Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11-11-2024 15:17
Behavioral task
behavioral1
Sample
startme2.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
startme2.exe
-
Size
303KB
-
MD5
7daba3f3dfb34fcc115e21d6ebb7f31e
-
SHA1
4a51dcb05ae0f1b2f67ade4840d3e8a39967a6ed
-
SHA256
8bc4f4545561e21cdd577b644d7a5d8f4c19e026b967d6273577d4882f85d178
-
SHA512
d7f57cc4b769685598097b8e9463471c2d0ab63753b4486b13e9c6ae6d70dc6aa41562ee5e050f9bab572e9fa1d25b360ca710ad7df4c6d06a819bbf21fb1e99
-
SSDEEP
6144:lXt3T6MDdbICydeBimcmXKhJUPw6hmA1D08nx:lXttpcmXKnUoa1DPx
Malware Config
Extracted
Family
44caliber
C2
https://discord.com/api/webhooks/1290668556769427476/ri8OyKleH8ERz74URwMZpANFiRTeYD63D7NjwJsY5WG8j240BRZlOokdLv5NIuZDqhnK
Signatures
-
44Caliber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2332 startme2.exe 2332 startme2.exe 2332 startme2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2332 startme2.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2332 wrote to memory of 2564 2332 startme2.exe 30 PID 2332 wrote to memory of 2564 2332 startme2.exe 30 PID 2332 wrote to memory of 2564 2332 startme2.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\startme2.exe"C:\Users\Admin\AppData\Local\Temp\startme2.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2332 -s 11882⤵PID:2564
-