Analysis
max time kernel: 1199s
max time network: 1213s
platform: windows10_x64
resource: win10-en-20210920
submitted: 22-10-2021 09:09
Static task: static1
Behavioral task: behavioral1
Sample: b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
Resource: win10-en-20210920
General
Target: b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
Size: 838KB
MD5: 5cd80a6332974451ccdaa37c11993cc9
SHA1: d5577ac65719ece5d37277a3d2451ab2855979ee
SHA256: b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade
SHA512: 1f29b0bbbd86b4783e0f05e69f037df7719d2ecae76839a902d74579b09f2b4ca0a1ba7e7305a42642a7a99f416a29a6617d96e72c2ee99a2f8eaff36556e886
Malware Config
Extracted
gozi_ifsb
build: 216881
Signatures
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1956  Bitshost.exe
  1076  Bitshost.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  2764  helper.exe
  2764  helper.exe
  2764  helper.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abovsapi = "C:\\Users\\Admin\\AppData\\Roaming\\capasnap\\Bitshost.exe"  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
Suspicious use of SetThreadContext (7 IoCs)
Processes:
  description                           pid   process                                                                            target process
  PID 2092 set thread context of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 1956 set thread context of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1076 set thread context of 1680   1076  Bitshost.exe                                                                       svchost.exe
  PID 1680 set thread context of 3068   1680  svchost.exe                                                                        Explorer.EXE
  PID 3068 set thread context of 3464   3068  Explorer.EXE                                                                       RuntimeBroker.exe
  PID 3068 set thread context of 1392   3068  Explorer.EXE                                                                       WinMail.exe
  PID 3068 set thread context of 2748   3068  Explorer.EXE                                                                       firefox.exe
Drops file in Windows directory (4 IoCs)
Processes:
  description   ioc                                                       process
  File created  C:\Windows\rescache\_merged\3720402701\2274612954.pri  SystemSettings.exe
  File created  C:\Windows\rescache\_merged\2717123927\1713683155.pri  SystemSettings.exe
  File created  C:\Windows\rescache\_merged\2717123927\1713683155.pri  Explorer.EXE
  File created  C:\Windows\rescache\_merged\3060194815\335381474.pri   SystemSettings.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                                                   process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000                        Bitshost.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName           Bitshost.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000                SystemSettings.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID     SystemSettings.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000                        SystemSettings.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID             SystemSettings.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000                        b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName           b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              firefox.exe
Modifies registry class (6 IoCs)
Processes:
  description  ioc                                                                                                                                                                                                          process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance                                                                                                                     Explorer.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings                                                                                                                         firefox.exe
  Key created  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen  Explorer.EXE
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance                                                                                                                     Explorer.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance                                                                                  Explorer.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings                                                                                                                         SystemSettings.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  1076  Bitshost.exe
  1076  Bitshost.exe
  3068  Explorer.EXE
  3068  Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  3068  Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process
  1076  Bitshost.exe
  1680  svchost.exe
  3068  Explorer.EXE
  3068  Explorer.EXE
  3068  Explorer.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                       pid   process
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeDebugPrivilege           2764  helper.exe
  Token: SeDebugPrivilege           2764  helper.exe
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeTakeOwnershipPrivilege   3068  Explorer.EXE
  Token: SeRestorePrivilege         3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3076  SystemSettings.exe
  Token: SeCreatePagefilePrivilege  3076  SystemSettings.exe
  Token: SeShutdownPrivilege        3076  SystemSettings.exe
  Token: SeCreatePagefilePrivilege  3076  SystemSettings.exe
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeDebugPrivilege           972   firefox.exe
  Token: SeDebugPrivilege           972   firefox.exe
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
  pid   process
  972   firefox.exe
  972   firefox.exe
  972   firefox.exe
  972   firefox.exe
  3068  Explorer.EXE
  3068  Explorer.EXE
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  pid   process
  972   firefox.exe
  972   firefox.exe
  972   firefox.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  3068  Explorer.EXE
  972   firefox.exe
  3068  Explorer.EXE
  3076  SystemSettings.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                        pid   process                                                                            target process
  PID 2092 wrote to memory of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 2092 wrote to memory of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 2092 wrote to memory of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 2092 wrote to memory of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 2092 wrote to memory of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 2092 wrote to memory of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 2092 wrote to memory of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 2092 wrote to memory of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 2092 wrote to memory of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 2092 wrote to memory of 3988   2092  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
  PID 3988 wrote to memory of 436    3988  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  cmd.exe
  PID 3988 wrote to memory of 436    3988  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  cmd.exe
