Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
17-12-2024 22:10
Static task
static1
Behavioral task
behavioral1
Sample
4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe
Resource
win7-20240903-en
General

Target
4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe
Size
646KB
MD5
2eddb25910e24b0aec14096ec42cd9c8
SHA1
8f7a1c205e3b9447d3a433ff5712e0fdd95b7b26
SHA256
4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b
SHA512
986c09949f1c1dad7a57ef95e02f47f58e954ff42d1728fae4ee054fe70d9a45504f78654304307b8c0e1c9e98a97302bd6c2f7b581ed11aa40f9d4e81bdc09a
SSDEEP
12288:pxb63VILe4Ni8zGQa13Rsatd36JBH2YQeQd6m24AWtuzJNvAMNyaS/h:pxe3VIS4N9zGQaJRsUYznXjSiCiy
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1120478623254708224/cU4HxqyVDvr-lsj-hl3z5Ir-g2JNSHG6NQxON392Hdg4s-byv9nMxsyir7Kylc5QEWVh
Signatures

44Caliber family

Executes dropped EXE (2 IoCs)
pid   Process
2564  Windows (2).exe
2604  Windows.exe

Loads dropped DLL (1 IoC)
pid   Process
2168  4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers commonly read the browser's stored profile data, which can include saved credentials, cookies and session tokens, autofill entries and browsing history.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to learn the infected system's external IP. The request itself looks benign, so the useful indicator is the requester: a freshly dropped executable rather than a browser or system component.
flow  ioc
4     freegeoip.app
5     freegeoip.app

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read to fingerprint the host and detect sandboxing or virtualised environments. Reading this key is normal for system binaries; it is only notable here because the reader is a dropped executable in the user's Temp directory.
description        ioc                                                                          Process
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             Windows.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Windows.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
2604  Windows.exe (reported 4 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2604  Windows.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process                                                                 procid_target
PID 2168 wrote to memory of 2564  2168  4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe  30  (reported 3 times)
PID 2564 wrote to memory of 2604  2564  Windows (2).exe                                                         31  (reported 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe"
  PID: 2168
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Windows (2).exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Windows (2).exe"
    PID: 2564 (child of 2168)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Windows.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
      PID: 2604 (child of 2564)
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
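To turn the signatures and process tree above into something that can run over endpoint telemetry, the following is an added example written for this page; it is not code from the Triage report, from the sandbox, or from the 44Caliber family. It replays constructed Sysmon-style events (ProcessCreate, RegistryEvent, DnsQuery plus a proxy-style HTTP record) and scores each PID on the behaviours the report flags. The event schema and field names, the helper functions and the HTTP request to the webhook are assumptions for the illustration (the report lists the webhook in the extracted config but does not show the request); the image paths, PIDs, registry key, IP-lookup domain and webhook URL are the values from the report.

```python
import re
from collections import defaultdict

# Constructed events (not taken from the sandbox output), shaped after Sysmon
# ProcessCreate, RegistryEvent, DnsQuery and a proxy-style HTTP record. The
# HTTP event is an assumed exfil attempt to the webhook from the extracted
# config; the report itself does not show that request.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Windows (2).exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\Windows.exe"

EVENTS = [
    {"type": "process_create", "pid": 2564, "image": DROPPER, "parent_image": SAMPLE},
    {"type": "process_create", "pid": 2604, "image": PAYLOAD, "parent_image": DROPPER},
    {"type": "registry_query", "pid": 2604, "image": PAYLOAD,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
    {"type": "dns_query", "pid": 2604, "image": PAYLOAD, "query": "freegeoip.app"},
    {"type": "http_request", "pid": 2604, "image": PAYLOAD,
     "url": "https://discord.com/api/webhooks/1120478623254708224/cU4HxqyVDvr-lsj-hl3z5Ir-g2JNSHG6NQxON392Hdg4s-byv9nMxsyir7Kylc5QEWVh"},
    # Benign control: a system binary reading the same CPU key must not fire.
    {"type": "registry_query", "pid": 1400, "image": r"C:\Windows\explorer.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "Windows.exe" / "Windows (2).exe": OS-sounding names that no real OS component uses
LOOKALIKE_RE = re.compile(r"\\Windows( \(\d+\))?\.exe$", re.IGNORECASE)
CPU_KEY_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.IGNORECASE)
WEBHOOK_RE = re.compile(r"^https://discord\.com/api/webhooks/\d+/", re.IGNORECASE)
IP_LOOKUP_DOMAINS = {"freegeoip.app"}  # only the service seen in this report; extend from your own intel


def score_events(events):
    """Map pid -> list of matched indicators. Every rule is gated on the image
    living under %TEMP%: each behaviour on its own is common in legitimate
    software, and the report's real signal is the combination."""
    findings = defaultdict(list)
    for ev in events:
        if not TEMP_RE.search(ev["image"]):
            continue
        kind = ev["type"]
        if kind == "process_create":
            if LOOKALIKE_RE.search(ev["image"]):
                findings[ev["pid"]].append("OS-lookalike name launched from %TEMP%")
            if TEMP_RE.search(ev["parent_image"]):
                findings[ev["pid"]].append("Temp-to-Temp process chain (dropped EXE)")
        elif kind == "registry_query" and CPU_KEY_RE.search(ev["key"]):
            findings[ev["pid"]].append("reads CentralProcessor identifier (sandbox check)")
        elif kind == "dns_query" and ev["query"].lower() in IP_LOOKUP_DOMAINS:
            findings[ev["pid"]].append("external IP lookup via web service")
        elif kind == "http_request" and WEBHOOK_RE.match(ev["url"]):
            findings[ev["pid"]].append("Discord webhook used from a dropped binary (exfil channel)")
    return dict(findings)


def suspicious_pids(events, min_indicators=2):
    """PIDs with at least `min_indicators` distinct hits; a single hit is too noisy to alert on."""
    return sorted(pid for pid, hits in score_events(events).items() if len(hits) >= min_indicators)


if __name__ == "__main__":
    for pid, hits in score_events(EVENTS).items():
        print(pid, hits)
    print("alert on:", suspicious_pids(EVENTS))
```

Running it flags 2564 (two indicators) and 2604 (five), while explorer.exe reading the same CentralProcessor key stays silent. The Temp-path gate is what keeps the CPU-key and IP-lookup rules from paging on every legitimate process; in production, add the webhook ID from the extracted config as an exact-match network IOC as well, since the generic webhook pattern will also match legitimate Discord integrations.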
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  418B
MD5       1288b576708a2497cb3585dd84ea8116
SHA1      1de0cf990e5a0ed4b11b2d99b76fbf0ef6d0ec0f
SHA256    9d03d85e1a4da4c3ee99e34e32fa31e79e7b3084cceb036522b5b7e939009ae1
SHA512    d8ba1f70848695510d58a3b6f97ca3b076bf50824e4d9cb9fd06305ec752a1545f5d9af82750500952cd7829293ea3f99428dc46ad993acc57461300f7ce839f

Filesize  274KB
MD5       4fc218b2cfdb1ad177f035002cdcaddd
SHA1      e0ccc3dcac93a0c9e14799217bc5dff557d5079b
SHA256    c1996926fd51f8418e9095057b145e173b2b182c33c12aebd36500446ef0c55d
SHA512    d114ec692399ee7b9b5cd8b7e88e6e6c0a70569d910a2ba7ef8ec3c56aa23267a60d991dca33a66ece270ae882c65735c1a144a65bebd0d7c618262f4569e5ef

Filesize  540KB
MD5       ff406dfb1d83072ed678d823b5bc263c
SHA1      25f025bfc7297253817997db50b0970d863095e3
SHA256    dd1612a4bcd13f52a832f4759cfc0b6905b617445dbf36cde4495db5c647d178
SHA512    e9217f9c8b3167309b7f9dcc62f97140ee6791b7850dd1b27874df1d021c7cb7afe2bee7e5d41d33731e6dde7bc004cee092e1fa007d76af910806fa678804d2