Analysis Overview
SHA256
2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33
Threat Level: Known bad
The file 2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe was found to be: Known bad.
Malicious Activity Summary
44Caliber
44Caliber family
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 23:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-20 23:57
Reported
2024-11-21 00:00
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
44Caliber
44Caliber family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe
"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4860-0-0x00007FFC0F873000-0x00007FFC0F875000-memory.dmp
memory/4860-1-0x0000000000AD0000-0x0000000000B6E000-memory.dmp
memory/4860-2-0x000000001B920000-0x000000001BA0A000-memory.dmp
memory/4860-3-0x00000000012F0000-0x00000000012F6000-memory.dmp
memory/4860-34-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp
C:\Users\Admin\AppData\Roaming\44\Process.txt
| Hash | Value |
| --- | --- |
| MD5 | 7af0fcb2bc6365a97066fa771faf0710 |
| SHA1 | a0f0b5751ecb3c820a2d49685a38a4da26da81f7 |
| SHA256 | 530b3cfe11feef4e019825c97a2260cbd39df4257a57f0d449ca898f49562e1c |
| SHA512 | da81d7af301497fb2d002269a09b6af818e97efcfa636d9b5f48f7c870b66a53186fb78aead5f9c93dbd9e89de1955ed07c9cb0c927b40175be35a37af10c70b |
memory/4860-122-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 23:57
Reported
2024-11-21 00:00
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
44Caliber
44Caliber family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe
"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
Files
memory/1692-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp
memory/1692-1-0x00000000012F0000-0x000000000138E000-memory.dmp
memory/1692-2-0x000000001ADF0000-0x000000001AEDA000-memory.dmp
memory/1692-3-0x00000000003A0000-0x00000000003A6000-memory.dmp
memory/1692-4-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp
C:\Users\Admin\AppData\Local\44\Process.txt
| Hash | Value |
| --- | --- |
| MD5 | 29573c990fc92333f6449eb23563d8d1 |
| SHA1 | 3f97c7b46f23cc73be779cd81774f7dd57bc27f3 |
| SHA256 | 6fcddb4989fbaf0df90de2b2d47b03fb23a2c92f1f9d73fbe38f4eb63934b042 |
| SHA512 | d8b180487cb6b3186f801eb6a9beea521b93ef23b44871656b3d0b7dd9856c1a02adfb4e1b9f2f7ba760af1c485ec3cc1e0ea3e12d7f53353ac17119e21026ec |
memory/1692-53-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp