Overview

overview

10

Static

static

3

ovisetup.exe

windows7-x64

10

ovisetup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-06-2024 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ovisetup.exe

  • Size

    3.7MB

  • MD5

    706efb0990f7aa5332f8ef6f3b1c5993

  • SHA1

    ad57d0f430a79cbd1a1fcf27907bd15894103b13

  • SHA256

    bb5c467c398cbbb648668f5aaec8da190eab2de1fb2ee47d0e03b01483b4f53e

  • SHA512

    3a050d8854f8b8915ccbcb79a4883547b0e408c9ca327a0793cf21c7acddab4cde3f3619b741eb37b3dc98211ae0d7b65cea0f57a11b6bfc5d054c0fd3497233

  • SSDEEP

    98304:GVGtaEm35Jo2PTZpZq49ACYc18nxIusLz6cMlGWwH/gZGcg:SGtdz2PzA49AFcinbsLz84rfwGR

Score
10/10
44caliberevasionspywarestealertrojan

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1140967450750484572/9nxWu2w_HfkHC1lMMNnzNPxLArNJ-MGc7djzUyKDcKdtmuzCF7HY_Gilg6rdXdzPw-v4

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ovisetup.exe
    "C:\Users\Admin\AppData\Local\Temp\ovisetup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\cheats.exe
      "C:\Users\Admin\AppData\Local\Temp\cheats.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3852
    • C:\Users\Admin\AppData\Local\Temp\vanishvpn.exe
      "C:\Users\Admin\AppData\Local\Temp\vanishvpn.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4836
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2372
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4068
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4508

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Unsecured Credentials

      2
      T1552

      Credentials In Files

      2
      T1552.001

      Discovery

      Query Registry

      5
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      6
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\cheats.exe
        Filesize

        274KB

        MD5

        e7e9740dac490c26ac841fb3cbdcd130

        SHA1

        3747c1931aaf82a234b97369c58f36a98a9c8453

        SHA256

        d1db9e33522f50a835616658c4fd2831d87fa9db303bdf9e4571d45f94977a42

        SHA512

        eb12a5a86ed17ce5541d3bc3333a9b7f81fbdda99aa4f5bc5750ff83741e9678ac73d85c5d83337cb36851411a7704f9e3f72fb67216816a452694becdc8b7de

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\vanishvpn.exe
        Filesize

        4.3MB

        MD5

        8b46261cdc4e3e422295a4d5031acf7c

        SHA1

        8baa5f9a0e01cfadf533d47d941e2aad779b5774

        SHA256

        4a3ea8123316dd531d080ebd15f50dd1448e7d443c45c81d59556efb7265900f

        SHA512

        20ead053166527914d2d95b5360b49093c35ba4b283fa24479bd0bc4bff426135a2076da3f2ef36bf2d875a454bd71bc785b2c79833ee46804e4cc066a25f796

        Download Submit
      • C:\Users\Admin\AppData\Roaming\44\Process.txt
        Filesize

        1KB

        MD5

        06d2db312383bb3ae3bbb1fe00a99f8b

        SHA1

        4bd3bed39a3e5ca0f0326e05edfbb85653331d2a

        SHA256

        f72c7ffe945a7a5e8e39d73be15aa459d5c12735a8972dad57dc5e151894db5a

        SHA512

        dc109b0391fcc062795b1196f1a7c8973461da4b4037d288a0683e66bd0d5e6b1147d187584140f56ee19ff42cdbf7fdad2ab00a6d032d071b9197c34be2425f

        Download Submit
      • memory/2372-60-0x0000013901FE0000-0x0000013901FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2372-58-0x0000013901FE0000-0x0000013901FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2372-50-0x0000013901FE0000-0x0000013901FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2372-49-0x0000013901FE0000-0x0000013901FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2372-61-0x0000013901FE0000-0x0000013901FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2372-55-0x0000013901FE0000-0x0000013901FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2372-59-0x0000013901FE0000-0x0000013901FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2372-51-0x0000013901FE0000-0x0000013901FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2372-57-0x0000013901FE0000-0x0000013901FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2372-56-0x0000013901FE0000-0x0000013901FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3852-18-0x0000024C76620000-0x0000024C7666A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/4836-46-0x00007FF75A8E0000-0x00007FF75B181000-memory.dmp
        Filesize

        8.6MB

        Download
      • memory/4836-160-0x00007FF75A8E0000-0x00007FF75B181000-memory.dmp
        Filesize

        8.6MB

        Download
      • memory/4836-162-0x00007FF75A8E0000-0x00007FF75B181000-memory.dmp
        Filesize

        8.6MB

        Download