Analysis

  • max time kernel
    1563s
  • max time network
    1568s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 06:41

General

  • Target

    Loader-Nursultan-Alpha-Crack-1.16.5.exe

  • Size

    303KB

  • MD5

    bce82a7d5c999458d5203188f0e0e8a1

  • SHA1

    09dc59aa71789fc65c4498b80e3ff3d36fce9dfc

  • SHA256

    0e01cc82039241dbd9a4c6f1f52939d32a5695352b3de5c3e93cc5a6042f88f7

  • SHA512

    860bcb01c8d892649bf8a15dd7244cf1f87ca951ebefe7927269325daed82737670c8c4ba77db435d60fa34b5a9bba49145c9500e008e6fdf520002da9a809d1

  • SSDEEP

    6144:ddFT6MDdbICydeBvRaifWp93duo6rmA1D0xUW:ddzJaifWz3XQ1DdW

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/1261126255034634252/6og2rIiqe6SUACRdn_f3T-i6qHZYEDXPnwESG5TW3Akw-m2wqAcNQNDwZl1UfusAgpnD

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader-Nursultan-Alpha-Crack-1.16.5.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader-Nursultan-Alpha-Crack-1.16.5.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2388 -s 1036
      2⤵
        PID:2000

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2388-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

      Filesize

      4KB

    • memory/2388-1-0x0000000000CB0000-0x0000000000D02000-memory.dmp

      Filesize

      328KB

    • memory/2388-19-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB

    • memory/2388-20-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

      Filesize

      4KB

    • memory/2388-21-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB