44caliber | 4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73267c2a412170b3f3df33616b1e1e8e.exe
Size

691KB
MD5

73267c2a412170b3f3df33616b1e1e8e
SHA1

bcc8e0537ea776cf75ea83aec75130fc5ba36b43
SHA256

4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3
SHA512

3354d9f68f4e4ba5a1d88d9d1c9e8cb8f2067f7a03bf1b60d7658b9a036d642f64d35a98ae13115795e2078dff1fbf94dfed4e71c5134b6f24600366d7d6e13e
SSDEEP

12288:4KmX4064w0jAQrjnY8/V1Ng6U+VAqEr4viIrvLZo4P84ldlBGPMmLbAEWBvB7:4KCR3Pzg6U+Qk97G4P84dX0Mmv5WVB

Score

10^/10

44caliber evasion persistence spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
920	netsh.exe

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcd9e400682bb0f4003b0aee2047a5cb.exe	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcd9e400682bb0f4003b0aee2047a5cb.exe	RuntimeBroker.exe

Executes dropped EXE 3 IoCs

pid	Process
2784	Insidious.exe
2780	RuntimeBroker.exe
1220	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\fcd9e400682bb0f4003b0aee2047a5cb = "\"C:\\Windows\\RuntimeBroker.exe\" .."	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fcd9e400682bb0f4003b0aee2047a5cb = "\"C:\\Windows\\RuntimeBroker.exe\" .."	RuntimeBroker.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\RuntimeBroker.exe	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3008	PING.EXE
2568	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	Insidious.exe
2784	Insidious.exe
2784	Insidious.exe
2784	Insidious.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1220	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	Insidious.exe
Token: SeDebugPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2784	2880	73267c2a412170b3f3df33616b1e1e8e.exe	28
PID 2880 wrote to memory of 2784	2880	73267c2a412170b3f3df33616b1e1e8e.exe	28
PID 2880 wrote to memory of 2784	2880	73267c2a412170b3f3df33616b1e1e8e.exe	28
PID 2880 wrote to memory of 2780	2880	73267c2a412170b3f3df33616b1e1e8e.exe	29
PID 2880 wrote to memory of 2780	2880	73267c2a412170b3f3df33616b1e1e8e.exe	29
PID 2880 wrote to memory of 2780	2880	73267c2a412170b3f3df33616b1e1e8e.exe	29
PID 2880 wrote to memory of 2780	2880	73267c2a412170b3f3df33616b1e1e8e.exe	29
PID 2880 wrote to memory of 2832	2880	73267c2a412170b3f3df33616b1e1e8e.exe	30
PID 2880 wrote to memory of 2832	2880	73267c2a412170b3f3df33616b1e1e8e.exe	30
PID 2880 wrote to memory of 2832	2880	73267c2a412170b3f3df33616b1e1e8e.exe	30
PID 2832 wrote to memory of 3008	2832	cmd.exe	32
PID 2832 wrote to memory of 3008	2832	cmd.exe	32
PID 2832 wrote to memory of 3008	2832	cmd.exe	32
PID 2832 wrote to memory of 2568	2832	cmd.exe	33
PID 2832 wrote to memory of 2568	2832	cmd.exe	33
PID 2832 wrote to memory of 2568	2832	cmd.exe	33
PID 2780 wrote to memory of 1220	2780	RuntimeBroker.exe	35
PID 2780 wrote to memory of 1220	2780	RuntimeBroker.exe	35
PID 2780 wrote to memory of 1220	2780	RuntimeBroker.exe	35
PID 2780 wrote to memory of 1220	2780	RuntimeBroker.exe	35
PID 1220 wrote to memory of 920	1220	RuntimeBroker.exe	36
PID 1220 wrote to memory of 920	1220	RuntimeBroker.exe	36
PID 1220 wrote to memory of 920	1220	RuntimeBroker.exe	36
PID 1220 wrote to memory of 920	1220	RuntimeBroker.exe	36

C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e.exe
"C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\RuntimeBroker.exe
    "C:\Windows\RuntimeBroker.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:3008
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
395B

MD5
2599c0b136996856d550ee5d1ea16a8b

SHA1
4a769a844cd27811a0642b3f31ad82f6a3c888a0

SHA256
21fb9d0d6ac39b88f2e6fdb3ea29196da51dab3f2055e835d9892432f59d7372

SHA512
6462deb228e0e15026405fa91d44d654cce793d29acf1db5bf25b7e145df73771317a0464c3cfd9ab53ee724524855f4d77dc0e7e8de8156b095444a9b36cde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
328KB

MD5
f6639aa0f7e43cf09431850b3f473238

SHA1
3c7740ceacf062f8d71095bb440e280fdd3372ec

SHA256
870859b15395ba5c50bffd2e90b230d4ebc890c9ba8f674f87862b22254ec25e

SHA512
1e3fb39565e8d8f7c20e750735d79b06a97d49dbdae541f0e8e4fc97cff190d12e6bca77cef7d0018fe23f8c656d024766a05655ad6d18cdadaee2ded2b75d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
260KB

MD5
1acabd72a026449937fc1cd16d0b5423

SHA1
809ea7e21d0e3d80a6445c245daa2e018a417126

SHA256
81634c88831adcb3e44d92ecd2e2a4534b50cf2d7bf001a02d68faa5d9a92bc2

SHA512
40fcccd3b7aac5c5ff1bbfb2e491c4f8106e44f6e5c373b590ef2474469c8c25f44725c7d6310a242be7bec9aede4e02fa5196358d45ee620e4228866cbebb1d

Download Submit
memory/1220-87-0x0000000001FE0000-0x0000000002020000-memory.dmp

Filesize
256KB

Download
memory/1220-86-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-81-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-84-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-82-0x0000000001FE0000-0x0000000002020000-memory.dmp

Filesize
256KB

Download
memory/2780-42-0x0000000000610000-0x0000000000650000-memory.dmp

Filesize
256KB

Download
memory/2780-83-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-41-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-40-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-72-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2784-15-0x0000000002150000-0x00000000021BE000-memory.dmp

Filesize
440KB

Download
memory/2784-13-0x000000001AE30000-0x000000001AEB0000-memory.dmp

Filesize
512KB

Download
memory/2784-12-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2784-11-0x0000000000C50000-0x0000000000CA8000-memory.dmp

Filesize
352KB

Download
memory/2880-22-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-0-0x0000000000380000-0x0000000000434000-memory.dmp

Filesize
720KB

Download
memory/2880-3-0x00000000002C0000-0x000000000035C000-memory.dmp

Filesize
624KB

Download
memory/2880-2-0x0000000002180000-0x0000000002200000-memory.dmp

Filesize
512KB

Download
memory/2880-1-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download