Analysis
-
max time kernel
151s -
max time network
122s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
28-01-2021 11:56
General
-
Target
6729001591617.bin.exe
-
Size
3.6MB
-
MD5
8e8f7ff797c292231959e4dd410a98da
-
SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49
-
SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b
-
SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27
Malware Config
Signatures
-
Osiris
-
Executes dropped EXE 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2348 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe"C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe"C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1⤵
- Drops startup file
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exeMD5
b4cd27f2b37665f51eb9fe685ec1d373
SHA17f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA25691f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
C:\Users\Admin\AppData\Local\Temp\x64btit.txtMD5
cab2646d12422b439756b9c2fa3a33f4
SHA1ed61d2200b97e6ad340f099c7b12bb0882d80b2c
SHA2561130ace7f8377a70533907a4c1e956793b5722ce029b32816a8120b1184f62ea
SHA512646918acfe050a463f788e044a12434a3c558a048e3f5e4afc6a682d11b9d48e6e4870c10853f1e66f144300f28d375d0432e60ce547e893fce565c9501d7124
-
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exeMD5
b4cd27f2b37665f51eb9fe685ec1d373
SHA17f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA25691f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
memory/784-8-0x0000000000FA0000-0x000000000101B000-memory.dmpFilesize
492KB
-
memory/784-9-0x0000000002F40000-0x00000000030C0000-memory.dmpFilesize
1.5MB
-
memory/784-2-0x0000000075C61000-0x0000000075C63000-memory.dmpFilesize
8KB
-
memory/1512-14-0x0000000000000000-mapping.dmp
-
memory/1684-11-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/1684-12-0x00000000023A0000-0x0000000002449000-memory.dmpFilesize
676KB
-
memory/1684-10-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/1684-5-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/1684-4-0x0000000000000000-mapping.dmp
-
memory/1684-17-0x0000000000190000-0x0000000000191000-memory.dmpFilesize
4KB