Overview

overview

10

Static

static

10

leet-cheat...mp.exe

windows7-x64

10

leet-cheat...mp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    leet-cheats-freeware.vmp.exe

  • Size

    6.9MB

  • MD5

    98396064f2a7683dcc23ba2dbdaac347

  • SHA1

    09d6c4ca59e59265b17d448e5e0c5887171f03e0

  • SHA256

    2dcfd9b32402fa9b0899100d5707b28552dc9d932548230af3aed4e2ae3c7bca

  • SHA512

    5b634afa4720a11e7e5fa5c2c7fb8a1b421f94fb116d252c7c27b74bfc16eb6a3353f47ab94bab77d4fa79a49570a8a770a4ba0372408be6ef9af8f131a7ffed

  • SSDEEP

    196608:D+Hi7E7LsX2GHY282Nhg5f4X6JiqO5ftIEDaajLeaK/mQ:aH74mGHQ2NmV4qJDO5ftYH/mQ

Score
10/10
44caliberspywarestealerupx

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1239998001162883183/Prdtl-xV5N5KoPdJjFyeakzF-tcDlNNdpgQa5_WSJhD6azfB04Gi-4sCmpkCOwJ_5MMR

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\leet-cheats-freeware.vmp.exe
    "C:\Users\Admin\AppData\Local\Temp\leet-cheats-freeware.vmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3352
    • C:\Users\Admin\AppData\Local\Temp\2323.exe
      "C:\Users\Admin\AppData\Local\Temp\2323.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4772
    • C:\Users\Admin\AppData\Local\Temp\leet-cheats.exe
      "C:\Users\Admin\AppData\Local\Temp\leet-cheats.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://unicore.cloud/drama
        3⤵
          PID:556
        • C:\Users\Admin\AppData\Local\Temp\loader.data
          "loader.data"
          3⤵
          • Executes dropped EXE
          PID:2336
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4636,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4952 /prefetch:1
      1⤵
        PID:3280
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4800,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:1
        1⤵
          PID:4280
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5104,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:1
          1⤵
            PID:2104
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5424,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:8
            1⤵
              PID:3412
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5436,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:8
              1⤵
                PID:2540
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5928,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:1
                1⤵
                  PID:2532
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5452,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:1
                  1⤵
                    PID:1792
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=4960,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:1
                    1⤵
                      PID:1048
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3888,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3780 /prefetch:8
                      1⤵
                        PID:3068
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4328,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4936 /prefetch:8
                        1⤵
                          PID:2264
                        • C:\Windows\system32\AUDIODG.EXE
                          C:\Windows\system32\AUDIODG.EXE 0x51c 0x4f0
                          1⤵
                            PID:3080
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5788,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:8
                            1⤵
                              PID:3204
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:8
                              1⤵
                                PID:2792

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\2323.exe
                                Filesize

                                303KB

                                MD5

                                6d4d2a454bc8728f442e32c4471abdbd

                                SHA1

                                bfb79b63f606947623c418da921b65dd0a192b5e

                                SHA256

                                926a0c168b569f523cfc1c88586bfaebad3cb5c8348da3978ea27442f49a89bb

                                SHA512

                                ff30db6131e49f51fe9d18c2a3a3218b8b8ebfd7117dce7d9b7f8072b5eba12768e08ec723a0fd3ebd626f056b485bf7d18bd536fb0a3a8eeec88a107bdfe616

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\leet-cheats.exe
                                Filesize

                                6.6MB

                                MD5

                                13950d86cb3748b2a1f535eaace1a3d6

                                SHA1

                                9b1634057a11119ed38d1574bc2db160084cefd3

                                SHA256

                                10328d771df10ba9f20ff5a65046d559bdf35d36855bba0af909febaee9e53a9

                                SHA512

                                6ee06e0576d571f9e2fedbe904ecfab5a83b2fd8adc28d469ab08c728610eab215b8c6946feab8f4e33510978e879c66618225f23c4c3b6dff66b96147fd0964

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\loader.data
                                Filesize

                                5.2MB

                                MD5

                                b86bbb42b26e72a601087f68cda89208

                                SHA1

                                baca49e35da3b83cd56ba579d61f98e9b137debe

                                SHA256

                                320eff01b2a5b520853cd9b0c7486b3d9992dce2f9308f267069a60f88f8deb0

                                SHA512

                                e98dfeb55d6053d6e2ec323f4665b4ea8cdb5bae0807ac70ac5dbb6cf7f3e8e1ba6a2ad099f8232b0e0ca9a738a9baf7d132957fb5d503c78283b229e35ed974

                                Download Submit

                              • memory/2336-59-0x00007FF6835D0000-0x00007FF6841FA000-memory.dmp

                                Filesize

                                12.2MB

                                Download

                              • memory/2964-51-0x00007FF64D200000-0x00007FF64DF23000-memory.dmp

                                Filesize

                                13.1MB

                                Download

                              • memory/3352-20-0x0000000000400000-0x0000000000AF1000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/4772-12-0x000001F346910000-0x000001F346962000-memory.dmp

                                Filesize

                                328KB

                                Download

                              • memory/4772-15-0x00007FFCAD333000-0x00007FFCAD335000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/4772-44-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4772-50-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

                                Filesize

                                10.8MB

                                Download