44caliber | 4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3

General

Target

73267c2a412170b3f3df33616b1e1e8e.exe
Size

691KB
MD5

73267c2a412170b3f3df33616b1e1e8e
SHA1

bcc8e0537ea776cf75ea83aec75130fc5ba36b43
SHA256

4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3
SHA512

3354d9f68f4e4ba5a1d88d9d1c9e8cb8f2067f7a03bf1b60d7658b9a036d642f64d35a98ae13115795e2078dff1fbf94dfed4e71c5134b6f24600366d7d6e13e
SSDEEP

12288:4KmX4064w0jAQrjnY8/V1Ng6U+VAqEr4viIrvLZo4P84ldlBGPMmLbAEWBvB7:4KCR3Pzg6U+Qk97G4P84dX0Mmv5WVB

Score

10^/10

44caliber evasion persistence spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

920 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2832 cmd.exe

pid	process
920	netsh.exe

pid	process
2832	cmd.exe

Drops startup file 2 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcd9e400682bb0f4003b0aee2047a5cb.exe	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcd9e400682bb0f4003b0aee2047a5cb.exe	RuntimeBroker.exe

Executes dropped EXE 3 IoCs

Processes:

Insidious.exeRuntimeBroker.exeRuntimeBroker.exe

pid process

2784 Insidious.exe
2780 RuntimeBroker.exe
1220 RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\fcd9e400682bb0f4003b0aee2047a5cb = "\"C:\\Windows\\RuntimeBroker.exe\" .."	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fcd9e400682bb0f4003b0aee2047a5cb = "\"C:\\Windows\\RuntimeBroker.exe\" .."	RuntimeBroker.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app

flow	ioc
4	freegeoip.app
5	freegeoip.app

Drops file in Windows directory 3 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
File created	C:\Windows\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\RuntimeBroker.exe	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3008 PING.EXE
2568 PING.EXE

pid	process
3008	PING.EXE
2568	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Insidious.exeRuntimeBroker.exe

pid	process
2784	Insidious.exe
2784	Insidious.exe
2784	Insidious.exe
2784	Insidious.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe
1220	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RuntimeBroker.exe

pid process

1220 RuntimeBroker.exe

pid	process
1220	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

Insidious.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	2784	Insidious.exe
Token: SeDebugPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe
Token: 33	1220	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	1220	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

73267c2a412170b3f3df33616b1e1e8e.execmd.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process	target process
PID 2880 wrote to memory of 2784	2880	73267c2a412170b3f3df33616b1e1e8e.exe	Insidious.exe
PID 2880 wrote to memory of 2784	2880	73267c2a412170b3f3df33616b1e1e8e.exe	Insidious.exe
PID 2880 wrote to memory of 2784	2880	73267c2a412170b3f3df33616b1e1e8e.exe	Insidious.exe
PID 2880 wrote to memory of 2780	2880	73267c2a412170b3f3df33616b1e1e8e.exe	RuntimeBroker.exe
PID 2880 wrote to memory of 2780	2880	73267c2a412170b3f3df33616b1e1e8e.exe	RuntimeBroker.exe
PID 2880 wrote to memory of 2780	2880	73267c2a412170b3f3df33616b1e1e8e.exe	RuntimeBroker.exe
PID 2880 wrote to memory of 2780	2880	73267c2a412170b3f3df33616b1e1e8e.exe	RuntimeBroker.exe
PID 2880 wrote to memory of 2832	2880	73267c2a412170b3f3df33616b1e1e8e.exe	cmd.exe
PID 2880 wrote to memory of 2832	2880	73267c2a412170b3f3df33616b1e1e8e.exe	cmd.exe
PID 2880 wrote to memory of 2832	2880	73267c2a412170b3f3df33616b1e1e8e.exe	cmd.exe
PID 2832 wrote to memory of 3008	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 3008	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 3008	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 2568	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 2568	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 2568	2832	cmd.exe	PING.EXE
PID 2780 wrote to memory of 1220	2780	RuntimeBroker.exe	RuntimeBroker.exe
PID 2780 wrote to memory of 1220	2780	RuntimeBroker.exe	RuntimeBroker.exe
PID 2780 wrote to memory of 1220	2780	RuntimeBroker.exe	RuntimeBroker.exe
PID 2780 wrote to memory of 1220	2780	RuntimeBroker.exe	RuntimeBroker.exe
PID 1220 wrote to memory of 920	1220	RuntimeBroker.exe	netsh.exe
PID 1220 wrote to memory of 920	1220	RuntimeBroker.exe	netsh.exe
PID 1220 wrote to memory of 920	1220	RuntimeBroker.exe	netsh.exe
PID 1220 wrote to memory of 920	1220	RuntimeBroker.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e.exe
"C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\RuntimeBroker.exe
"C:\Windows\RuntimeBroker.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 100
3⤵
- Runs ping.exe
PID:3008

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 900
3⤵
- Runs ping.exe
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
395B

MD5
2599c0b136996856d550ee5d1ea16a8b

SHA1
4a769a844cd27811a0642b3f31ad82f6a3c888a0

SHA256
21fb9d0d6ac39b88f2e6fdb3ea29196da51dab3f2055e835d9892432f59d7372

SHA512
6462deb228e0e15026405fa91d44d654cce793d29acf1db5bf25b7e145df73771317a0464c3cfd9ab53ee724524855f4d77dc0e7e8de8156b095444a9b36cde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
328KB

MD5
f6639aa0f7e43cf09431850b3f473238

SHA1
3c7740ceacf062f8d71095bb440e280fdd3372ec

SHA256
870859b15395ba5c50bffd2e90b230d4ebc890c9ba8f674f87862b22254ec25e

SHA512
1e3fb39565e8d8f7c20e750735d79b06a97d49dbdae541f0e8e4fc97cff190d12e6bca77cef7d0018fe23f8c656d024766a05655ad6d18cdadaee2ded2b75d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
Filesize
260KB

MD5
1acabd72a026449937fc1cd16d0b5423

SHA1
809ea7e21d0e3d80a6445c245daa2e018a417126

SHA256
81634c88831adcb3e44d92ecd2e2a4534b50cf2d7bf001a02d68faa5d9a92bc2

SHA512
40fcccd3b7aac5c5ff1bbfb2e491c4f8106e44f6e5c373b590ef2474469c8c25f44725c7d6310a242be7bec9aede4e02fa5196358d45ee620e4228866cbebb1d

Download Submit
memory/1220-87-0x0000000001FE0000-0x0000000002020000-memory.dmp

Filesize
256KB

Download
memory/1220-86-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-81-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-84-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-82-0x0000000001FE0000-0x0000000002020000-memory.dmp

Filesize
256KB

Download
memory/2780-42-0x0000000000610000-0x0000000000650000-memory.dmp

Filesize
256KB

Download
memory/2780-83-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-41-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-40-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-72-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2784-15-0x0000000002150000-0x00000000021BE000-memory.dmp

Filesize
440KB

Download
memory/2784-13-0x000000001AE30000-0x000000001AEB0000-memory.dmp

Filesize
512KB

Download
memory/2784-12-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2784-11-0x0000000000C50000-0x0000000000CA8000-memory.dmp

Filesize
352KB

Download
memory/2880-22-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-0-0x0000000000380000-0x0000000000434000-memory.dmp

Filesize
720KB

Download
memory/2880-3-0x00000000002C0000-0x000000000035C000-memory.dmp

Filesize
624KB

Download
memory/2880-2-0x0000000002180000-0x0000000002200000-memory.dmp

Filesize
512KB

Download
memory/2880-1-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads