Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows7_x64
- resource: win7
- submitted: 08-10-2020 09:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: osi.exe
- Resource: win7
General
- Target: osi.exe
- Size: 991KB
- MD5: 918b4df1f8d7b1e18e3e8fccdef3f5de
- SHA1: 9b8f84e2d239252c83d89c3179f53893574c97a1
- SHA256: 62bd38c89d1a30b03bd89a788d9f2852659f77715c97e5c12445c33f43fa13e5
- SHA512: bd6f8633285547160039a0730f936944f47336af5eda702332de7c23c6eefc2b3a19160dd235d1b5e18ecaefd9949ee847a1875949beac921f5890b6d3f841b8
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
  - 300 cmd.exe
  - 324 GetX64BTIT.exe
  - 2024 907402218.exe
- Loads dropped DLL (4 IoCs)
  Processes (PID, process):
  - 1100 extrac32.exe
  - 300 cmd.exe (listed 3 times)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, IoC):
  - flow 13: api.ipify.org
  - flow 14: api.ipify.org
- Drops file in Windows directory (1 IoC)
  Processes (description, IoC, process):
  - File created: C:\Windows\Tasks\notepad.job by cmd.exe
- Modifies Internet Explorer settings
  Processes (description, IoC, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 by cmd.exe
- Suspicious behavior: EnumeratesProcesses (1731 IoCs)
  Processes (PID, process):
  - 1164 osi.exe
  - 1100 extrac32.exe
  - 300 cmd.exe (repeated entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (PID, process):
  - 1100 extrac32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (PID, process):
  - 300 cmd.exe
- Suspicious use of WriteProcessMemory (89 IoCs)
  Processes (description, PID, process, target process):
  - PID 1164 wrote to memory of 1100: osi.exe into extrac32.exe (repeated entries)
  - PID 1100 wrote to memory of 300: extrac32.exe into cmd.exe (repeated entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\osi.exe (command line: "C:\Users\Admin\AppData\Local\Temp\osi.exe"), PID 1164
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\extrac32.exe (command line: "C:\Windows\system32\extrac32.exe"), PID 1100
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\cmd.exe (command line: "C:\Users\Admin\AppData\Local\Temp\cmd.exe"), PID 300
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"), PID 324
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\907402218.exe (command line: "907402218.exe"), PID 2024
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads