Analysis
- max time kernel: 1200s
- max time network: 1213s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21/10/2021, 09:41
- static task: static1
General
- Target: 80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe
- Size: 273KB
- MD5: 54cd7479c93e54ce8c9784b8b1a0392b
- SHA1: c3e15e023c4ae835789b82befbe328ae137417ea
- SHA256: 80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764
- SHA512: cea67d7c1094b107a83c607196d9d4d16e0d7d6b7e5cdaa81d83e52422a9194203680d65b44c106c46a8e47dc6251fe292930e9fcc8b757b7d5242383286afbb
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 10003
- C2: 127.0.0.1
Attributes
- build: 214711
- dga_base_url: z1.zedo.com/robots.txt
- dga_crc: 0xf24ca29e
- exe_type: worker
- server_id: 12
- rsa_pubkey.plain
- serpent.plain
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  788 | Bitshost.exe
- resource | yara_rule
  behavioral1/files/0x000400000001abb5-121.dat | upx
  behavioral1/files/0x000400000001abb5-122.dat | upx
- Deletes itself (1 IoCs)
  pid | Process
  788 | Bitshost.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abovsapi = "C:\\Users\\Admin\\AppData\\Roaming\\capasnap\\Bitshost.exe" | 80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 788 set thread context of 4500 | 788 | Bitshost.exe | 74
  PID 4500 set thread context of 2452 | 4500 | svchost.exe | 26
  PID 2452 set thread context of 3592 | 2452 | Explorer.EXE | 24
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  788 | Bitshost.exe
  788 | Bitshost.exe
  2452 | Explorer.EXE
  2452 | Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2452 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | Process
  788 | Bitshost.exe
  4500 | svchost.exe
  2452 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2452 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2452 | Explorer.EXE
  Token: SeShutdownPrivilege | 2452 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2452 | Explorer.EXE
  Token: SeShutdownPrivilege | 2452 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2452 | Explorer.EXE
  Token: SeShutdownPrivilege | 2452 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2452 | Explorer.EXE
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2452 | Explorer.EXE
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 3572 wrote to memory of 4332 | 3572 | 80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe | 70
  PID 3572 wrote to memory of 4332 | 3572 | 80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe | 70
  PID 3572 wrote to memory of 4332 | 3572 | 80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe | 70
  PID 4332 wrote to memory of 4448 | 4332 | cmd.exe | 72
  PID 4332 wrote to memory of 4448 | 4332 | cmd.exe | 72
  PID 4332 wrote to memory of 4448 | 4332 | cmd.exe | 72
  PID 4448 wrote to memory of 788 | 4448 | cmd.exe | 73
  PID 4448 wrote to memory of 788 | 4448 | cmd.exe | 73
  PID 4448 wrote to memory of 788 | 4448 | cmd.exe | 73
  PID 788 wrote to memory of 4500 | 788 | Bitshost.exe | 74
  PID 788 wrote to memory of 4500 | 788 | Bitshost.exe | 74
  PID 788 wrote to memory of 4500 | 788 | Bitshost.exe | 74
  PID 788 wrote to memory of 4500 | 788 | Bitshost.exe | 74
  PID 788 wrote to memory of 4500 | 788 | Bitshost.exe | 74
  PID 4500 wrote to memory of 2452 | 4500 | svchost.exe | 26
  PID 4500 wrote to memory of 2452 | 4500 | svchost.exe | 26
  PID 4500 wrote to memory of 2452 | 4500 | svchost.exe | 26
  PID 2452 wrote to memory of 3592 | 2452 | Explorer.EXE | 24
  PID 2452 wrote to memory of 3592 | 2452 | Explorer.EXE | 24
  PID 2452 wrote to memory of 3592 | 2452 | Explorer.EXE | 24
Processes
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3592
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 2452
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe"
    PID: 3572
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B36E\D9B7.bat" "C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\80E3A5~1.EXE""
      PID: 4332
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C ""C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\80E3A5~1.EXE""
        PID: 4448
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
          command line: "C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\80E3A5~1.EXE"
          PID: 788
          - Executes dropped EXE
          - Deletes itself
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            PID: 4500
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory