Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 22:14
Static task: static1
Behavioral task: behavioral1
Sample: 4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe
Resource: win7-20240903-en
General
Target: 4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe
Size: 646KB
MD5: 2eddb25910e24b0aec14096ec42cd9c8
SHA1: 8f7a1c205e3b9447d3a433ff5712e0fdd95b7b26
SHA256: 4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b
SHA512: 986c09949f1c1dad7a57ef95e02f47f58e954ff42d1728fae4ee054fe70d9a45504f78654304307b8c0e1c9e98a97302bd6c2f7b581ed11aa40f9d4e81bdc09a
SSDEEP: 12288:pxb63VILe4Ni8zGQa13Rsatd36JBH2YQeQd6m24AWtuzJNvAMNyaS/h:pxe3VIS4N9zGQaJRsUYznXjSiCiy
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1120478623254708224/cU4HxqyVDvr-lsj-hl3z5Ir-g2JNSHG6NQxON392Hdg4s-byv9nMxsyir7Kylc5QEWVh
Signatures

44Caliber family

Executes dropped EXE (2 IoCs)
pid   Process
2692  Windows (2).exe
2576  Windows.exe

Loads dropped DLL (1 IoC)
pid   Process
2300  4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     freegeoip.app
5     freegeoip.app

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                          Process
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             Windows.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Windows.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
2576  Windows.exe
2576  Windows.exe
2576  Windows.exe
2576  Windows.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2576  Windows.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process                                                                 procid_target
PID 2300 wrote to memory of 2692  2300  4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe  30
PID 2300 wrote to memory of 2692  2300  4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe  30
PID 2300 wrote to memory of 2692  2300  4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe  30
PID 2692 wrote to memory of 2576  2692  Windows (2).exe                                                         31
PID 2692 wrote to memory of 2576  2692  Windows (2).exe                                                         31
PID 2692 wrote to memory of 2576  2692  Windows (2).exe                                                         31
Processes

C:\Users\Admin\AppData\Local\Temp\4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b1765e35f418e7a5698fd5709c11b98c6c4aff2637db48a7ad7b59a14b67b8b.exe"
  PID: 2300
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Windows (2).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Windows (2).exe"
    PID: 2692
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Windows.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
      PID: 2576
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 418B
MD5: 33846eb380a27f84479986af7f1935bc
SHA1: 489ffd5dc723c612ea1c88b351532afb4f17c680
SHA256: 75d9ef67ac15190f476c0277053e24f77cbf2cbef00dfa0e8c9aea86f3fce728
SHA512: c49ede38e1a667ffb0974ff88a6b46da8f9eb5393cf2aa6b082f8ce92e31ea2aa97c33758273764152e761f78902537a4078c73553627b04b82b449f2957362e

Filesize: 274KB
MD5: 4fc218b2cfdb1ad177f035002cdcaddd
SHA1: e0ccc3dcac93a0c9e14799217bc5dff557d5079b
SHA256: c1996926fd51f8418e9095057b145e173b2b182c33c12aebd36500446ef0c55d
SHA512: d114ec692399ee7b9b5cd8b7e88e6e6c0a70569d910a2ba7ef8ec3c56aa23267a60d991dca33a66ece270ae882c65735c1a144a65bebd0d7c618262f4569e5ef

Filesize: 540KB
MD5: ff406dfb1d83072ed678d823b5bc263c
SHA1: 25f025bfc7297253817997db50b0970d863095e3
SHA256: dd1612a4bcd13f52a832f4759cfc0b6905b617445dbf36cde4495db5c647d178
SHA512: e9217f9c8b3167309b7f9dcc62f97140ee6791b7850dd1b27874df1d021c7cb7afe2bee7e5d41d33731e6dde7bc004cee092e1fa007d76af910806fa678804d2