gozi_ifsb | b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade

Analysis

max time kernel
1199s
max time network
1213s
platform
windows10_x64
resource
win10-en-20210920
submitted
22-10-2021 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
Size

838KB
MD5

5cd80a6332974451ccdaa37c11993cc9
SHA1

d5577ac65719ece5d37277a3d2451ab2855979ee
SHA256

b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade
SHA512

1f29b0bbbd86b4783e0f05e69f037df7719d2ecae76839a902d74579b09f2b4ca0a1ba7e7305a42642a7a99f416a29a6617d96e72c2ee99a2f8eaff36556e886

Score

10^/10

gozi_ifsb banker persistence suricata trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
216881

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
suricata
Executes dropped EXE 2 IoCs

Processes:

Bitshost.exeBitshost.exe

pid process

1956 Bitshost.exe
1076 Bitshost.exe
Loads dropped DLL 3 IoCs

Processes:

helper.exe

pid process

2764 helper.exe
2764 helper.exe
2764 helper.exe

pid	process
1956	Bitshost.exe
1076	Bitshost.exe

pid	process
2764	helper.exe
2764	helper.exe
2764	helper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abovsapi = "C:\\Users\\Admin\\AppData\\Roaming\\capasnap\\Bitshost.exe"	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exeBitshost.exeBitshost.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 2092 set thread context of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 1956 set thread context of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1076 set thread context of 1680	1076	Bitshost.exe	svchost.exe
PID 1680 set thread context of 3068	1680	svchost.exe	Explorer.EXE
PID 3068 set thread context of 3464	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 set thread context of 1392	3068	Explorer.EXE	WinMail.exe
PID 3068 set thread context of 2748	3068	Explorer.EXE	firefox.exe

Drops file in Windows directory 4 IoCs

Processes:

SystemSettings.exeExplorer.EXE

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	Explorer.EXE
File created	C:\Windows\rescache\_merged\3060194815\335381474.pri	SystemSettings.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Bitshost.exeSystemSettings.exeb5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	Bitshost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	Bitshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 6 IoCs

Processes:

Explorer.EXEfirefox.exeSystemSettings.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	SystemSettings.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Bitshost.exeExplorer.EXE

pid process

1076 Bitshost.exe
1076 Bitshost.exe
3068 Explorer.EXE
3068 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Bitshost.exesvchost.exeExplorer.EXE

pid process

1076 Bitshost.exe
1680 svchost.exe
3068 Explorer.EXE
3068 Explorer.EXE
3068 Explorer.EXE

pid	process
1076	Bitshost.exe
1076	Bitshost.exe
3068	Explorer.EXE
3068	Explorer.EXE

pid	process
3068	Explorer.EXE

pid	process
1076	Bitshost.exe
1680	svchost.exe
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEhelper.exeSystemSettings.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeDebugPrivilege	2764	helper.exe
Token: SeDebugPrivilege	2764	helper.exe
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeTakeOwnershipPrivilege	3068	Explorer.EXE
Token: SeRestorePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3076	SystemSettings.exe
Token: SeCreatePagefilePrivilege	3076	SystemSettings.exe
Token: SeShutdownPrivilege	3076	SystemSettings.exe
Token: SeCreatePagefilePrivilege	3076	SystemSettings.exe
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeDebugPrivilege	972	firefox.exe
Token: SeDebugPrivilege	972	firefox.exe
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

firefox.exeExplorer.EXE

pid process

972 firefox.exe
972 firefox.exe
972 firefox.exe
972 firefox.exe
3068 Explorer.EXE
3068 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

