Analysis
-
max time kernel
53s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09-03-2024 17:58
General
-
Target
Softcoreinstall.exe
-
Size
274KB
-
MD5
6d36919d059547c600e70d251864b691
-
SHA1
5571a82c4fb5274e5d858448e51fca045c89c01c
-
SHA256
cea25234ff6e1e950f760167de3dc0df47c921914cd81cb340d0d9af1ecf9b4c
-
SHA512
c329d8929216e2f8c500c26d310c4b137385dd8e24d214feffcac79ac9e8e008f8c0909f83d80e27a76f8b4c0710b566e3dc4489172aa125cbf876ae659eaab9
-
SSDEEP
6144:mf+BLtABPDFcYumU1SZedpXyEq11afTy4lI1D0hVw:kcNS0dpXyEqJF1Dow
Malware Config
Extracted
44caliber
https://discordapp.com/api/webhooks/1215016857619275786/muCuwo2orfQ-J7FphyDUzXj-bBoSq2lVyekxXRaivuh5cbtqNobITDwhhjVdafZFaU9y
Signatures
-
44Caliber
An open source infostealer written in C#.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Softcoreinstall.exe"C:\Users\Admin\AppData\Local\Temp\Softcoreinstall.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
742B
MD5f1599a704da72a3cf72f97c9e70ffb53
SHA1f8588833c6fc6098c986b509a146a780b74f7b18
SHA256687090b2acb8503cc621583eb2f5c12ec7fa8fa57d93dedbd6056bbaf51e1bf8
SHA5124afba6afe652719752b77573f98f495884dfaa66bffedba75aef745f5348429e99436e101fc9a1171bd74716694364a623be1bb0303300bb13a56934fca64693
-
Filesize
937B
MD5a3e5d9f7b6468d14aeb1a8beac230198
SHA1fcae335135071b04c375477fa64f6a8873acf809
SHA256b0fc6faf86f3e84169b36081251a86aa6eed6e504ffb1fd9ef5086f0284de0ae
SHA51236d392ef07f55184ce0643b390806c7e24ae154530c5dde288cb90154c2ef5be3afe0ae6fee54c708aee1fb4894c3821db72f08e337156a838d783e1a942464a
-
Filesize
1KB
MD55706b41a8a0471005a56d2cf70698ae0
SHA15fff568a5fc190d8f4239f6e3b3435c35db46b19
SHA256a30c25b9f49b50ebace97a1182f72bd44ca0abdab8c72109f256da532b57bfe7
SHA512ad62b93b7a178ec3d2f849b93377a3fb2ac17cd897428eaac81bde84542e72b87852ea215bf3708601d7fc7a06d65306580b0d223cc1df55092801349b5d8ba5
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
296KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB