Overview

overview

10

Static

static

10

Softcoreinstall.exe

windows7-x64

10

Softcoreinstall.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-03-2024 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Softcoreinstall.exe

  • Size

    274KB

  • MD5

    6d36919d059547c600e70d251864b691

  • SHA1

    5571a82c4fb5274e5d858448e51fca045c89c01c

  • SHA256

    cea25234ff6e1e950f760167de3dc0df47c921914cd81cb340d0d9af1ecf9b4c

  • SHA512

    c329d8929216e2f8c500c26d310c4b137385dd8e24d214feffcac79ac9e8e008f8c0909f83d80e27a76f8b4c0710b566e3dc4489172aa125cbf876ae659eaab9

  • SSDEEP

    6144:mf+BLtABPDFcYumU1SZedpXyEq11afTy4lI1D0hVw:kcNS0dpXyEqJF1Dow

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/1215016857619275786/muCuwo2orfQ-J7FphyDUzXj-bBoSq2lVyekxXRaivuh5cbtqNobITDwhhjVdafZFaU9y

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Softcoreinstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Softcoreinstall.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3924
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3052
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1100

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\44\Process.txt
      Filesize

      742B

      MD5

      f1599a704da72a3cf72f97c9e70ffb53

      SHA1

      f8588833c6fc6098c986b509a146a780b74f7b18

      SHA256

      687090b2acb8503cc621583eb2f5c12ec7fa8fa57d93dedbd6056bbaf51e1bf8

      SHA512

      4afba6afe652719752b77573f98f495884dfaa66bffedba75aef745f5348429e99436e101fc9a1171bd74716694364a623be1bb0303300bb13a56934fca64693

      Download Submit
    • C:\Users\Admin\AppData\Roaming\44\Process.txt
      Filesize

      937B

      MD5

      a3e5d9f7b6468d14aeb1a8beac230198

      SHA1

      fcae335135071b04c375477fa64f6a8873acf809

      SHA256

      b0fc6faf86f3e84169b36081251a86aa6eed6e504ffb1fd9ef5086f0284de0ae

      SHA512

      36d392ef07f55184ce0643b390806c7e24ae154530c5dde288cb90154c2ef5be3afe0ae6fee54c708aee1fb4894c3821db72f08e337156a838d783e1a942464a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\44\Process.txt
      Filesize

      1KB

      MD5

      5706b41a8a0471005a56d2cf70698ae0

      SHA1

      5fff568a5fc190d8f4239f6e3b3435c35db46b19

      SHA256

      a30c25b9f49b50ebace97a1182f72bd44ca0abdab8c72109f256da532b57bfe7

      SHA512

      ad62b93b7a178ec3d2f849b93377a3fb2ac17cd897428eaac81bde84542e72b87852ea215bf3708601d7fc7a06d65306580b0d223cc1df55092801349b5d8ba5

      Download Submit
    • memory/3052-130-0x000001A7E00B0000-0x000001A7E00B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3052-138-0x000001A7E00B0000-0x000001A7E00B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3052-142-0x000001A7E00B0000-0x000001A7E00B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3052-143-0x000001A7E00B0000-0x000001A7E00B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3052-141-0x000001A7E00B0000-0x000001A7E00B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3052-137-0x000001A7E00B0000-0x000001A7E00B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3052-131-0x000001A7E00B0000-0x000001A7E00B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3052-132-0x000001A7E00B0000-0x000001A7E00B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3052-139-0x000001A7E00B0000-0x000001A7E00B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3052-140-0x000001A7E00B0000-0x000001A7E00B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3924-2-0x00000278C4660000-0x00000278C4670000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3924-0-0x00000278AA100000-0x00000278AA14A000-memory.dmp
      Filesize

      296KB

      Download
    • memory/3924-129-0x00000278C4660000-0x00000278C4670000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3924-128-0x00007FFCA22D0000-0x00007FFCA2D91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3924-1-0x00007FFCA22D0000-0x00007FFCA2D91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3924-145-0x00007FFCA22D0000-0x00007FFCA2D91000-memory.dmp
      Filesize

      10.8MB

      Download