Analysis Overview
SHA256
2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33
Threat Level: Known bad
The file 2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe was found to be: Known bad.
Malicious Activity Summary
44Caliber
44Caliber family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Unsigned PE
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 23:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 23:48
Reported
2024-11-20 23:50
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
44Caliber
44Caliber family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe
"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
Files
C:\ProgramData\44\Process.txt
| Hash | Value |
| --- | --- |
| MD5 | 1357232bf43d13b6c747d89269606d4e |
| SHA1 | ca60f9f4e66ae29e5e42b9a090843164ae52a97a |
| SHA256 | fa17fdba9f99d079fa10e6de88956432911137b7cb98a8d10aa3b690664de7bd |
| SHA512 | 24982dd76cc4b4e306df046a747c28b6c0bb2f700ae70e6b669d01ca23981f63c40121e8b84ac046f575da32bc031a44a4a952554899da86ac8cdea8117f559a |
C:\ProgramData\44\Process.txt
| Hash | Value |
| --- | --- |
| MD5 | 63f3b6444ac808057107c3e845b8682d |
| SHA1 | 8fad5d204c5e88195e55d90528f97c5d8daa3981 |
| SHA256 | 44280d58112b1717d28583a3d72433626b7c027d3831ce9f45e45319962b7fe3 |
| SHA512 | 3e273580c6be0487571f16c443cd53f5e0e8792d2661d01944a6968e38c5dee978309c52e940198813227ff7644eb7df4a18ae75350b5fa607dd54522b3c0dbb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-20 23:48
Reported
2024-11-20 23:50
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
44Caliber
44Caliber family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe
"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
Files
C:\ProgramData\44\Process.txt
| Hash | Value |
| --- | --- |
| MD5 | 0f3e844bc73a7a287e6a9062f8daa45a |
| SHA1 | 91b664f8bd1be5ea7fee62722041c5c0ae53d8e8 |
| SHA256 | bf02fd2fe5f6f94f0ebdc1c24382060de1c37394b25851432fd1cc76e46edca5 |
| SHA512 | bbd58fd649c36b061f9a5d76ae48a7d977d65228f3a816b62c7370482b95d0e20b94bd25e143bd26f9375018693d8dfb4ee81e4f683ec120722221f7b4302440 |
C:\ProgramData\44\Process.txt
| Hash | Value |
| --- | --- |
| MD5 | fc22d6fe015bd52de4a43aa81c8cba4a |
| SHA1 | 7af3a3db73313563bed56e0234d61bc3afda90d5 |
| SHA256 | af28c2530b1421edb1ffc1c7a45e0d1404d6a4cee5eff101b4e7affd3e8b2c0a |
| SHA512 | dfb53eaa9e0af66302b6b90e33b224fdca8a958dd1b103b3d284dff7ab9d2b3ff30461793ac4269f56f8c9ab6cfef149f965e5d62cdbe38769146bb96628fd37 |