30863f7a149c41c3edb9537a1e93321faab3c68fed49cccbaeddb099388b14ac

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Caprine.exe
Size

168.2MB
MD5

d8cb17b77335bdcad6d90f31524a96e5
SHA1

3dd47209e96fea6ef18d6ae18ca0e58c3819e410
SHA256

77a9a1d1160671f19be29f2965bf50ad987d9e6c660f5231665ee31aef4ada02
SHA512

30aaf3791ea08f55705c867505c1e46d1267a18d8000c45063416f409e3d56ca5e3cc1583ce6efd1bedddabdf4cd1fd37d9e861d540bab533028bc894bb6d3f1
SSDEEP

1572864:hIPWtb+TnTrz8AWSnsWNUWRTMgnHogf5pmehttXQCYENi3OW8ScBy9fzg29H:KWesC9RBydzb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Caprine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Caprine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Caprine.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	icanhazip.com
17	icanhazip.com

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2692	Caprine.exe
2692	Caprine.exe
2692	Caprine.exe
2692	Caprine.exe
5644	Caprine.exe
5644	Caprine.exe
5644	Caprine.exe
5644	Caprine.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe
Token: SeShutdownPrivilege	432	Caprine.exe
Token: SeCreatePagefilePrivilege	432	Caprine.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
432	Caprine.exe
432	Caprine.exe
432	Caprine.exe
432	Caprine.exe
432	Caprine.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
432	Caprine.exe
432	Caprine.exe
432	Caprine.exe
432	Caprine.exe
432	Caprine.exe
432	Caprine.exe
432	Caprine.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 1060	432	Caprine.exe	86
PID 432 wrote to memory of 4800	432	Caprine.exe	87
PID 432 wrote to memory of 4800	432	Caprine.exe	87
PID 432 wrote to memory of 2616	432	Caprine.exe	88
PID 432 wrote to memory of 2616	432	Caprine.exe	88
PID 432 wrote to memory of 2692	432	Caprine.exe	90
PID 432 wrote to memory of 2692	432	Caprine.exe	90
PID 432 wrote to memory of 5644	432	Caprine.exe	97
PID 432 wrote to memory of 5644	432	Caprine.exe	97

C:\Users\Admin\AppData\Local\Temp\Caprine.exe
"C:\Users\Admin\AppData\Local\Temp\Caprine.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\Caprine.exe
  "C:\Users\Admin\AppData\Local\Temp\Caprine.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Caprine" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1852 --field-trial-handle=1856,i,7083637866442888528,1479263037124123720,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\Caprine.exe
  "C:\Users\Admin\AppData\Local\Temp\Caprine.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Caprine" --mojo-platform-channel-handle=2180 --field-trial-handle=1856,i,7083637866442888528,1479263037124123720,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\Caprine.exe
  "C:\Users\Admin\AppData\Local\Temp\Caprine.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Caprine" --app-user-model-id=com.sindresorhus.caprine --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2556 --field-trial-handle=1856,i,7083637866442888528,1479263037124123720,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\Caprine.exe
  "C:\Users\Admin\AppData\Local\Temp\Caprine.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Caprine" --app-user-model-id=com.sindresorhus.caprine --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3368 --field-trial-handle=1856,i,7083637866442888528,1479263037124123720,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\Caprine.exe
  "C:\Users\Admin\AppData\Local\Temp\Caprine.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Caprine" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3316 --field-trial-handle=1856,i,7083637866442888528,1479263037124123720,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Caprine\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
d705a6f9b4f5d0ffeb1b410c1caab9d5

SHA1
f36dab5d92d27e9b08954a04bddee92cfaf4667d

SHA256
59d835399508abb5cb5628eaa494d5852a41d8f2bdc8abaca8679289044b31f2

SHA512
ddd7cef333d86bf92a18cef6a0445b136ac846da3952300b87f732cdea5b2a2874f04f2dafec3d8bee4356e205c8f7856229a39657441ab988b22a1121a5d918

Download Submit
C:\Users\Admin\AppData\Roaming\Caprine\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
afaabe5079db1d1a38681f79550e82d0

