Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

07b03eeff0...e9.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    72s
  • max time network
    70s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31/01/2025, 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07b03eeff0d15ffa67346df3c0d0aceaa18be760811579e274066f3f2c5ec9e9.exe

  • Size

    1.7MB

  • MD5

    8919a3ebfb67cc3d12f475baa82ca476

  • SHA1

    0e6aa733c49dc293f2936b32600390cedb0767ae

  • SHA256

    07b03eeff0d15ffa67346df3c0d0aceaa18be760811579e274066f3f2c5ec9e9

  • SHA512

    eac4ba93e8f84413a4d5a4e590263c493011cdfa2a6b96dee2222930a22c30ef885d4651d0783b10c26b8b75cc1f61c32302671dcf9de9f1a3dd19a29c1d1593

  • SSDEEP

    24576:rcbD/3+3Nb8c6xUN8c/CNlSC3Af8XwYJs4nUAo3E5IuquLJlxpCp8zMgNFLtU5Vp:rcbz+3H6NXL3cYi4nUpmIm2BIG5VBj

Score
10/10
44caliberdiscoveryspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://ptb.discord.com/api/webhooks/1191727961125158913/AO3r_s05R0U-6xEmnSGeaNuYUkFwxvk1U1oYOinVZKjPH9PGr5fHvc41o-BfoHkgQRjS

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • 44Caliber family
    44caliber
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 38 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07b03eeff0d15ffa67346df3c0d0aceaa18be760811579e274066f3f2c5ec9e9.exe
    "C:\Users\Admin\AppData\Local\Temp\07b03eeff0d15ffa67346df3c0d0aceaa18be760811579e274066f3f2c5ec9e9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3388
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3312
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\InstallUpdate.cmd
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1204
  • C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2852
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:4820
  • C:\Windows\system32\control.exe
    "C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4988
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1588
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\ProgramData\44\Process.txt
    Filesize

    1KB

    MD5

    8afe145407231d996cb2efed00250273

    SHA1

    cdf1fef5a3adc11073a8e7ddf47438c914daea32

    SHA256

    49a392dbcd86684338f6cf81ca6ec18b31ab608354fe9949d1bd53d6c38d29b7

    SHA512

    6d176e90ef500994b7766345d07c27bf392b1e0fb7145bfb8ac28e8e6e0c91419f9ab64d18960729416a91a5e38ffde07fd37864b7c195db16d639b6f53789c2

    Download Submit

  • C:\ProgramData\44\Process.txt
    Filesize

    765B

    MD5

    eb8043846caf31483f3c9d2874bfe29d

    SHA1

    b903e9e075899be8dd1c10bc127f903a475fd33e

    SHA256

    b4e7f30d1c3dd31a8b97a61eaf63d8a84a25ed168f44d0980a6238ab1039a98c

    SHA512

    ee303faba59b55d9314eea30c764abebb9b9209f6dabe5f2d2d1d7226f3379c1fa04874d871079a2c2b0486eafd8f62da4af4137ecce120e655b88e67ca47327

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    28KB

    MD5

    09d642aefcb8618fa681adbbc0bf75a6

    SHA1

    85814a5700b4d78364fdb781c56f0ec23844b1a2

    SHA256

    bb379f027935fae8f0e4c1768683e20675a0526f98ac4684dafca4c9501d81c5

    SHA512

    2154eb7b0c316d9542176dd98849ff83d91c16d1fa9685268f33849ff88b0ad350834a7890a094c2a33eceb68fa49b2a82111a02ce53f715a29b7ee0caa65833

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\81bcf342-e591-4493-9dcf-307a7d14a45a.down_data
    Filesize

    555KB

    MD5

    5683c0028832cae4ef93ca39c8ac5029

    SHA1

    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

    SHA256

    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

    SHA512

    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
    Filesize

    1.2MB

    MD5

    23d86a9388b2473d0b8c8d8c75de793c

    SHA1

    d7938fb0ddaeed76d6ead3ad9ed030934603247e

    SHA256

    9633ed8a684b052247e4850948b3e8b33c428066eb1c32179c547f477c5dfaf7

    SHA512

    7115b93efbb44ab74b157d683a61bb4e8dbf6faac46516916cb95ef310b1ccb587ff638113ffbb76530a936ee5358562132475de74710ff64e27d5add68d842d

    Download Submit

  • memory/1236-190-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1236-187-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1236-186-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1236-179-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1236-185-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1236-189-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1236-180-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1236-178-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1236-188-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1236-184-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2852-140-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-141-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-139-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-142-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-143-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-144-0x00007FFF63FE0000-0x00007FFF63FF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-145-0x00007FFF63FE0000-0x00007FFF63FF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-168-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-169-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-170-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-167-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3312-138-0x0000000072B20000-0x00000000732D1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3312-137-0x0000000000CD0000-0x00000000010B6000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3312-134-0x0000000000CD0000-0x00000000010B6000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3312-133-0x0000000009850000-0x00000000098B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3312-52-0x00000000098F0000-0x0000000009E96000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3312-41-0x00000000081B0000-0x0000000008242000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3312-27-0x0000000072B20000-0x00000000732D1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3312-17-0x0000000000CD0000-0x00000000010B6000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3312-16-0x0000000072B2E000-0x0000000072B2F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3312-14-0x0000000000CD0000-0x00000000010B6000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3312-13-0x0000000000A00000-0x0000000000A01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3312-12-0x0000000000CD0000-0x00000000010B6000-memory.dmp

    Filesize

    3.9MB

    Download