  PID 3988 wrote to memory of 436    3988  b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe  cmd.exe
  PID 436 wrote to memory of 3584    436   cmd.exe                                                                            cmd.exe
  PID 436 wrote to memory of 3584    436   cmd.exe                                                                            cmd.exe
  PID 436 wrote to memory of 3584    436   cmd.exe                                                                            cmd.exe
  PID 3584 wrote to memory of 1956   3584  cmd.exe                                                                            Bitshost.exe
  PID 3584 wrote to memory of 1956   3584  cmd.exe                                                                            Bitshost.exe
  PID 3584 wrote to memory of 1956   3584  cmd.exe                                                                            Bitshost.exe
  PID 1956 wrote to memory of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1956 wrote to memory of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1956 wrote to memory of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1956 wrote to memory of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1956 wrote to memory of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1956 wrote to memory of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1956 wrote to memory of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1956 wrote to memory of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1956 wrote to memory of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1956 wrote to memory of 1076   1956  Bitshost.exe                                                                       Bitshost.exe
  PID 1076 wrote to memory of 1680   1076  Bitshost.exe                                                                       svchost.exe
  PID 1076 wrote to memory of 1680   1076  Bitshost.exe                                                                       svchost.exe
  PID 1076 wrote to memory of 1680   1076  Bitshost.exe                                                                       svchost.exe
  PID 1076 wrote to memory of 1680   1076  Bitshost.exe                                                                       svchost.exe
  PID 1076 wrote to memory of 1680   1076  Bitshost.exe                                                                       svchost.exe
  PID 1680 wrote to memory of 3068   1680  svchost.exe                                                                        Explorer.EXE
  PID 1680 wrote to memory of 3068   1680  svchost.exe                                                                        Explorer.EXE
  PID 1680 wrote to memory of 3068   1680  svchost.exe                                                                        Explorer.EXE
  PID 3068 wrote to memory of 3464   3068  Explorer.EXE                                                                       RuntimeBroker.exe
  PID 3068 wrote to memory of 3464   3068  Explorer.EXE                                                                       RuntimeBroker.exe
  PID 3068 wrote to memory of 3464   3068  Explorer.EXE                                                                       RuntimeBroker.exe
  PID 3068 wrote to memory of 1392   3068  Explorer.EXE                                                                       WinMail.exe
  PID 3068 wrote to memory of 1392   3068  Explorer.EXE                                                                       WinMail.exe
  PID 3068 wrote to memory of 1392   3068  Explorer.EXE                                                                       WinMail.exe
  PID 3068 wrote to memory of 1392   3068  Explorer.EXE                                                                       WinMail.exe
  PID 3068 wrote to memory of 1392   3068  Explorer.EXE                                                                       WinMail.exe
  PID 3068 wrote to memory of 2748   3068  Explorer.EXE                                                                       firefox.exe
  PID 3068 wrote to memory of 2748   3068  Explorer.EXE                                                                       firefox.exe
  PID 3068 wrote to memory of 2748   3068  Explorer.EXE                                                                       firefox.exe
  PID 3068 wrote to memory of 2748   3068  Explorer.EXE                                                                       firefox.exe
  PID 3068 wrote to memory of 2748   3068  Explorer.EXE                                                                       firefox.exe
  PID 2748 wrote to memory of 972    2748  firefox.exe                                                                        firefox.exe
  PID 2748 wrote to memory of 972    2748  firefox.exe                                                                        firefox.exe
  PID 2748 wrote to memory of 972    2748  firefox.exe                                                                        firefox.exe
  PID 2748 wrote to memory of 972    2748  firefox.exe                                                                        firefox.exe
  PID 2748 wrote to memory of 972    2748  firefox.exe                                                                        firefox.exe
  PID 2748 wrote to memory of 972    2748  firefox.exe                                                                        firefox.exe
  PID 2748 wrote to memory of 972    2748  firefox.exe                                                                        firefox.exe
  PID 2748 wrote to memory of 972    2748  firefox.exe                                                                        firefox.exe
  PID 2748 wrote to memory of 972    2748  firefox.exe                                                                        firefox.exe
  PID 972 wrote to memory of 1540    972   firefox.exe                                                                        firefox.exe
  PID 972 wrote to memory of 1540    972   firefox.exe                                                                        firefox.exe
  PID 972 wrote to memory of 2500    972   firefox.exe                                                                        firefox.exe
  PID 972 wrote to memory of 2500    972   firefox.exe                                                                        firefox.exe
  PID 972 wrote to memory of 2500    972   firefox.exe                                                                        firefox.exe
Processes (indentation shows parent/child depth)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe"
      - Adds Run key to start application
      - Checks SCSI registry key(s)
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8AE2\4571.bat" "C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\B5B222~1.EXE""
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /C ""C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\B5B222~1.EXE""
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
            command line: "C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\B5B222~1.EXE"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
              command line: "C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Checks SCSI registry key(s)
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of WriteProcessMemory