972 firefox.exe
972 firefox.exe
972 firefox.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Explorer.EXEfirefox.exeSystemSettings.exe

pid process

3068 Explorer.EXE
972 firefox.exe
3068 Explorer.EXE
3076 SystemSettings.exe

pid	process
972	firefox.exe
972	firefox.exe
972	firefox.exe
972	firefox.exe
3068	Explorer.EXE
3068	Explorer.EXE

pid	process
972	firefox.exe
972	firefox.exe
972	firefox.exe

pid	process
3068	Explorer.EXE
972	firefox.exe
3068	Explorer.EXE
3076	SystemSettings.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exeb5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.execmd.execmd.exeBitshost.exeBitshost.exesvchost.exeExplorer.EXEfirefox.exefirefox.exe

description	pid	process	target process
PID 2092 wrote to memory of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 2092 wrote to memory of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 2092 wrote to memory of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 2092 wrote to memory of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 2092 wrote to memory of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 2092 wrote to memory of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 2092 wrote to memory of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 2092 wrote to memory of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 2092 wrote to memory of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 2092 wrote to memory of 3988	2092	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
PID 3988 wrote to memory of 436	3988	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	cmd.exe
PID 3988 wrote to memory of 436	3988	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	cmd.exe
PID 3988 wrote to memory of 436	3988	b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe	cmd.exe
PID 436 wrote to memory of 3584	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 3584	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 3584	436	cmd.exe	cmd.exe
PID 3584 wrote to memory of 1956	3584	cmd.exe	Bitshost.exe
PID 3584 wrote to memory of 1956	3584	cmd.exe	Bitshost.exe
PID 3584 wrote to memory of 1956	3584	cmd.exe	Bitshost.exe
PID 1956 wrote to memory of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1956 wrote to memory of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1956 wrote to memory of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1956 wrote to memory of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1956 wrote to memory of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1956 wrote to memory of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1956 wrote to memory of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1956 wrote to memory of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1956 wrote to memory of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1956 wrote to memory of 1076	1956	Bitshost.exe	Bitshost.exe
PID 1076 wrote to memory of 1680	1076	Bitshost.exe	svchost.exe
PID 1076 wrote to memory of 1680	1076	Bitshost.exe	svchost.exe
PID 1076 wrote to memory of 1680	1076	Bitshost.exe	svchost.exe
PID 1076 wrote to memory of 1680	1076	Bitshost.exe	svchost.exe
PID 1076 wrote to memory of 1680	1076	Bitshost.exe	svchost.exe
PID 1680 wrote to memory of 3068	1680	svchost.exe	Explorer.EXE
PID 1680 wrote to memory of 3068	1680	svchost.exe	Explorer.EXE
PID 1680 wrote to memory of 3068	1680	svchost.exe	Explorer.EXE
PID 3068 wrote to memory of 3464	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 wrote to memory of 3464	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 wrote to memory of 3464	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 wrote to memory of 1392	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 1392	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 1392	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 1392	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 1392	3068	Explorer.EXE	WinMail.exe
PID 3068 wrote to memory of 2748	3068	Explorer.EXE	firefox.exe
PID 3068 wrote to memory of 2748	3068	Explorer.EXE	firefox.exe
PID 3068 wrote to memory of 2748	3068	Explorer.EXE	firefox.exe
PID 3068 wrote to memory of 2748	3068	Explorer.EXE	firefox.exe
PID 3068 wrote to memory of 2748	3068	Explorer.EXE	firefox.exe
PID 2748 wrote to memory of 972	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 972	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 972	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 972	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 972	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 972	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 972	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 972	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 972	2748	firefox.exe	firefox.exe
PID 972 wrote to memory of 1540	972	firefox.exe	firefox.exe
PID 972 wrote to memory of 1540	972	firefox.exe	firefox.exe
PID 972 wrote to memory of 2500	972	firefox.exe	firefox.exe
PID 972 wrote to memory of 2500	972	firefox.exe	firefox.exe
PID 972 wrote to memory of 2500	972	firefox.exe	firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade.bin.sample.exe"
3⤵
- Adds Run key to start application
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8AE2\4571.bat" "C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\B5B222~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\B5B222~1.EXE""
5⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
"C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\B5B222~1.EXE"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
"C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:1392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.0.1008612434\77244418" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 1624 gpu
4⤵
PID:1540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.3.1288479787\1895270452" -childID 1 -isForBrowser -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 156 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 2296 tab
4⤵
PID:2500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.13.1016855148\1699379115" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 7013 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 3460 tab
4⤵
PID:1648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.20.835936176\1289047929" -childID 3 -isForBrowser -prefsHandle 2528 -prefMapHandle 2828 -prefsLen 7941 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 2200 tab
4⤵
PID:1560

