Analysis Overview
SHA256
6a8419d81fb645c073439e284a988ab540cd514a933ce2b6ee4b776aa50b50ac
Threat Level: Known bad
The file wifi.exe was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Checks installed software on the system
Drops file in Windows directory
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2020-08-04 08:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-08-04 08:41
Reported
2020-08-04 08:43
Platform
win7
Max time kernel
150s
Max time network
130s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
| File created | C:\Windows\Tasks\autoconv.job | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Checks installed software on the system
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Suspicious use of WriteProcessMemory
Osiris
Processes
C:\Users\Admin\AppData\Local\Temp\wifi.exe
"C:\Users\Admin\AppData\Local\Temp\wifi.exe"
C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 128.31.0.34:9131 | 128.31.0.34 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.136.99:443 | api.ipify.org | tcp |
| N/A | 51.15.105.214:80 | 51.15.105.214 | tcp |
| N/A | 172.105.171.141:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 93.115.241.50:80 | 93.115.241.50 | tcp |
| N/A | 158.69.102.11:443 | N/A | tcp |
| N/A | 51.38.115.191:80 | 51.38.115.191 | tcp |
| N/A | 185.4.132.135:443 | N/A | tcp |
| N/A | 213.239.216.222:80 | 213.239.216.222 | tcp |
| N/A | 94.155.49.47:443 | N/A | tcp |
| N/A | 180.149.125.138:80 | 180.149.125.138 | tcp |
| N/A | 193.218.118.200:80 | 193.218.118.200 | tcp |
| N/A | 83.97.20.100:80 | 83.97.20.100 | tcp |
| N/A | 91.148.141.117:80 | 91.148.141.117 | tcp |
| N/A | 5.9.121.79:80 | 5.9.121.79 | tcp |
| N/A | 49.12.46.86:443 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsq35B.tmp\UserInfo.dll
\Users\Admin\AppData\Local\Temp\nsq35B.tmp\System.dll
\Users\Admin\AppData\Local\Temp\obscures.dll
memory/1156-3-0x00000000003D0000-0x00000000003FB000-memory.dmp
\Users\Admin\AppData\Local\Temp\cmd.exe
memory/1508-5-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cmd.exe
memory/1508-7-0x0000000000400000-0x000000000049F000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
memory/1972-9-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
memory/1508-12-0x0000000000380000-0x000000000039E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-08-04 08:41
Reported
2020-08-04 08:43
Platform
win10
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
| File created | C:\Windows\Tasks\autoconv.job | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Checks installed software on the system
Osiris
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wifi.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\wifi.exe
"C:\Users\Admin\AppData\Local\Temp\wifi.exe"
C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 171.25.193.9:443 | 171.25.193.9 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.83.248:443 | api.ipify.org | tcp |
| N/A | 91.213.233.138:80 | 91.213.233.138 | tcp |
| N/A | 185.163.45.253:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 185.100.86.154:80 | 185.100.86.154 | tcp |
| N/A | 54.36.108.162:80 | 54.36.108.162 | tcp |
| N/A | 180.149.125.138:80 | 180.149.125.138 | tcp |
| N/A | 142.93.190.102:443 | 142.93.190.102 | tcp |
| N/A | 179.43.134.188:80 | 179.43.134.188 | tcp |
| N/A | 20.44.180.227:443 | N/A | tcp |
| N/A | 185.195.237.118:80 | 185.195.237.118 | tcp |
| N/A | 163.172.49.92:80 | 163.172.49.92 | tcp |
| N/A | 162.247.74.200:80 | 162.247.74.200 | tcp |
| N/A | 185.100.85.61:80 | 185.100.85.61 | tcp |
| N/A | 217.112.131.7:443 | N/A | tcp |
| N/A | 178.162.194.210:443 | 178.162.194.210 | tcp |
| N/A | 82.223.14.245:80 | 82.223.14.245 | tcp |
| N/A | 148.251.22.104:80 | 148.251.22.104 | tcp |
| N/A | 116.203.105.60:443 | N/A | tcp |
| N/A | 199.249.230.146:80 | 199.249.230.146 | tcp |
| N/A | 95.217.223.240:80 | 95.217.223.240 | tcp |
Files
\Users\Admin\AppData\Local\Temp\nseD4E5.tmp\UserInfo.dll
\Users\Admin\AppData\Local\Temp\nseD4E5.tmp\System.dll
\Users\Admin\AppData\Local\Temp\obscures.dll
memory/3404-3-0x00000000022A0000-0x00000000022CB000-memory.dmp
memory/3904-4-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cmd.exe
memory/3904-6-0x0000000000400000-0x000000000049F000-memory.dmp
memory/3076-7-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
C:\Users\Admin\AppData\Local\Temp\x64btit.txt