Analysis Overview
SHA256
821f5310b1730641b6578ac9ce0173802db407192afdb30039f941df1ff8f1c2
Threat Level: Known bad
The file Data Analytics Services Consulting Pte. Ltd was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Drops file in Windows directory
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-09-16 07:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-09-16 07:31
Reported
2020-09-16 07:33
Platform
win7v200722
Max time kernel
151s
Max time network
134s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\svm.job | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\Data Analytics Services Consulting Pte. Ltd.exe | "C:\Users\Admin\AppData\Local\Temp\Data Analytics Services Consulting Pte. Ltd.exe" |
| C:\Windows\SysWOW64\ipconfig.exe | "C:\Windows\system32\ipconfig.exe" |
| C:\Users\Admin\AppData\Local\Temp\cmd.exe | "C:\Users\Admin\AppData\Local\Temp\cmd.exe" |
| C:\Users\Admin\AppData\Local\Temp\cmd.exe | "C:\Users\Admin\AppData\Local\Temp\cmd.exe" |
| C:\Users\Admin\AppData\Local\Temp\cmd.exe | "C:\Users\Admin\AppData\Local\Temp\cmd.exe" |
| C:\Users\Admin\AppData\Local\Temp\cmd.exe | "C:\Users\Admin\AppData\Local\Temp\cmd.exe" |
| C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe" |
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | i.imgur.com | udp |
| N/A | 151.101.36.193:443 | i.imgur.com | tcp |
| N/A | 151.101.36.193:443 | i.imgur.com | tcp |
| N/A | 93.184.220.29:80 | ocsp.digicert.com | tcp |
| N/A | 128.31.0.34:9131 | 128.31.0.34 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.203.47:443 | api.ipify.org | tcp |
| N/A | 83.212.96.120:80 | 83.212.96.120 | tcp |
| N/A | 91.199.223.21:443 | | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 8.8.8.8:53 | crl.verisign.com | udp |
| N/A | 93.184.220.29:80 | crl.verisign.com | tcp |
| N/A | 217.170.206.192:80 | 217.170.206.192 | tcp |
| N/A | 216.250.97.250:443 | | tcp |
| N/A | 66.55.67.28:80 | 66.55.67.28 | tcp |
| N/A | 45.125.65.45:80 | 45.125.65.45 | tcp |
| N/A | 85.17.127.129:80 | 85.17.127.129 | tcp |
| N/A | 45.141.156.107:80 | 45.141.156.107 | tcp |
| N/A | 87.100.153.59:80 | 87.100.153.59 | tcp |
| N/A | 185.150.117.116:443 | | tcp |
Files
memory/1404-0-0x0000000000000000-mapping.dmp
memory/1360-1-0x000007FEF7620000-0x000007FEF789A000-memory.dmp
memory/1404-2-0x00000000042C0000-0x0000000004342000-memory.dmp
\Users\Admin\AppData\Local\Temp\cmd.exe
C:\Users\Admin\AppData\Local\Temp\cmd.exe
\Users\Admin\AppData\Local\Temp\cmd.exe
C:\Users\Admin\AppData\Local\Temp\cmd.exe
\Users\Admin\AppData\Local\Temp\cmd.exe
C:\Users\Admin\AppData\Local\Temp\cmd.exe
\Users\Admin\AppData\Local\Temp\cmd.exe
memory/1404-10-0x0000000005570000-0x000000000560F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cmd.exe
memory/832-11-0x0000000000000000-mapping.dmp
memory/832-13-0x0000000000400000-0x000000000049F000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
memory/1432-15-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
memory/832-18-0x00000000001B0000-0x00000000001CF000-memory.dmp
memory/832-19-0x00000000001E0000-0x00000000001E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-09-16 07:31
Reported
2020-09-16 07:33
Platform
win10
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\svm.job | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\Data Analytics Services Consulting Pte. Ltd.exe | "C:\Users\Admin\AppData\Local\Temp\Data Analytics Services Consulting Pte. Ltd.exe" |
| C:\Windows\SysWOW64\ipconfig.exe | "C:\Windows\system32\ipconfig.exe" |
| C:\Users\Admin\AppData\Local\Temp\cmd.exe | "C:\Users\Admin\AppData\Local\Temp\cmd.exe" |
| C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe" |
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | i.imgur.com | udp |
| N/A | 151.101.36.193:443 | i.imgur.com | tcp |
| N/A | 93.184.221.240:80 | ctldl.windowsupdate.com | tcp |
| N/A | 93.184.220.29:80 | ocsp.digicert.com | tcp |
| N/A | 131.188.40.189:80 | 131.188.40.189 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.203.47:443 | api.ipify.org | tcp |
| N/A | 176.9.75.110:80 | 176.9.75.110 | tcp |
| N/A | 37.157.254.114:443 | | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 81.17.30.33:80 | 81.17.30.33 | tcp |
| N/A | 151.237.185.110:80 | 151.237.185.110 | tcp |
| N/A | 178.254.31.125:80 | 178.254.31.125 | tcp |
| N/A | 66.230.230.230:80 | 66.230.230.230 | tcp |
| N/A | 176.123.5.150:80 | 176.123.5.150 | tcp |
| N/A | 92.38.163.21:443 | | tcp |
| N/A | 209.141.39.33:80 | 209.141.39.33 | tcp |
| N/A | 217.170.205.14:80 | 217.170.205.14 | tcp |
| N/A | 127.0.0.1:32767 | | tcp |
Files
memory/204-0-0x0000000000000000-mapping.dmp
memory/204-1-0x0000000006840000-0x00000000068C2000-memory.dmp
memory/204-2-0x0000000006EA0000-0x0000000006F3F000-memory.dmp
memory/1960-3-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cmd.exe
memory/1960-5-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2636-6-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
C:\Users\Admin\AppData\Local\Temp\x64btit.txt