Analysis Overview
SHA256
111b63f31d1e6855b0bc722107ac4f5668a7f115fd45654625eb41a6160828c6
Threat Level: Known bad
The file isb777amx.bin was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2020-11-03 13:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-03 13:56
Reported
2020-11-03 14:06
Platform
win7v20201028
Max time kernel
600s
Max time network
583s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 2036 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 2036 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 2036 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe
"C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 128.31.0.34:9131 | 128.31.0.34 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.126.66:443 | api.ipify.org | tcp |
| N/A | 181.119.30.26:80 | 181.119.30.26 | tcp |
| N/A | 172.105.104.136:443 | | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 46.166.128.173:443 | 46.166.128.173 | tcp |
| N/A | 18.18.248.40:443 | | tcp |
| N/A | 45.154.35.216:80 | 45.154.35.216 | tcp |
| N/A | 109.107.35.154:80 | 109.107.35.154 | tcp |
| N/A | 31.131.4.171:80 | 31.131.4.171 | tcp |
| N/A | 185.10.68.231:80 | 185.10.68.231 | tcp |
| N/A | 81.17.30.48:80 | 81.17.30.48 | tcp |
| N/A | 198.245.50.175:80 | 198.245.50.175 | tcp |
| N/A | 46.29.250.27:80 | 46.29.250.27 | tcp |
| N/A | 195.154.237.147:80 | 195.154.237.147 | tcp |
| N/A | 176.10.99.203:80 | 176.10.99.203 | tcp |
| N/A | 13.53.172.106:443 | | tcp |
| N/A | 93.115.26.181:80 | 93.115.26.181 | tcp |
| N/A | 195.154.250.239:80 | 195.154.250.239 | tcp |
| N/A | 94.21.155.191:80 | | tcp |
| N/A | 192.42.116.16:80 | 192.42.116.16 | tcp |
| N/A | 95.217.6.94:443 | | tcp |
| N/A | 140.238.168.214:80 | 140.238.168.214 | tcp |
| N/A | 192.99.35.91:80 | 192.99.35.91 | tcp |
| N/A | 95.217.15.17:80 | 95.217.15.17 | tcp |
| N/A | 87.71.138.31:443 | | tcp |
| N/A | 209.141.38.163:80 | 209.141.38.163 | tcp |
| N/A | 172.105.61.212:443 | | tcp |
| N/A | 64.225.14.110:80 | 64.225.14.110 | tcp |
| N/A | 193.169.145.202:443 | | tcp |
| N/A | 213.239.213.190:80 | 213.239.213.190 | tcp |
| N/A | 62.102.148.69:80 | 62.102.148.69 | tcp |
| N/A | 50.7.151.47:80 | 50.7.151.47 | tcp |
| N/A | 83.97.20.39:443 | | tcp |
| N/A | 185.204.0.149:80 | 185.204.0.149 | tcp |
| N/A | 80.127.118.58:80 | | tcp |
| N/A | 81.16.33.33:80 | 81.16.33.33 | tcp |
| N/A | 5.9.98.43:443 | | tcp |
| N/A | 178.17.170.149:80 | 178.17.170.149 | tcp |
| N/A | 139.28.38.223:80 | 139.28.38.223 | tcp |
| N/A | 158.69.63.54:80 | 158.69.63.54 | tcp |
| N/A | 216.244.85.26:443 | | tcp |
| N/A | 109.70.100.19:80 | 109.70.100.19 | tcp |
| N/A | 178.73.220.18:443 | | tcp |
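Triage helper, added here as an example; it is not part of the sandbox report and not the sandbox's own tooling. It parses rows in the shape of the Network table above (a subset of the report's rows is embedded as the sample, including one row in the misaligned form the extraction produced, where the protocol landed in the Domain column), buckets each connection as a DNS query, an external-IP lookup, a time check, or a bare-IP connection with no preceding name resolution, and returns the destinations worth hunting on. The list of "what is my IP" services and the resolver list are assumptions to extend from your own allowlists.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: rows copied from the report's Network table, plus one
# row kept in the misaligned form the page extraction produced ("| tcp | |").
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| N/A | 128.31.0.34:9131 | 128.31.0.34 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.126.66:443 | api.ipify.org | tcp |
| N/A | 181.119.30.26:80 | 181.119.30.26 | tcp |
| N/A | 172.105.104.136:443 | tcp | |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 46.166.128.173:443 | 46.166.128.173 | tcp |
"""

PROTOS = {"tcp", "udp"}
# Assumed list of public "what is my IP" services; extend from your own allowlist.
EXTERNAL_IP_SERVICES = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com"}
TIME_PORTS = {13, 37, 123}          # daytime, time, ntp
RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}  # assumed public resolvers
DEST_RE = re.compile(r"^(?P<ip>[0-9.]+):(?P<port>\d{1,5})$")


def parse_rows(table: str) -> list[dict]:
    """Parse pipe-delimited Network rows; skip the header; repair shifted rows."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().split("|")]
        if cells and cells[0] == "":
            cells = cells[1:]          # drop the outer leading pipe
        if cells and cells[-1] == "":
            cells = cells[:-1]         # drop the outer trailing pipe
        cells += [""] * (4 - len(cells))  # pad short rows (missing trailing cell)
        _country, dest, domain, proto = cells[:4]
        m = DEST_RE.match(dest)
        if not m:
            continue                   # header row or non-connection line
        # An empty Domain cell collapsed during extraction, shifting proto left.
        if domain in PROTOS and proto == "":
            domain, proto = "", domain
        ip = str(ipaddress.ip_address(m.group("ip")))  # raises on garbage
        rows.append({"ip": ip, "port": int(m.group("port")),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(row: dict) -> str:
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    if row["domain"] in EXTERNAL_IP_SERVICES:
        return "external_ip_lookup"
    if row["port"] in TIME_PORTS or row["domain"].endswith(".nist.gov"):
        return "time_check"
    if row["domain"] == "" or row["domain"] == row["ip"]:
        return "direct_ip"             # no name resolution preceded this connect
    return "resolved"


def summarize(rows: list[dict]) -> dict:
    return dict(Counter(classify(r) for r in rows))


def dns_queries(rows: list[dict]) -> list[str]:
    return sorted({r["domain"] for r in rows if classify(r) == "dns"})


def network_iocs(rows: list[dict]) -> list[str]:
    """ip:port pairs worth blocking or hunting: bare-IP and resolved connections,
    excluding the resolver, IP-lookup services and time services."""
    iocs = set()
    for r in rows:
        if classify(r) in {"direct_ip", "resolved"} and r["ip"] not in RESOLVERS:
            iocs.add(f"{r['ip']}:{r['port']}")
    return sorted(iocs)


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_TABLE)
    print("categories:", summarize(parsed))
    print("dns queries:", dns_queries(parsed))
    print("network IOCs:", network_iocs(parsed))
```

The external-IP lookup and the daytime check are kept out of the IOC list on purpose: they are legitimate services and would only generate noise in a blocklist, but they remain useful as behavioural indicators, so the summary counts them separately. The bare-IP connections (most of the report's rows) are the ones to pivot on.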
Files
memory/2036-0-0x000000000705D000-0x000000000705E000-memory.dmp
memory/2036-1-0x0000000008860000-0x0000000008871000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/744-3-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | fa457f4883c7ffefd87bddc9d234e5af |
| SHA1 | ff0695b7d525a42ad5fd1c8d0d696fb4e91c3687 |
| SHA256 | debb2cad280f05addfa4e55a5e7c9ff94856909ccad093594e121d80c128fa31 |
| SHA512 | fd249acab9c67fc4d564c74460b1e895ba052bbb6edbb372142157d8230c763942d403278ea05714fca35bfebe25b5f952cd5a965305c6073441d76243e4861a |
memory/2036-6-0x0000000007020000-0x000000000703E000-memory.dmp
memory/2036-7-0x00000000002C0000-0x00000000002C1000-memory.dmp