              C:\Windows\system32\svchost.exe
                command line: C:\Windows\system32\svchost.exe
                - Suspicious use of SetThreadContext
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of WriteProcessMemory

  C:\Program Files\Windows Mail\WinMail.exe
    command line: "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

  C:\Program Files\Mozilla Firefox\firefox.exe
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.0.1008612434\77244418" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 1624 gpu

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.3.1288479787\1895270452" -childID 1 -isForBrowser -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 156 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 2296 tab

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.13.1016855148\1699379115" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 7013 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 3460 tab

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.20.835936176\1289047929" -childID 3 -isForBrowser -prefsHandle 2528 -prefMapHandle 2828 -prefsLen 7941 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 2200 tab

      C:\Program Files\Mozilla Firefox\uninstall\helper.exe
        command line: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.27.1365362435\1042505349" -childID 4 -isForBrowser -prefsHandle 8244 -prefMapHandle 8536 -prefsLen 8779 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 8324 tab

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.34.693308029\1540695422" -childID 5 -isForBrowser -prefsHandle 8020 -prefMapHandle 3808 -prefsLen 8980 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 3660 tab

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.41.1508768164\612646905" -childID 6 -isForBrowser -prefsHandle 7340 -prefMapHandle 7436 -prefsLen 8980 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 7328 tab

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.48.2063701560\427191626" -childID 7 -isForBrowser -prefsHandle 8564 -prefMapHandle 8204 -prefsLen 8989 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 8572 tab

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.55.348598278\1987128259" -childID 8 -isForBrowser -prefsHandle 7828 -prefMapHandle 7844 -prefsLen 10695 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 7468 tab

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
  command line: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\8AE2\4571.bat
  MD5: c9432239e47c6ee2bdb136a477057991
  SHA1: 216f5198800c153d260fca1846b17ddc3e16e5f7
  SHA256: d40060aa9353178fca8dcea88f5aaef449c3257b8c24f835befe4a2bd245d5da
  SHA512: 75db3b8375169dafc1c21ed6a4318def99c371a8c314e18c5642aa6500e052071ad1695a0ac17fdc4970bbb5276620ce7887bc205998ef4b4b355c803b665d47

