Analysis Overview
SHA256
62bd38c89d1a30b03bd89a788d9f2852659f77715c97e5c12445c33f43fa13e5
Threat Level: Known bad
The file osi.exe was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Drops file in Windows directory
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-10-08 09:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-10-08 09:01
Reported
2020-10-08 09:03
Platform
win7
Max time kernel
151s
Max time network
151s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\907402218.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\extrac32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\notepad.job | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\extrac32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\osi.exe
"C:\Users\Admin\AppData\Local\Temp\osi.exe"
C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\system32\extrac32.exe"
C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
C:\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\907402218.exe
"907402218.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\cmd.exe
| MD5 | ad7b9c14083b52bc532fba5948342b98 |
| SHA1 | ee8cbf12d87c4d388f09b4f69bed2e91682920b5 |
| SHA256 | 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae |
| SHA512 | e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1 |
C:\Users\Admin\AppData\Local\Temp\cmd.exe
| MD5 | ad7b9c14083b52bc532fba5948342b98 |
| SHA1 | ee8cbf12d87c4d388f09b4f69bed2e91682920b5 |
| SHA256 | 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae |
| SHA512 | e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1 |
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 3ac29e1fd2da4b6e3b3b4b30ca6e83cf |
| SHA1 | 08c76853bb83949e26a2c9d59e6ef244d1cd74f8 |
| SHA256 | b8b658921e91f7ea33378f73bba6eb95d0eb5d0448051b504bf099657f2bd902 |
| SHA512 | adec073fb527a4e485e1c1fd2a86ba0b7bf0b57f4963c3997a3446c18ae574e6b259ed9d2e41172ca8460abe455a00f9afe4be5bbf5553c4242e3d33cae6c47e |
\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\938250656.dll
| MD5 | 62cdc3a40d41de66201353fca4a24feb |
| SHA1 | 46ac41a725f669b0ca0a8fed7f3ccb6c190594f1 |
| SHA256 | 6eb970a56420a3a3b101661ec5cdda5952cef5887f45a837d4a10db51930935c |
| SHA512 | c046c9035ea542fed3789bc6c92712d4d59f32b7527df9cd53297cb8aab9bfc22a0666b590bbeb955fa2a3858d0d43588b76433796cc4d121bb07298c95dbd6f |
\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\907402218.exe
| MD5 | 9f385a9a69a4d9e18055743f0694976b |
| SHA1 | 2c2385ea964a33f803e96e364d4a05771c733921 |
| SHA256 | 45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216 |
| SHA512 | e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c |
C:\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\907402218.exe
| MD5 | 9f385a9a69a4d9e18055743f0694976b |
| SHA1 | 2c2385ea964a33f803e96e364d4a05771c733921 |
| SHA256 | 45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216 |
| SHA512 | e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c |
Analysis: behavioral2
Detonation Overview
Submitted
2020-10-08 09:01
Reported
2020-10-08 09:03
Platform
win10v200722
Max time kernel
150s
Max time network
141s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{AB8E79CE-C1DD-4E14-AF39-E4A6EF6EBC98}\389103876.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\notepad.job | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\extrac32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\osi.exe
"C:\Users\Admin\AppData\Local\Temp\osi.exe"
C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\system32\extrac32.exe"
C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
C:\Users\Admin\AppData\Local\Temp\{AB8E79CE-C1DD-4E14-AF39-E4A6EF6EBC98}\389103876.exe
"389103876.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\cmd.exe
| MD5 | 50b930137463b14f73186c7c6767a2aa |
| SHA1 | 574f512a44097275658f9c304ef0b74029e9ea46 |
| SHA256 | eb51a0c96f7de6ce8bb0386429fff83bf95cb23fa61efe499b416f1cb0fc71c9 |
| SHA512 | 7f09ca777189d95d7ca0665a29c800a5228a93437b1067d7276e05d6da07bc6adc9644f545dc35ea0267dd8e7e312b414c9a613001e4f1d600bb481d4cbff872 |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | d27476f5f9626928a12072a824f44cb6 |
| SHA1 | 22dc38c2270f87cb9583cd5e95509809ee7ef5fa |
| SHA256 | bb0fde339876b1a45fed2c12842efef3de8c3915719cb545e20d3aa041302925 |
| SHA512 | 01766aa4a543fde5f822b61dc7b2e3be6b8a9ab16fb49cf052ba1227889c61e027c0646ebb9f5fd2bd64758977caac91e1b3532d30db8609af8dc907db2906b5 |
\Users\Admin\AppData\Local\Temp\{AB8E79CE-C1DD-4E14-AF39-E4A6EF6EBC98}\854122851.dll
| MD5 | 62cdc3a40d41de66201353fca4a24feb |
| SHA1 | 46ac41a725f669b0ca0a8fed7f3ccb6c190594f1 |
| SHA256 | 6eb970a56420a3a3b101661ec5cdda5952cef5887f45a837d4a10db51930935c |
| SHA512 | c046c9035ea542fed3789bc6c92712d4d59f32b7527df9cd53297cb8aab9bfc22a0666b590bbeb955fa2a3858d0d43588b76433796cc4d121bb07298c95dbd6f |
C:\Users\Admin\AppData\Local\Temp\{AB8E79CE-C1DD-4E14-AF39-E4A6EF6EBC98}\389103876.exe
| MD5 | 9f385a9a69a4d9e18055743f0694976b |
| SHA1 | 2c2385ea964a33f803e96e364d4a05771c733921 |
| SHA256 | 45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216 |
| SHA512 | e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c |