Analysis
- max time kernel: 30s
- max time network: 34s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-02-2024 19:53
Behavioral task
- behavioral1
- Sample: icode.exe
- Resource: win7-20240221-en
General
- Target: icode.exe
- Size: 274KB
- MD5: 7fefc276f2e1ae851bef2b3be49ffa83
- SHA1: 083df00bb408f94805ec1e9cfa70c95cccf1b4c7
- SHA256: b6d903a6675cad3991fc497696dd68fd108d835f577c2f97142593c2871461c7
- SHA512: 4dd1b172b78b444a8a6ca6b3d5987dba30b85600eb97feb6e2ad90288e1d8fc7c1e49be0b9565bbf23ef4f8236e16407f6f671351f4ebc4604ae00bf3f592d7b
- SSDEEP: 6144:5f+BLtABPDMtBBfn1Y0gIoHOQpafTyclI1D03e7:+tVvgIoHOOR1DF7
Malware Config
Extracted
- 44caliber
- https://discordapp.com/api/webhooks/1177318846365978644/WqRVEpWYXkvEShUxMDfFChXP4hGQTeq-WCw7kZXxlaQ3h4sSnNIoFPbGdna5FGYOsBPj
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5 | freegeoip.app
  8 | freegeoip.app
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | icode.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | icode.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TypedURLs | taskmgr.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | taskmgr.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | taskmgr.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | taskmgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | taskmgr.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid | Process
  2488 | icode.exe (5 entries)
  3296 | taskmgr.exe (21 entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2488 | icode.exe
  Token: SeDebugPrivilege | 3296 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 3296 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 3296 | taskmgr.exe
  Token: 33 | 3296 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 3296 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (47 IoCs)
  pid | Process
  3296 | taskmgr.exe (all 47 entries)
- Suspicious use of SendNotifyMessage (46 IoCs)
  pid | Process
  3296 | taskmgr.exe (all 46 entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3296 | taskmgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\icode.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\icode.exe"
  PID: 2488
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3296
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3692
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 783B
  MD5: a713d73417dd8ca9c2728582573dce02
  SHA1: e1538fac81b47bdb8c2af97b629c0bed4be4fbb2
  SHA256: 55691a514112e6482306eb1af11b7541d2b71c5e4d8b78579f441c28e4d6d78c
  SHA512: ebc5499f6794eca56b564bb5d747323a7e8d2aa5241f0d9e473c37d148efc8c71e54b59fc889186790082bbdef571eca33f38ecd10538118693c212929442a87
- Filesize: 1KB
  MD5: 87689c87e20f4adbf9a90b59bd122209
  SHA1: 07f8531d5713ee944a6797c453c2a570cb18e8c4
  SHA256: e83cf85e5902e3e24f6cad91796095fdefb156100f9a15b8f7c335dfa794737d
  SHA512: e6e754a319f3289652bf11b40eefaeae6383b5e84b8ebd8db06a4cd3d0751bcf0502f14b54a78092d72359695f47965c6a6661fe9cd7186d18b033ff567b3778