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  MD5: 15279fafae1fc2be8e95ab3e966482fa
  SHA1: a77c7f881df0e6eedc0dc38cdaaa3c0ed7b53c5f
  SHA256: 8868906355ed4f94d18773601d393917247811a77ccde1a7803c9d5e04fc7804
  SHA512: 9a01848a3adb07284616b68966ac77228362549515821b17c1586266422d6c193f1a743615abd1815cb7c8338c0c3c5c2d1d76b9a7b840dda2d293d930b8b75f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  MD5: 9dd535a2df23bbeeb6f652d84a83dadc
  SHA1: c433e8a1605e450691dda48036d97960926993d2
  SHA256: 0b224dce957bbb6ceab53f71ce5c8643bac4ebadd83d7820e039bfdc959c291d
  SHA512: 6d5bebaf2b782778942befff30bd01c66329b63f109cfe468ebb2d08902024e5d1d184dc7e28b9b5ac0936c9dc8a554b617e24a8a3678bc2e7dde2fc3f2a1388

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  MD5: e7a273c124242384d1a78d025c893810
  SHA1: 559199b038bc9f0b5e386c284c50e424fbfd91a9
  SHA256: 44e0e9effb7a253b3d64e04e34e61e3a2dca24ed395da5e76340d3ffff130ae4
  SHA512: d988e9b9966bd3647d2b04f44be117e79be34b7d586d9522a0f6833c0442aab4f671a570b9a0d00ab3c60ac0ee2ef8b65f14a62b96e39ad9363ac0d5c766bc75

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  MD5: 00d60db64a7220a2aef3eb32f7770e32
  SHA1: 04666c42975b8ecfb9a0da5b9079571810c405b6
  SHA256: aa47715282a39792979bfa752effd8628883190553622bf31f2d60b603762d50
  SHA512: b5320ccd12c485bb96e9fb5c0bb42f5662f2da474ba3dcee7a7fa2dc22933743d7a16902642eaddfe84bd0a456d0d15cdc6b59a492625ff7e75ba973de5f0b50

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  MD5: 9dd535a2df23bbeeb6f652d84a83dadc
  SHA1: c433e8a1605e450691dda48036d97960926993d2
  SHA256: 0b224dce957bbb6ceab53f71ce5c8643bac4ebadd83d7820e039bfdc959c291d
  SHA512: 6d5bebaf2b782778942befff30bd01c66329b63f109cfe468ebb2d08902024e5d1d184dc7e28b9b5ac0936c9dc8a554b617e24a8a3678bc2e7dde2fc3f2a1388

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uc9n7vlb.default-release\prefs.js
  MD5: 0e5d325190ecad7aa64f94878b297e62
  SHA1: f3857e0ed9c61e5aefe0f499f1cbc14d7ff56b9a
  SHA256: 5ec810dd4a12e46361cf51d89f54f118bcaca4e6fa934adda9266de96048500a
  SHA512: 8f0c5c0f29bf2ac2abf45173d516bdd86318efab6e2000b1c963b95866f21be6343194c1acce51b208bfa4ec9c6628d90b0467609c7f38b73a6d98d5a1b91532

C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
  MD5: 5cd80a6332974451ccdaa37c11993cc9
  SHA1: d5577ac65719ece5d37277a3d2451ab2855979ee
  SHA256: b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade
  SHA512: 1f29b0bbbd86b4783e0f05e69f037df7719d2ecae76839a902d74579b09f2b4ca0a1ba7e7305a42642a7a99f416a29a6617d96e72c2ee99a2f8eaff36556e886

C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
  MD5: 5cd80a6332974451ccdaa37c11993cc9
  SHA1: d5577ac65719ece5d37277a3d2451ab2855979ee
  SHA256: b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade
  SHA512: 1f29b0bbbd86b4783e0f05e69f037df7719d2ecae76839a902d74579b09f2b4ca0a1ba7e7305a42642a7a99f416a29a6617d96e72c2ee99a2f8eaff36556e886

