Analysis Overview
SHA256
111b63f31d1e6855b0bc722107ac4f5668a7f115fd45654625eb41a6160828c6
Threat Level: Known bad
The file isb777amx.bin was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2020-10-08 09:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-10-08 09:34
Reported
2020-10-08 09:36
Platform
win7
Max time kernel
151s
Max time network
128s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1584 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1584 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1584 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1584 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
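The four identical WriteProcessMemory rows above are four separate write calls from the dropper (PID 1584) into the child it just dropped and launched (PID 1952). An analyst triaging this wants the chain collapsed into one edge with a write count and cross-referenced against the "Executes dropped EXE" rows. The script below does that; it is an added example, not the sandbox vendor's code. The rows are copied from the behavioral1 tables, while the parsing, counting and verdict text are the editor's own assumptions about how to triage such rows.

```python
"""Collapse 'Suspicious use of WriteProcessMemory' rows into parent->child write edges.
Added example: rows are copied from the behavioral1 report; parsing/verdict logic is the editor's."""
import re
from collections import Counter

# Constructed from the behavioral1 Signatures section (Description | Indicator | Process | Target).
WPM_ROWS = r"""
| Description | Indicator | Process | Target |
| PID 1584 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1584 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1584 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1584 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
"""

DROPPED_EXE_ROWS = r"""
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_rows(table):
    """Split '| a | b | c | d |' lines into stripped cells and drop the header row."""
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")]
            for ln in table.splitlines() if ln.strip().startswith("|")]
    return rows[1:]


def write_edges(table):
    """{(src_pid, dst_pid, src_path, dst_path): writes}. Identical rows are separate calls, so count them."""
    edges = Counter()
    for desc, _indicator, proc, target in parse_rows(table):
        m = WPM_RE.search(desc)
        if m:
            edges[(int(m.group(1)), int(m.group(2)), proc, target)] += 1
    return edges


def basename(path):
    return path.rsplit("\\", 1)[-1]


def assess(wpm_table, dropped_table):
    """One finding per edge; a multi-write edge into a freshly dropped EXE is the injection-shaped case."""
    dropped = {row[2] for row in parse_rows(dropped_table)}
    findings = []
    for (src, dst, sproc, tproc), n in sorted(write_edges(wpm_table).items()):
        into_dropped = tproc in dropped
        findings.append({
            "parent_pid": src, "child_pid": dst,
            "parent": basename(sproc), "child": basename(tproc),
            "writes": n,
            "child_is_dropped_exe": into_dropped,
            # Caveat (editor's wording): the report records only the writes. Without
            # unmap/SetThreadContext events this is a cross-process write, not proven hollowing.
            "verdict": ("repeated writes into dropped child" if into_dropped and n > 1
                        else "cross-process write"),
        })
    return findings


if __name__ == "__main__":
    for f in assess(WPM_ROWS, DROPPED_EXE_ROWS):
        print(f)
```

A single parent writing into a child it has just created is also what legitimate launchers and debuggers do, so the signal here is the combination: the target is a file the sample itself dropped to %TEMP%, it is written to several times, and it then runs as its own process.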
Processes
C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe
"C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 193.23.244.244:80 | 193.23.244.244 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.195.221:443 | api.ipify.org | tcp |
| N/A | 193.234.225.62:80 | 193.234.225.62 | tcp |
| N/A | 209.97.148.185:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 51.81.82.227:80 | 51.81.82.227 | tcp |
| N/A | 185.220.102.247:80 | 185.220.102.247 | tcp |
| N/A | 51.81.32.194:80 | 51.81.32.194 | tcp |
| N/A | 92.223.93.144:80 | 92.223.93.144 | tcp |
| N/A | 68.183.182.89:80 | 68.183.182.89 | tcp |
| N/A | 176.123.7.145:80 | 176.123.7.145 | tcp |
| N/A | 91.219.237.117:80 | 91.219.237.117 | tcp |
| N/A | 185.38.175.71:80 | 185.38.175.71 | tcp |
| N/A | 217.170.206.138:80 | 217.170.206.138 | tcp |
| N/A | 195.189.96.79:443 | N/A | tcp |
| N/A | 212.199.61.5:80 | 212.199.61.5 | tcp |
| N/A | 185.2.31.8:443 | N/A | tcp |
| N/A | 40.122.165.48:80 | 40.122.165.48 | tcp |
| N/A | 31.220.3.104:80 | 31.220.3.104 | tcp |
| N/A | 172.105.199.17:80 | 172.105.199.17 | tcp |
| N/A | 144.217.92.215:443 | N/A | tcp |
| N/A | 193.234.15.60:80 | 193.234.15.60 | tcp |
| N/A | 94.16.122.65:443 | 94.16.122.65 | tcp |
| N/A | 89.41.173.138:80 | 89.41.173.138 | tcp |
| N/A | 45.95.235.86:443 | N/A | tcp |
| N/A | 78.47.226.12:80 | 78.47.226.12 | tcp |
| N/A | 209.141.52.11:443 | N/A | tcp |
| N/A | 172.104.208.190:80 | 172.104.208.190 | tcp |
| N/A | 5.252.176.20:80 | 5.252.176.20 | tcp |
| N/A | 51.83.37.40:80 | 51.83.37.40 | tcp |
| N/A | 194.187.249.116:443 | N/A | tcp |
| N/A | 46.29.248.238:80 | 46.29.248.238 | tcp |
| N/A | 134.119.36.135:80 | 134.119.36.135 | tcp |
| N/A | 51.81.83.163:80 | 51.81.83.163 | tcp |
| N/A | 144.76.168.36:443 | N/A | tcp |
| N/A | 51.81.83.152:80 | 51.81.83.152 | tcp |
| N/A | 51.15.187.209:80 | 51.15.187.209 | tcp |
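Most of the network rows above share one shape: a TCP connection straight to an IP on 80 or 443 with no hostname ever resolved, alongside a handful of named destinations (DNS to 8.8.8.8, the api.ipify.org public-IP echo, and time-a.nist.gov on port 13, the RFC 867 daytime service). The script below sorts a subset of those rows into those classes and derives a blocklist from the direct-to-IP set. It is an added example, not the sandbox's code; the embedded rows are a subset copied from the behavioral1 table, and the class names, the list of IP-echo services beyond api.ipify.org and the time-port set are the editor's assumptions.

```python
"""Classify sandbox Network rows into triage classes and derive a blocklist.
Added example: rows are a subset of the behavioral1 table; classes and service lists are the editor's."""
import ipaddress
from collections import defaultdict

# Constructed subset of the behavioral1 Network rows (Country | Destination | Domain | Proto).
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| N/A | 193.23.244.244:80 | 193.23.244.244 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.195.221:443 | api.ipify.org | tcp |
| N/A | 193.234.225.62:80 | 193.234.225.62 | tcp |
| N/A | 209.97.148.185:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 51.81.82.227:80 | 51.81.82.227 | tcp |
| N/A | 185.220.102.247:80 | 185.220.102.247 | tcp |
"""

# api.ipify.org is on the page; the other IP-echo services are the editor's additions.
IP_ECHO_SERVICES = {"api.ipify.org", "checkip.amazonaws.com", "icanhazip.com", "ifconfig.me"}
# daytime (RFC 867), time (RFC 868), NTP; editor's assumption about which ports count as clock checks.
TIME_PORTS = {("tcp", 13), ("tcp", 37), ("udp", 123)}


def parse_rows(table):
    """Split pipe-table lines into stripped cells and drop the header row."""
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")]
            for ln in table.splitlines() if ln.strip().startswith("|")]
    return rows[1:]


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(table):
    """Return {class: [(ip, port, hostname_or_None), ...]} for every destination row."""
    out = defaultdict(list)
    for _country, dest, domain, proto in parse_rows(table):
        ip, port = dest.rsplit(":", 1)
        port = int(port)
        # The Domain column repeats the IP when no name was resolved; treat that as 'no hostname'.
        hostname = None if domain in ("", "N/A") or is_ip(domain) else domain
        if proto == "udp" and port == 53:
            cls = "dns_query"
        elif (proto, port) in TIME_PORTS:
            cls = "time_check"           # clock lookup; also a cheap way to detect a frozen sandbox clock
        elif hostname in IP_ECHO_SERVICES:
            cls = "external_ip_lookup"   # victim's public IP, typically reported back to C2
        elif hostname is None:
            cls = "direct_to_ip"         # hard-coded host, no DNS seen: peer/C2 list material
        else:
            cls = "named_host"
        out[cls].append((ip, port, hostname))
    return dict(out)


def blocklist(table):
    """Direct-to-IP destinations are the block candidates; DNS, ipify and NIST are shared infrastructure."""
    ips = {ip for ip, _port, _host in classify(table).get("direct_to_ip", [])}
    return sorted(ips, key=ipaddress.ip_address)


if __name__ == "__main__":
    for cls, hits in classify(NETWORK_ROWS).items():
        print(cls, len(hits))
    print(blocklist(NETWORK_ROWS))
```

The sandbox tags the sample as Osiris, a Kronos successor publicly reported to route its C2 over Tor, and a long list of direct-to-IP connections with no resolution is what a relay or peer list looks like on the wire. The report itself does not identify these hosts, so treat the direct-to-IP set as blocklist candidates and as input to a Tor relay/exit lookup, not as confirmed C2. Blocking 8.8.8.8, api.ipify.org or time-a.nist.gov would only generate noise.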
Files
memory/1584-0-0x000000000703D000-0x000000000703E000-memory.dmp
memory/1584-1-0x0000000008840000-0x0000000008851000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1952-3-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 9b9b8a7326207241c39ae931d9249a32 |
| SHA1 | eb137a05b7b43a03d72c5bc99df0ceb4e9d3e68c |
| SHA256 | 251fef07ed8d505a75fd7965c9bd4de38ae079f38b361c28646f65568c14ac2d |
| SHA512 | c0594e1c7511fed8e67d1e0b7f053a9dbac5ad4751eff89d1011f37d26cb73d68b3e18f6a302c75afcf3c97b045a12ab4adab3760298aef96fdf26d101f07d16 |
memory/1584-6-0x0000000000290000-0x00000000002AE000-memory.dmp
memory/1584-7-0x00000000003E0000-0x00000000003E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-10-08 09:34
Reported
2020-10-08 09:36
Platform
win10
Max time kernel
152s
Max time network
135s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2920 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 2920 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe
"C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 193.23.244.244:80 | 193.23.244.244 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.98.120:443 | api.ipify.org | tcp |
| N/A | 206.55.74.0:80 | 206.55.74.0 | tcp |
| N/A | 95.216.170.68:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 5.252.176.20:80 | 5.252.176.20 | tcp |
| N/A | 83.97.20.248:80 | N/A | tcp |
| N/A | 95.153.31.26:80 | 95.153.31.26 | tcp |
| N/A | 208.68.4.129:80 | 208.68.4.129 | tcp |
| N/A | 144.202.15.161:443 | N/A | tcp |
| N/A | 199.249.230.154:80 | 199.249.230.154 | tcp |
| N/A | 109.70.100.5:80 | 109.70.100.5 | tcp |
| N/A | 91.233.116.119:80 | 91.233.116.119 | tcp |
| N/A | 23.129.64.183:80 | 23.129.64.183 | tcp |
| N/A | 199.195.249.57:80 | 199.195.249.57 | tcp |
| N/A | 82.118.242.147:80 | 82.118.242.147 | tcp |
| N/A | 46.166.128.173:443 | 46.166.128.173 | tcp |
| N/A | 209.250.2.254:80 | 209.250.2.254 | tcp |
| N/A | 46.167.244.59:80 | 46.167.244.59 | tcp |
| N/A | 46.165.245.154:443 | N/A | tcp |
| N/A | 195.37.209.9:80 | 195.37.209.9 | tcp |
| N/A | 23.129.64.182:80 | 23.129.64.182 | tcp |
| N/A | 119.59.110.192:80 | 119.59.110.192 | tcp |
| N/A | 198.251.89.198:80 | 198.251.89.198 | tcp |
| N/A | 217.69.13.24:443 | N/A | tcp |
| N/A | 50.7.151.47:80 | 50.7.151.47 | tcp |
| N/A | 94.100.6.27:80 | 94.100.6.27 | tcp |
| N/A | 176.10.99.208:80 | 176.10.99.208 | tcp |
| N/A | 185.220.103.4:443 | N/A | tcp |
| N/A | 217.182.196.68:80 | 217.182.196.68 | tcp |
| N/A | 54.38.52.101:80 | 54.38.52.101 | tcp |
| N/A | 195.135.194.134:80 | 195.135.194.134 | tcp |
| N/A | 198.98.54.14:443 | N/A | tcp |
| N/A | 216.24.242.34:80 | 216.24.242.34 | tcp |
| N/A | 51.89.143.155:80 | 51.89.143.155 | tcp |
| N/A | 91.203.5.165:80 | 91.203.5.165 | tcp |
| N/A | 84.129.95.50:443 | N/A | tcp |
| N/A | 51.81.83.161:80 | 51.81.83.161 | tcp |
| N/A | 51.81.83.157:80 | 51.81.83.157 | tcp |
Files
memory/2920-0-0x00000000071AA000-0x00000000071AB000-memory.dmp
memory/2920-1-0x0000000008C90000-0x0000000008C91000-memory.dmp
memory/1500-2-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 2f7cd93362177533ed5eedf1bcf55ad2 |
| SHA1 | c4135fcf4be9d57503fce7b086bf519faefc27c4 |
| SHA256 | f87ea36ae6cb5d1bbdfe9e3374cf0eb306d759ec334060f62bb3cf9f758e8b6d |
| SHA512 | 8d3c4511cfa65595272b9cd6a201445e4c0e24c15402fca63efbfb8cc6d829b8ed149d5c38c0758b87a9616d7a1b171889c7dbea846928d72719481b122b92e6 |