

Filesize
64KB

Download
memory/4564-347-0x000002BB4B340000-0x000002BB4B350000-memory.dmp

Filesize
64KB

Download
memory/4564-344-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4564-361-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4564-346-0x000002BB4B340000-0x000002BB4B350000-memory.dmp

Filesize
64KB

Download
memory/4576-407-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4576-341-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4580-328-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4580-326-0x000001DD2EA90000-0x000001DD2EAA0000-memory.dmp

Filesize
64KB

Download
memory/4580-325-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4612-186-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4612-163-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/4612-179-0x000001B9EC140000-0x000001B9EC150000-memory.dmp

Filesize
64KB

Download
memory/4612-175-0x000001B9EC140000-0x000001B9EC150000-memory.dmp

Filesize
64KB

Download
memory/4612-173-0x000001B9ECA00000-0x000001B9ECA22000-memory.dmp

Filesize
136KB

Download