Analysis
- max time kernel: 152s
- max time network: 135s
- platform: windows10_x64
- resource: win10
- submitted: 08-10-2020 09:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: isb777amx.bin.exe
- Resource: win7
General
- Target: isb777amx.bin.exe
- Size: 728KB
- MD5: 5082932c741a5ff379de1c3f2edf1321
- SHA1: a5a5f96142c6b7ca25fc451a45e9964ff4f6cd89
- SHA256: 111b63f31d1e6855b0bc722107ac4f5668a7f115fd45654625eb41a6160828c6
- SHA512: c5470d084ba78aab5464cb2f48eb97fa2f19633834cf6cdfe2f272ae1ab7c639c2176db493511f76cb0ffa58f1b39e9bcbdeec6bc20219cfc3891c395f7a7f4e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: GetX64BTIT.exe (PID 1500)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 12 -> api.ipify.org; flow 13 -> api.ipify.org
- Suspicious behavior: EnumeratesProcesses (8110 IoCs)
  Processes: isb777amx.bin.exe (PID 2920); every listed event originates from this one process
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: isb777amx.bin.exe (PID 2920)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: PID 2920 (isb777amx.bin.exe) wrote to memory of PID 1500 (GetX64BTIT.exe), recorded twice
Processes
- Level 1: "C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe" (PID 2920)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 2 (child of PID 2920): "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe" (PID 1500)
  - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  MD5: 2f7cd93362177533ed5eedf1bcf55ad2
  SHA1: c4135fcf4be9d57503fce7b086bf519faefc27c4
  SHA256: f87ea36ae6cb5d1bbdfe9e3374cf0eb306d759ec334060f62bb3cf9f758e8b6d
  SHA512: 8d3c4511cfa65595272b9cd6a201445e4c0e24c15402fca63efbfb8cc6d829b8ed149d5c38c0758b87a9616d7a1b171889c7dbea846928d72719481b122b92e6
- memory/1500-2-0x0000000000000000-mapping.dmp
- memory/2920-0-0x00000000071AA000-0x00000000071AB000-memory.dmp
  Filesize: 4KB
- memory/2920-1-0x0000000008C90000-0x0000000008C91000-memory.dmp
  Filesize: 4KB