Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-03-2024 12:35

General

  • Target

    de069850c1f3a9781055a89106a171eb.exe

  • Size

    841KB

  • MD5

    de069850c1f3a9781055a89106a171eb

  • SHA1

    e5ca37468e8000e2f2608459c35ebba2af038a03

  • SHA256

    98d5142945eee6b8913defa708a7a4d128c179d1dd5924b154a47cd90ed89244

  • SHA512

    07493910df95551c800250e54c570dc3d105688be9d8c8f40a61192e74da6e46ba3fad4163f6fee15e0c48c566a9a619b9d6ae2da36716baf08e62a630953bc7

  • SSDEEP

    12288:ofaU66HJrHH2+p5r8mUrdM8COTpbR1eamQpHonbvlF9omcNLcklRI2wQuES3ov5b:qAYllr8lTXpHgPNJBq

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\de069850c1f3a9781055a89106a171eb.exe (PID 2884)
    Command line: "C:\Users\Admin\AppData\Local\Temp\de069850c1f3a9781055a89106a171eb.exe"
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • Unsecured Credentials (T1552): 2
    • Credentials In Files (T1552.001): 2
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1
  • Collection
    • Data from Local System (T1005): 2

Downloads

  • C:\ProgramData\44\Process.txt
    Filesize: 188B
    MD5: a33c71892417d78f54585ce9753b2e06
    SHA1: d19b2fc77343499817461a36388124f8fa66f59d
    SHA256: 39310134685aadf725857c226e3b2b4067e2a6b2b1350ac0dad739fe48d2425a
    SHA512: 790805a1e1e91428b9e922d3a4335a12fb369b7787b6aa3e5aaae84d125d0f10007f75a666c95a3e5fbd11c3b12f7bb1bb0d857c56063b4c1a42039fe0141be0

  • C:\ProgramData\44\Process.txt
    Filesize: 397B
    MD5: 9fb8385cd8c836c02c5b32f7ac2b52d4
    SHA1: c175e9dca57aacdf622a77d1dc7ef620b1d6162e
    SHA256: fb290bd92d0c62396dbf9ab1f7fb83ec1ba373a26a9c7b5fcdc3a2cdb7f40c09
    SHA512: fde6681b5ab337f84fbc93791670c6e938d6c506fd02921909fd0a6368f1cc15f6a5bc849954dc2b008978bb4c6e9398a997c4c4889a72ec5169f2307a99c29f

  • memory/2884-0-0x0000000001210000-0x00000000012EA000-memory.dmp
    Filesize: 872KB

  • memory/2884-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
    Filesize: 9.9MB

  • memory/2884-2-0x0000000000340000-0x0000000000346000-memory.dmp
    Filesize: 24KB

  • memory/2884-3-0x000000001B0A0000-0x000000001B120000-memory.dmp
    Filesize: 512KB

  • memory/2884-49-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp
    Filesize: 9.9MB