SHA1
5f4ff63c11506018b5288ba875b0f553031db548

SHA256
d92dd13ad4160931a3a0a6fc5e2bda1df724edf51f7ab7a9cd78a226c405bfe2

SHA512
575df4fbcecf3bcf8e02c768fac7fa919839db935fa9e9dcb35eabc281991322fb7a2731edd2275a3cff4a34392a3da3ff7261d341393379039b9c0a498b5a7d

Download Submit
C:\Users\Admin\AppData\Roaming\Caprine\Network\Network Persistent State

Filesize
970B

MD5
94907745caad6f5d31fa0beb9be8fafe

SHA1
fbddea7eb44a077fb739fa71b1e7531a1c91953a

SHA256
9324b7939794309745108842c6055d942ec5175f1f954eb1bbd03504ce1dea0a

SHA512
34eaf50843416211ed4e6a49c286e7aef63ef4cbd0158fe9c6e6872fafb9eaa9525b2acb9fd96989b40fca8a88a657ad9fa0274d6eb9a4e9a652f7223af47829

Download Submit
C:\Users\Admin\AppData\Roaming\Caprine\Network\Network Persistent State~RFe58c30d.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Caprine\Network\TransportSecurity

Filesize
517B

MD5
599b77bd89ae444481d6559058f00ebb

SHA1
2025e1abdc02c268d681dc75ee5968c87502539c

SHA256
9b86a90b1e3896a85abd82b2e30a9b8c79f5a2e673f01c3ccb012d5cb6a912f0

SHA512
30595300d0eaf8a4df98479fc1d7a2588adf5343275ebf9cb3d2aecd9af29a78519e3f3c9e98d77e2bbb435f6a368729d2588f9cbc3e3851671788db5de85d76

Download Submit
C:\Users\Admin\AppData\Roaming\Caprine\Network\TransportSecurity~RFe5801ff.TMP

Filesize
517B

MD5
330fc4e95b06e0fead5c062430af11f3

SHA1
15a057897e3fc73d35863a19b16fb464f6a17dcd

SHA256
c1247a1571284aed1b39143900572c963177d6c1b841d36e0ff9f97845bb0300

SHA512
c5f76564b4c667c911ee24a13b422775f47795ee24436d9a0610b7b2434a88418a7cf659ef778d990736b3f4227913f3e3c70e1fec4847e7370b443a669fed7c

Download Submit
C:\Users\Admin\AppData\Roaming\Caprine\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Caprine\Preferences~RFe57d793.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\Caprine\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Caprine\config.json

Filesize
951B

MD5
e307e3fb62aa70a0f2b1ee0da2ea42f7

SHA1
18f1590fe6a521335080b7b327dba8fefe7d4448

SHA256
ed2caee78db8a1e5d0b4180ec55a80c1343896a2c032b57ed64cc56f4dbe583f

SHA512
a0d1f9de4df779d05fc165fbc303e4f3411d6e287acaf2ccf18b97f1e75aa56d1a1d6b6e1b03c87e16612a164453213b46fe10adbe559a80798655a99a5466b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/5644-726-0x0000014E3C1D0000-0x0000014E3C1D1000-memory.dmp

Filesize
4KB

Download
memory/5644-724-0x0000014E3C1D0000-0x0000014E3C1D1000-memory.dmp

Filesize
4KB

Download
memory/5644-725-0x0000014E3C1D0000-0x0000014E3C1D1000-memory.dmp

Filesize
4KB

Download
memory/5644-736-0x0000014E3C1D0000-0x0000014E3C1D1000-memory.dmp

Filesize
4KB

Download
memory/5644-735-0x0000014E3C1D0000-0x0000014E3C1D1000-memory.dmp

Filesize
4KB

Download
memory/5644-734-0x0000014E3C1D0000-0x0000014E3C1D1000-memory.dmp

Filesize
4KB

Download
memory/5644-733-0x0000014E3C1D0000-0x0000014E3C1D1000-memory.dmp

Filesize
4KB

Download
memory/5644-732-0x0000014E3C1D0000-0x0000014E3C1D1000-memory.dmp

Filesize
4KB

Download
memory/5644-731-0x0000014E3C1D0000-0x0000014E3C1D1000-memory.dmp

Filesize
4KB

Download
memory/5644-730-0x0000014E3C1D0000-0x0000014E3C1D1000-memory.dmp

Filesize
4KB

Download