44caliber | 99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082

Reason

Machine shutdown

General

Target

fix.exe
Size

35KB
MD5

83bbe29b99a54bad48074efb72ce1fcc
SHA1

421deeba13130a8eebacc8c7f48f28e6fe8485f2
SHA256

99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082
SHA512

67fe2ac907c297cd3c4d1af7f80257b468bc4e73cab428568ea1238d41cd8c43262765a0b0d43b2accb003901a66e9e7ec162fefda2fd89040697e1e168ac27f
SSDEEP

768:ChiLce92aOrsQiUy5FyS9ZL6LOjhibold:ChkceWsQi5FT9ZL6LOjGo7

Score

10^/10

44caliber xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

20.ip.gl.ply.gg:53765

Mutex

JCfj6Aifpywc6Ul9

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/1257280785476489217/L0UpV_ifGB55FAhZrd11A9RdK3XS9SxV4y_plmFbDZcUnmaJOTP9fgCIl4fpiKvDuv1o

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2764-1-0x0000000000AD0000-0x0000000000AE0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2948 powershell.exe
2648 powershell.exe
2520 powershell.exe
2536 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

ltxxor.exe

pid process

660 ltxxor.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2948	powershell.exe
2648	powershell.exe
2520	powershell.exe
2536	powershell.exe

pid	process
660	ltxxor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fix.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	fix.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeltxxor.exe

pid process

2948 powershell.exe
2648 powershell.exe
2520 powershell.exe
2536 powershell.exe
660 ltxxor.exe
660 ltxxor.exe
660 ltxxor.exe

flow	ioc
5	freegeoip.app

pid	process
2948	powershell.exe
2648	powershell.exe
2520	powershell.exe
2536	powershell.exe
660	ltxxor.exe
660	ltxxor.exe
660	ltxxor.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

fix.exepowershell.exepowershell.exepowershell.exepowershell.exeltxxor.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	2764	fix.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2764	fix.exe
Token: SeDebugPrivilege	660	ltxxor.exe
Token: SeShutdownPrivilege	2644	shutdown.exe
Token: SeRemoteShutdownPrivilege	2644	shutdown.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

fix.exeltxxor.exe

description	pid	process	target process
PID 2764 wrote to memory of 2948	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2948	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2948	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2648	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2648	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2648	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2520	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2520	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2520	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2536	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2536	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 2536	2764	fix.exe	powershell.exe
PID 2764 wrote to memory of 660	2764	fix.exe	ltxxor.exe
PID 2764 wrote to memory of 660	2764	fix.exe	ltxxor.exe
PID 2764 wrote to memory of 660	2764	fix.exe	ltxxor.exe
PID 660 wrote to memory of 872	660	ltxxor.exe	WerFault.exe
PID 660 wrote to memory of 872	660	ltxxor.exe	WerFault.exe
PID 660 wrote to memory of 872	660	ltxxor.exe	WerFault.exe
PID 2764 wrote to memory of 2644	2764	fix.exe	shutdown.exe
PID 2764 wrote to memory of 2644	2764	fix.exe	shutdown.exe
PID 2764 wrote to memory of 2644	2764	fix.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\ltxxor.exe
  "C:\Users\Admin\AppData\Local\Temp\ltxxor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 660 -s 1116
    3⤵
    PID:872
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2744

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ltxxor.exe

Filesize
303KB

MD5
89069c3d83c29f44929e8f73e5672643

SHA1
8d2808c427dc3a039de3ab0902c7454d46d2a4a4

SHA256
69c4efe455f5c826e1c9df05518546a282efd01513c5ac811a9399f74e494216

SHA512
c81dd0189efc4e92813f4e9f224c59a246e8bec8b19185cc0a43da909a5acead5378b6b126bece793cd3d17fc25cf2f8a29d2a74169557317cf57252716beb08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
99534f87403ab744a3547cc264cd456f

SHA1
da143d570f2b5262e5b6e7d00ffe8cda7ebb62de

SHA256
2874935777214d6774a81bd2b2addd0b204d3e8cce6c816603e785a407ef1405

SHA512
0539c4a261beb09956a5cf9e8e538322bd0179dc6c4272caeddbfe81dc060e5bcaff4223fd8876da2e99fbab5658c969b66e9e5fbce21cfb43fe25beecaefef6

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/660-37-0x00000000001F0000-0x0000000000242000-memory.dmp

Filesize
328KB

Download
memory/2648-14-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2648-15-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2764-28-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/2764-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/2764-29-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/2764-30-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2764-31-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/2764-1-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/2948-8-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2948-7-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2948-6-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads