Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-03-2024 05:37

General

  • Target

    b6a21ab39a7778dc807009a9cd23d82c.exe

  • Size

    943KB

  • MD5

    b6a21ab39a7778dc807009a9cd23d82c

  • SHA1

    817268a507ce95db80028c0b0b095a3b3ed1cbc3

  • SHA256

    6723c608be16ce8a8e79c52dfae90c4fefa55b386411ac977d9565e4308c727d

  • SHA512

    7587c25beb4853fe58cfd8c2cce0f0de0dd4e976824e580e4c2d71271f542ec6f9fbc0d7958e6da483dfe5e2a317e5dc6091c12319d2d94bfbfa973fbcd5a869

  • SSDEEP

    24576:iiSvJKfOVWGK+PvpWuiWIpOEYWtR167N:kKfIG+PvpWI4ti7

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/864993390039138344/KcIraJ14D-c_gxt8b62QhfVu_PGaoIgxX5A9WLR2Iw9WLUoF8VGIsnRR969mXFvP0Unf
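The C2 above is a Discord webhook, so the only network artefact of exfiltration is an HTTPS POST to discord.com, a host most environments allow. The detector below is added here and is not part of the report or of 44Caliber; it matches the webhook path shape in URL telemetry rather than the host, and decodes the creation time carried in the webhook ID (a Discord snowflake stores milliseconds since 2015-01-01 in its top 42 bits), which dates when the attacker set the webhook up. Only the webhook URL is taken from the report; the log format, the other URLs, the client address and the timestamps are constructed for the example.

```python
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000      # Discord snowflake epoch, 2015-01-01T00:00:00Z

# Webhook endpoint shape: /api/webhooks/<snowflake id>/<token>. The optional
# version prefix (/api/v9/, /api/v10/) and the legacy discordapp.com host are
# accepted so a trivially rewritten URL is still caught.
WEBHOOK_RE = re.compile(
    r"https?://(?:[a-z0-9-]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})"
)


def find_webhooks(text):
    """Return every (webhook_id, token) pair found in text."""
    return [(m.group("id"), m.group("token")) for m in WEBHOOK_RE.finditer(text)]


def snowflake_time(snowflake):
    """Creation time encoded in a Discord snowflake (top 42 bits: ms since the Discord epoch)."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def scan_proxy_log(lines):
    """Flag webhook posts in proxy log lines of the constructed form
    '<ts> <client> <process> <method> <url>' (not any real product's format).
    The token is redacted in the returned record: it is a credential."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, process, method, url = parts[:5]
        for wid, token in find_webhooks(url):
            hits.append({
                "time": ts,
                "client": client,
                "process": process,
                "method": method,
                "webhook_id": wid,
                "token_prefix": token[:6] + "...",
                "webhook_created": snowflake_time(wid).isoformat(),
            })
    return hits


# Constructed log lines. The webhook URL is the C2 extracted from this sample;
# every other field is made up for the example.
SAMPLE_LOG = [
    "2024-03-06T05:38:01Z 10.0.0.12 msedge.exe GET https://discord.com/api/v9/gateway",
    "2024-03-06T05:38:09Z 10.0.0.12 Q4efoe5ztW.exe POST "
    "https://discord.com/api/webhooks/864993390039138344/"
    "KcIraJ14D-c_gxt8b62QhfVu_PGaoIgxX5A9WLR2Iw9WLUoF8VGIsnRR969mXFvP0Unf",
    "2024-03-06T05:38:10Z 10.0.0.12 svchost.exe GET https://www.msftconnecttest.com/connecttest.txt",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The first constructed line is why host-based blocking is not enough: the same client reaches discord.com legitimately a few seconds before the stealer posts. Treat the token as a secret; the Discord API accepts token-authenticated execute and delete calls on the webhook, so it belongs in a takedown request, not in a ticket or a shared channel.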

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • System policy modification 1 TTPs 1 IoCs
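The UPX signature above fires on static traits of the file. The parser below is an added example, not code from the report or from the 44Caliber project: it reads the PE section table with only the Python standard library and reports the two traits a UPX-style binary usually shows, the stock UPX0/UPX1 section names and a first section with zero bytes on disk but a large virtual size (where the stub writes the decompressed image at run time). It deliberately goes beyond the name check, since renaming sections is the usual "modified UPX" tweak. The two PE layouts it runs on are constructed in code; the packed one mirrors the 2.8MB image mapped at 0x400000 in the memory dumps below, but its section names and sizes are assumptions, because the report lists no sections.

```python
import struct

# Section names UPX writes by default; modified builds often rename them, so the
# size heuristic below matters more than the name match.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_sections(data):
    """Parse the PE section table from raw file bytes.

    Returns a list of (name, virtual_size, raw_size) tuples in file order.
    Only the fields needed for the packing heuristic are decoded.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections


def upx_indicators(data):
    """Score a PE for UPX-style packing.

    Two signals: the default UPX section names, and a first section with no
    data on disk but a large virtual size (UPX0, reserved for the unpacked image).
    """
    sections = parse_sections(data)
    names = {name for name, _, _ in sections}
    first = sections[0] if sections else None
    hollow_first = bool(first and first[2] == 0 and first[1] > 0)
    return {
        "upx_names": bool(names & UPX_SECTION_NAMES),
        "hollow_first_section": hollow_first,
        "virtual_bytes": sum(v for _, v, _ in sections),
        "sections": sections,
    }


def build_sample_pe(section_specs):
    """Constructed test input: a minimal PE32 header plus section table.

    Not a loadable binary; it exists so the parser can be exercised offline
    without shipping a real packed sample.
    """
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0                           # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    table = b""
    for name, vsize, rsize in section_specs:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, rsize, 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed layouts. The packed one sums to the 0x2C2000 bytes (2.8MB) mapped at
# 0x400000 in the report's memory dumps; the names and the on-disk split are assumed.
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", 0x2C2000 - 0xF0000 - 0x1000, 0),   # reserved for the unpacked image
    (b"UPX1", 0xF0000, 0xEA600),                  # compressed payload plus stub
    (b".rsrc", 0x1000, 0x800),
])
CLEAN_SAMPLE = build_sample_pe([
    (b".text", 0x40000, 0x40000),
    (b".data", 0x2000, 0x1000),
])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, upx_indicators(blob))
```

A 943KB file that maps a 2.8MB image at its base is consistent with in-place unpacking, so the useful artefact for static analysis is the later memory dump of the 0x400000-0x6C2000 range from PID 1768, taken after the stub has run, rather than the packed file itself.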

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6a21ab39a7778dc807009a9cd23d82c.exe
    "C:\Users\Admin\AppData\Local\Temp\b6a21ab39a7778dc807009a9cd23d82c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1768
    • C:\Users\Admin\AppData\Local\Temp\Q4efoe5ztW.exe
      "C:\Users\Admin\AppData\Local\Temp\Q4efoe5ztW.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3744
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1956
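The tree shows the original executable (PID 1768) modifying Winlogon before it drops and runs Q4efoe5ztW.exe (PID 3744). The check below is an added example, not anything from the report: it audits the Winlogon key's Shell and Userinit values against their stock data by parsing `reg query` text output, so it runs against output collected from a live host or saved in a triage bundle. The report does not say which value was changed or what was written; the sample output, which appends the dropped executable to Shell, is constructed for the example, and the stock values are those of a clean Windows 10 x64 install.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock data on a clean Windows 10 x64 install. Winlogon runs every comma-separated
# entry, so persistence usually appends a path rather than replacing the value.
EXPECTED = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# One `reg query` value line: indent, name, type, data. Winlogon value names
# contain no spaces, so a single \S+ is enough for the name.
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def parse_reg_query(output):
    """Turn `reg query <key>` text into {value_name: data}; key lines are skipped."""
    values = {}
    for line in output.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("data").rstrip()
    return values


def audit_winlogon(output):
    """Return one finding per audited value whose data deviates from stock."""
    values = parse_reg_query(output)
    findings = []
    for name, expected in EXPECTED.items():
        actual = values.get(name)
        if actual is None or actual.lower() == expected.lower():
            continue
        stock = expected.rstrip(",").lower()
        extras = [p.strip() for p in actual.split(",")
                  if p.strip() and p.strip().lower() != stock]
        findings.append({"value": name, "data": actual, "extra_programs": extras})
    return findings


# Constructed `reg query` output. The appended path is the dropped file from the
# report; that it lands in Shell (rather than Userinit) is an assumption.
SAMPLE_REG_QUERY = "\n".join([
    "",
    WINLOGON_KEY,
    "    AutoRestartShell    REG_DWORD    0x1",
    "    Shell    REG_SZ    explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Q4efoe5ztW.exe",
    "    Userinit    REG_SZ    C:\\Windows\\system32\\userinit.exe,",
    "",
])
CLEAN_REG_QUERY = "\n".join([
    "",
    WINLOGON_KEY,
    "    Shell    REG_SZ    explorer.exe",
    "    Userinit    REG_SZ    C:\\Windows\\system32\\userinit.exe,",
    "",
])

if __name__ == "__main__":
    for f in audit_winlogon(SAMPLE_REG_QUERY):
        print(f"{f['value']}: {f['data']}  -> extra: {f['extra_programs']}")
```

Feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`. A per-user copy of the key exists under HKCU and is writable without elevation, so audit both hives. Given the "System policy modification" and UAC bypass signatures on the same process, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is the other key worth diffing against a clean host.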

    MITRE ATT&CK Matrix (ATT&CK v13)

    Persistence
      • Boot or Logon Autostart Execution (T1547) ×1
      • Winlogon Helper DLL (T1547.004) ×1

    Privilege Escalation
      • Boot or Logon Autostart Execution (T1547) ×1
      • Winlogon Helper DLL (T1547.004) ×1
      • Abuse Elevation Control Mechanism (T1548) ×1
      • Bypass User Account Control (T1548.002) ×1

    Defense Evasion
      • Modify Registry (T1112) ×3
      • Abuse Elevation Control Mechanism (T1548) ×1
      • Bypass User Account Control (T1548.002) ×1
      • Impair Defenses (T1562) ×1
      • Disable or Modify Tools (T1562.001) ×1

    Credential Access
      • Unsecured Credentials (T1552) ×2
      • Credentials In Files (T1552.001) ×2

    Discovery
      • Query Registry (T1012) ×2
      • System Information Discovery (T1082) ×3

    Collection
      • Data from Local System (T1005) ×2

    Downloads

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      1KB

      MD5

      8f013a31f35e43382f73c65d6ea49ae0

      SHA1

      4f6c30a6483522c2ff3e5789fc396f285b876c55

      SHA256

      04cb3846e0d11ad5d0450f797fb935d6d97f0267b7f713054b885e50c8bdb4ae

      SHA512

      90501fc8b5a7cca89dfbe2bbb3e257e36d3bb9d0a9bf67e8c80c04e9519aeac1f868d679ccdfbb37d4faa4a404c2cbf4842430009d6d85c81e48e8d73225d3a8

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      235B

      MD5

      8ed73b92f216a4e3c36187b732ec65cc

      SHA1

      8a2c43e5f12e2f8ea338113de88fbdab16ed5acb

      SHA256

      bd3bc72250bf29868c972ba29561f68196c2cd2eb4e62f262ef8233a172df7ad

      SHA512

      8608ec0f4ffbd5e5e16a16dd46cbfe4999aa2d042f363d0dff9e6f71b7f55485297cfcdab07ec4ecc041c8cb7d8d997d1cc6ff37600a1c772a55e6aa7a8fd576

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      572B

      MD5

      f3990e1f69c42b53f52f6ff14e1eda7a

      SHA1

      d081d86d00b710f6c47dce0fe4e6e80a8f234cc2

      SHA256

      b5e5aefb9bb5b395283037bb5890fbb97fdb48117a1db1d49ac93d3d67fd51ab

      SHA512

      893df12dbd61dbe9b0c8691f87d3f5e51e3ca0f12790e5907049d7dbf763a3c1889245d1f2215209c8e69864e591b4f0c6198810eb25d8a6b5d4d138bc68e761

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      902B

      MD5

      3b6b68f35c44b93f3d7b457ec3f65fbc

      SHA1

      06d542fe2496bcd3a7d32eef969ad9301fff1600

      SHA256

      51c38ee9b6d0f7952b2a1d25758ade44a8b08c7f4f4207f2eb5bd6b48c8bb13e

      SHA512

      3a8160907234befdafe9eb0425c221361d1709ddc192d3cad012b5a809093005fa70cd58575828d43de281dc1075e74bf36e13c46f3e3731a3697a29767384b4

    • C:\Users\Admin\AppData\Local\Temp\Q4efoe5ztW.exe
      Filesize

      274KB

      MD5

      78fe81b560fe19e1a42a017a667f3f06

      SHA1

      4a75705ce154ef06374f1c48e7dcc321b8342d5a

      SHA256

      122b27bae3026a926b31aee5722909c010291a4635a3bb725caa1c71006ea327

      SHA512

      f19b09c6883a6df1f15dddaf8ac06d9709fc038ae1c8ca9f69d994c3370c35069e304690275ee1f3aebb44e8e682071ee56c06c01597c9afd925ada66499d050

    • memory/1768-0-0x0000000000400000-0x00000000006C2000-memory.dmp
      Filesize

      2.8MB

    • memory/1768-43-0x0000000000400000-0x00000000006C2000-memory.dmp
      Filesize

      2.8MB

    • memory/3744-14-0x00000000007D0000-0x000000000081A000-memory.dmp
      Filesize

      296KB

    • memory/3744-27-0x00007FFAE2B30000-0x00007FFAE35F1000-memory.dmp
      Filesize

      10.8MB

    • memory/3744-34-0x0000000000F20000-0x0000000000F30000-memory.dmp
      Filesize

      64KB

    • memory/3744-143-0x000000001C0B0000-0x000000001C259000-memory.dmp
      Filesize

      1.7MB

    • memory/3744-144-0x00007FFAE2B30000-0x00007FFAE35F1000-memory.dmp
      Filesize

      10.8MB