Analysis
-
max time kernel
147s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
16-05-2024 18:31
General
-
Target
leet-cheats-freeware.vmp.exe
-
Size
6.9MB
-
MD5
98396064f2a7683dcc23ba2dbdaac347
-
SHA1
09d6c4ca59e59265b17d448e5e0c5887171f03e0
-
SHA256
2dcfd9b32402fa9b0899100d5707b28552dc9d932548230af3aed4e2ae3c7bca
-
SHA512
5b634afa4720a11e7e5fa5c2c7fb8a1b421f94fb116d252c7c27b74bfc16eb6a3353f47ab94bab77d4fa79a49570a8a770a4ba0372408be6ef9af8f131a7ffed
-
SSDEEP
196608:D+Hi7E7LsX2GHY282Nhg5f4X6JiqO5ftIEDaajLeaK/mQ:aH74mGHQ2NmV4qJDO5ftYH/mQ
Score
10/10
Malware Config
Extracted
Family
44caliber
C2
https://discord.com/api/webhooks/1239998001162883183/Prdtl-xV5N5KoPdJjFyeakzF-tcDlNNdpgQa5_WSJhD6azfB04Gi-4sCmpkCOwJ_5MMR
Signatures
-
44Caliber
An open source infostealer written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\leet-cheats-freeware.vmp.exe"C:\Users\Admin\AppData\Local\Temp\leet-cheats-freeware.vmp.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2323.exe"C:\Users\Admin\AppData\Local\Temp\2323.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\leet-cheats.exe"C:\Users\Admin\AppData\Local\Temp\leet-cheats.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://unicore.cloud/drama3⤵
-
C:\Users\Admin\AppData\Local\Temp\loader.data"loader.data"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4636,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4952 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4800,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5104,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5424,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5436,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5928,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5452,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=4960,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3888,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3780 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4328,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4936 /prefetch:81⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x51c 0x4f01⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5788,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2323.exeFilesize
303KB
MD56d4d2a454bc8728f442e32c4471abdbd
SHA1bfb79b63f606947623c418da921b65dd0a192b5e
SHA256926a0c168b569f523cfc1c88586bfaebad3cb5c8348da3978ea27442f49a89bb
SHA512ff30db6131e49f51fe9d18c2a3a3218b8b8ebfd7117dce7d9b7f8072b5eba12768e08ec723a0fd3ebd626f056b485bf7d18bd536fb0a3a8eeec88a107bdfe616
-
C:\Users\Admin\AppData\Local\Temp\leet-cheats.exeFilesize
6.6MB
MD513950d86cb3748b2a1f535eaace1a3d6
SHA19b1634057a11119ed38d1574bc2db160084cefd3
SHA25610328d771df10ba9f20ff5a65046d559bdf35d36855bba0af909febaee9e53a9
SHA5126ee06e0576d571f9e2fedbe904ecfab5a83b2fd8adc28d469ab08c728610eab215b8c6946feab8f4e33510978e879c66618225f23c4c3b6dff66b96147fd0964
-
C:\Users\Admin\AppData\Local\Temp\loader.dataFilesize
5.2MB
MD5b86bbb42b26e72a601087f68cda89208
SHA1baca49e35da3b83cd56ba579d61f98e9b137debe
SHA256320eff01b2a5b520853cd9b0c7486b3d9992dce2f9308f267069a60f88f8deb0
SHA512e98dfeb55d6053d6e2ec323f4665b4ea8cdb5bae0807ac70ac5dbb6cf7f3e8e1ba6a2ad099f8232b0e0ca9a738a9baf7d132957fb5d503c78283b229e35ed974
-
memory/2336-59-0x00007FF6835D0000-0x00007FF6841FA000-memory.dmpFilesize
12.2MB
-
memory/2964-51-0x00007FF64D200000-0x00007FF64DF23000-memory.dmpFilesize
13.1MB
-
memory/3352-20-0x0000000000400000-0x0000000000AF1000-memory.dmpFilesize
6.9MB
-
memory/4772-12-0x000001F346910000-0x000001F346962000-memory.dmpFilesize
328KB
-
memory/4772-15-0x00007FFCAD333000-0x00007FFCAD335000-memory.dmpFilesize
8KB
-
memory/4772-44-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmpFilesize
10.8MB
-
memory/4772-50-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmpFilesize
10.8MB