C:\Program Files\Mozilla Firefox\uninstall\helper.exe
"C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.27.1365362435\1042505349" -childID 4 -isForBrowser -prefsHandle 8244 -prefMapHandle 8536 -prefsLen 8779 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 8324 tab
4⤵
PID:4404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.34.693308029\1540695422" -childID 5 -isForBrowser -prefsHandle 8020 -prefMapHandle 3808 -prefsLen 8980 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 3660 tab
4⤵
PID:4668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.41.1508768164\612646905" -childID 6 -isForBrowser -prefsHandle 7340 -prefMapHandle 7436 -prefsLen 8980 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 7328 tab
4⤵
PID:4840

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.48.2063701560\427191626" -childID 7 -isForBrowser -prefsHandle 8564 -prefMapHandle 8204 -prefsLen 8989 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 8572 tab
4⤵
PID:4992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="972.55.348598278\1987128259" -childID 8 -isForBrowser -prefsHandle 7828 -prefMapHandle 7844 -prefsLen 10695 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 972 "\\.\pipe\gecko-crash-server-pipe.972" 7468 tab
4⤵
PID:3588

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3464

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8AE2\4571.bat
MD5
c9432239e47c6ee2bdb136a477057991

SHA1
216f5198800c153d260fca1846b17ddc3e16e5f7

SHA256
d40060aa9353178fca8dcea88f5aaef449c3257b8c24f835befe4a2bd245d5da

SHA512
75db3b8375169dafc1c21ed6a4318def99c371a8c314e18c5642aa6500e052071ad1695a0ac17fdc4970bbb5276620ce7887bc205998ef4b4b355c803b665d47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
MD5
15279fafae1fc2be8e95ab3e966482fa

SHA1
a77c7f881df0e6eedc0dc38cdaaa3c0ed7b53c5f

SHA256
8868906355ed4f94d18773601d393917247811a77ccde1a7803c9d5e04fc7804

SHA512
9a01848a3adb07284616b68966ac77228362549515821b17c1586266422d6c193f1a743615abd1815cb7c8338c0c3c5c2d1d76b9a7b840dda2d293d930b8b75f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
MD5
9dd535a2df23bbeeb6f652d84a83dadc

SHA1
c433e8a1605e450691dda48036d97960926993d2

SHA256
0b224dce957bbb6ceab53f71ce5c8643bac4ebadd83d7820e039bfdc959c291d

SHA512
6d5bebaf2b782778942befff30bd01c66329b63f109cfe468ebb2d08902024e5d1d184dc7e28b9b5ac0936c9dc8a554b617e24a8a3678bc2e7dde2fc3f2a1388

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
MD5
e7a273c124242384d1a78d025c893810

SHA1
559199b038bc9f0b5e386c284c50e424fbfd91a9

SHA256
44e0e9effb7a253b3d64e04e34e61e3a2dca24ed395da5e76340d3ffff130ae4

SHA512
d988e9b9966bd3647d2b04f44be117e79be34b7d586d9522a0f6833c0442aab4f671a570b9a0d00ab3c60ac0ee2ef8b65f14a62b96e39ad9363ac0d5c766bc75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
MD5
00d60db64a7220a2aef3eb32f7770e32

SHA1
04666c42975b8ecfb9a0da5b9079571810c405b6

SHA256
aa47715282a39792979bfa752effd8628883190553622bf31f2d60b603762d50

SHA512
b5320ccd12c485bb96e9fb5c0bb42f5662f2da474ba3dcee7a7fa2dc22933743d7a16902642eaddfe84bd0a456d0d15cdc6b59a492625ff7e75ba973de5f0b50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
MD5
9dd535a2df23bbeeb6f652d84a83dadc

SHA1
c433e8a1605e450691dda48036d97960926993d2

SHA256
0b224dce957bbb6ceab53f71ce5c8643bac4ebadd83d7820e039bfdc959c291d

SHA512
6d5bebaf2b782778942befff30bd01c66329b63f109cfe468ebb2d08902024e5d1d184dc7e28b9b5ac0936c9dc8a554b617e24a8a3678bc2e7dde2fc3f2a1388

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uc9n7vlb.default-release\prefs.js
MD5
0e5d325190ecad7aa64f94878b297e62