C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
  MD5: 5cd80a6332974451ccdaa37c11993cc9
  SHA1: d5577ac65719ece5d37277a3d2451ab2855979ee
  SHA256: b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade
  SHA512: 1f29b0bbbd86b4783e0f05e69f037df7719d2ecae76839a902d74579b09f2b4ca0a1ba7e7305a42642a7a99f416a29a6617d96e72c2ee99a2f8eaff36556e886

\Users\Admin\AppData\Local\Temp\nsh4452.tmp\CityHash.dll
  MD5: 737379945745bb94f8a0dadcc18cad8d
  SHA1: 6a1f497b4dc007f5935b66ec83b00e5a394332c6
  SHA256: d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a
  SHA512: c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

\Users\Admin\AppData\Local\Temp\nsh4452.tmp\CityHash.dll
  MD5: 737379945745bb94f8a0dadcc18cad8d
  SHA1: 6a1f497b4dc007f5935b66ec83b00e5a394332c6
  SHA256: d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a
  SHA512: c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

\Users\Admin\AppData\Local\Temp\nsh4452.tmp\System.dll
  MD5: 17ed1c86bd67e78ade4712be48a7d2bd
  SHA1: 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
  SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
  SHA512: 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5
memory/436-118-0x0000000000000000-mapping.dmp
memory/1076-125-0x00000000004010E7-mapping.dmp
memory/1392-143-0x000001CDD5D70000-0x000001CDD5D71000-memory.dmp  Filesize: 4KB
memory/1392-142-0x000001CDD5DA0000-0x000001CDD5DA2000-memory.dmp  Filesize: 8KB
memory/1392-144-0x000001CDD7840000-0x000001CDD7942000-memory.dmp  Filesize: 1.0MB
memory/1392-140-0x0000000000000000-mapping.dmp
memory/1392-141-0x000001CDD5DA0000-0x000001CDD5DA2000-memory.dmp  Filesize: 8KB
memory/1680-128-0x0000020CA5A20000-0x0000020CA5A22000-memory.dmp  Filesize: 8KB
memory/1680-134-0x0000000000A90000-0x0000000000A91000-memory.dmp  Filesize: 4KB
memory/1680-129-0x0000020CA5A20000-0x0000020CA5A22000-memory.dmp  Filesize: 8KB
memory/1680-127-0x0000000000000000-mapping.dmp
memory/1680-135-0x0000000000980000-0x0000000000A82000-memory.dmp  Filesize: 1.0MB
memory/1956-121-0x0000000000000000-mapping.dmp
memory/2764-160-0x0000000000000000-mapping.dmp
memory/2764-166-0x0000000000630000-0x000000000063F000-memory.dmp  Filesize: 60KB
memory/3068-136-0x0000000000C90000-0x0000000000C91000-memory.dmp  Filesize: 4KB
memory/3068-145-0x0000000000DF0000-0x0000000000DF2000-memory.dmp  Filesize: 8KB
memory/3068-137-0x0000000000CE0000-0x0000000000DE2000-memory.dmp  Filesize: 1.0MB
memory/3068-130-0x0000000000DF0000-0x0000000000DF2000-memory.dmp  Filesize: 8KB
memory/3068-131-0x0000000000DF0000-0x0000000000DF2000-memory.dmp  Filesize: 8KB
memory/3464-139-0x0000027506190000-0x0000027506292000-memory.dmp  Filesize: 1.0MB
memory/3464-138-0x0000027503FA0000-0x0000027503FA1000-memory.dmp  Filesize: 4KB
memory/3464-132-0x0000027503FD0000-0x0000027503FD2000-memory.dmp  Filesize: 8KB
memory/3464-133-0x0000027503FD0000-0x0000027503FD2000-memory.dmp  Filesize: 8KB
memory/3584-120-0x0000000000000000-mapping.dmp
memory/3988-116-0x00000000004010E7-mapping.dmp
memory/3988-117-0x0000000000400000-0x0000000000465000-memory.dmp  Filesize: 404KB
memory/3988-115-0x0000000000400000-0x0000000000465000-memory.dmp  Filesize: 404KB