SHA1
f3857e0ed9c61e5aefe0f499f1cbc14d7ff56b9a

SHA256
5ec810dd4a12e46361cf51d89f54f118bcaca4e6fa934adda9266de96048500a

SHA512
8f0c5c0f29bf2ac2abf45173d516bdd86318efab6e2000b1c963b95866f21be6343194c1acce51b208bfa4ec9c6628d90b0467609c7f38b73a6d98d5a1b91532

Download Submit
C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
MD5
5cd80a6332974451ccdaa37c11993cc9

SHA1
d5577ac65719ece5d37277a3d2451ab2855979ee

SHA256
b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade

SHA512
1f29b0bbbd86b4783e0f05e69f037df7719d2ecae76839a902d74579b09f2b4ca0a1ba7e7305a42642a7a99f416a29a6617d96e72c2ee99a2f8eaff36556e886

Download Submit
C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
MD5
5cd80a6332974451ccdaa37c11993cc9

SHA1
d5577ac65719ece5d37277a3d2451ab2855979ee

SHA256
b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade

SHA512
1f29b0bbbd86b4783e0f05e69f037df7719d2ecae76839a902d74579b09f2b4ca0a1ba7e7305a42642a7a99f416a29a6617d96e72c2ee99a2f8eaff36556e886

Download Submit
C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe
MD5
5cd80a6332974451ccdaa37c11993cc9

SHA1
d5577ac65719ece5d37277a3d2451ab2855979ee

SHA256
b5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade

SHA512
1f29b0bbbd86b4783e0f05e69f037df7719d2ecae76839a902d74579b09f2b4ca0a1ba7e7305a42642a7a99f416a29a6617d96e72c2ee99a2f8eaff36556e886

Download Submit
\Users\Admin\AppData\Local\Temp\nsh4452.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsh4452.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsh4452.tmp\System.dll
MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
memory/436-118-0x0000000000000000-mapping.dmp

Download
memory/1076-125-0x00000000004010E7-mapping.dmp

Download
memory/1392-143-0x000001CDD5D70000-0x000001CDD5D71000-memory.dmp

Filesize
4KB

Download
memory/1392-142-0x000001CDD5DA0000-0x000001CDD5DA2000-memory.dmp

Filesize
8KB

Download
memory/1392-144-0x000001CDD7840000-0x000001CDD7942000-memory.dmp

Filesize
1.0MB

Download
memory/1392-140-0x0000000000000000-mapping.dmp

Download
memory/1392-141-0x000001CDD5DA0000-0x000001CDD5DA2000-memory.dmp

Filesize
8KB

Download
memory/1680-128-0x0000020CA5A20000-0x0000020CA5A22000-memory.dmp

Filesize
8KB

Download
memory/1680-134-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1680-129-0x0000020CA5A20000-0x0000020CA5A22000-memory.dmp

Filesize
8KB

Download
memory/1680-127-0x0000000000000000-mapping.dmp

Download
memory/1680-135-0x0000000000980000-0x0000000000A82000-memory.dmp

Filesize
1.0MB

Download
memory/1956-121-0x0000000000000000-mapping.dmp

Download
memory/2764-160-0x0000000000000000-mapping.dmp

Download
memory/2764-166-0x0000000000630000-0x000000000063F000-memory.dmp

Filesize
60KB

Download
memory/3068-136-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3068-145-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/3068-137-0x0000000000CE0000-0x0000000000DE2000-memory.dmp

Filesize
1.0MB

Download
memory/3068-130-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/3068-131-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/3464-139-0x0000027506190000-0x0000027506292000-memory.dmp

Filesize
1.0MB

Download
memory/3464-138-0x0000027503FA0000-0x0000027503FA1000-memory.dmp

Filesize
4KB

Download
memory/3464-132-0x0000027503FD0000-0x0000027503FD2000-memory.dmp

Filesize
8KB

Download
memory/3464-133-0x0000027503FD0000-0x0000027503FD2000-memory.dmp

Filesize
8KB

Download
memory/3584-120-0x0000000000000000-mapping.dmp

Download
memory/3988-116-0x00000000004010E7-mapping.dmp

Download
memory/3988-117-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3988-115-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download