Analysis Overview
SHA256
01d5f1b32235b5d5ba5970d56639d82aa3d83b57ec08c79b3580fd0c88ef1c29
Threat Level: Known bad
The file osiris.exe was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Uses Tor communications
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-02-11 12:07
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-02-11 12:07
Reported
2021-02-11 12:09
Platform
win10v20201028
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\osiris.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4808 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 4808 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\osiris.exe
"C:\Users\Admin\AppData\Local\Temp\osiris.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 193.23.244.244:80 | | tcp |
| N/A | 194.109.206.212:80 | | tcp |
| N/A | 193.23.244.244:80 | | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.243.164.148:443 | api.ipify.org | tcp |
| N/A | 193.23.244.244:80 | | tcp |
| N/A | 128.31.0.34:9131 | 128.31.0.34 | tcp |
| N/A | 37.120.174.249:80 | 37.120.174.249 | tcp |
| N/A | 45.128.133.242:443 | | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 209.141.59.180:80 | 209.141.59.180 | tcp |
| N/A | 195.80.151.30:80 | 195.80.151.30 | tcp |
| N/A | 185.4.132.148:80 | 185.4.132.148 | tcp |
| N/A | 209.141.53.10:80 | 209.141.53.10 | tcp |
| N/A | 193.218.118.62:80 | 193.218.118.62 | tcp |
| N/A | 172.104.136.137:443 | | tcp |
| N/A | 178.162.194.210:443 | 178.162.194.210 | tcp |
| N/A | 193.234.15.60:80 | 193.234.15.60 | tcp |
| N/A | 54.39.16.73:80 | 54.39.16.73 | tcp |
| N/A | 50.7.74.171:80 | 50.7.74.171 | tcp |
| N/A | 149.56.233.142:443 | | tcp |
| N/A | 192.160.102.164:80 | 192.160.102.164 | tcp |
| N/A | 109.70.100.13:80 | 109.70.100.13 | tcp |
| N/A | 172.81.131.111:80 | 172.81.131.111 | tcp |
| N/A | 141.98.136.79:443 | | tcp |
| N/A | 185.80.222.164:80 | 185.80.222.164 | tcp |
| N/A | 23.81.66.90:80 | 23.81.66.90 | tcp |
Files
memory/3424-2-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
|---|---|
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
|---|---|
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| Hash | Value |
|---|---|
| MD5 | 86b4b4bb58e9b33f53de7ae2260835c3 |
| SHA1 | 55e17d13537076d5c267dc3c6572ff653e0591e2 |
| SHA256 | 8826ea90454c3a3c566c243fcc2ce5e528006c7cbc925a4fc79cc8c7f9327630 |
| SHA512 | 79103136af90443917f2666920c08aceffe52730b9da2a98514f8296a0a296ea081fdefd34d4aa3ccdec68e2d2256cb26160639e7d0091af289044dd84b08d9c |
Analysis: behavioral1
Detonation Overview
Submitted
2021-02-11 12:07
Reported
2021-02-11 12:09
Platform
win7v20201028
Max time kernel
151s
Max time network
144s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\osiris.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\osiris.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 792 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 792 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 792 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 792 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\osiris.exe
"C:\Users\Admin\AppData\Local\Temp\osiris.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 199.58.81.140:80 | 199.58.81.140 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.140.41:443 | api.ipify.org | tcp |
| N/A | 109.70.100.24:80 | 109.70.100.24 | tcp |
| N/A | 79.134.235.243:443 | | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 109.70.100.20:80 | 109.70.100.20 | tcp |
| N/A | 104.218.63.74:80 | 104.218.63.74 | tcp |
| N/A | 178.17.170.149:80 | 178.17.170.149 | tcp |
| N/A | 104.244.73.85:80 | 104.244.73.85 | tcp |
| N/A | 135.148.33.112:80 | 135.148.33.112 | tcp |
| N/A | 192.52.167.71:443 | | tcp |
| N/A | 54.38.219.251:80 | 54.38.219.251 | tcp |
| N/A | 193.29.35.205:80 | 193.29.35.205 | tcp |
| N/A | 107.189.10.143:80 | 107.189.10.143 | tcp |
| N/A | 109.248.149.155:443 | | tcp |
| N/A | 130.193.15.49:80 | 130.193.15.49 | tcp |
| N/A | 46.166.161.21:443 | | tcp |
| N/A | 89.35.34.33:80 | 89.35.34.33 | tcp |
| N/A | 149.202.208.203:443 | | tcp |
Files
memory/792-2-0x00000000765E1000-0x00000000765E3000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
|---|---|
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1268-4-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
|---|---|
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| Hash | Value |
|---|---|
| MD5 | b72a722fcb48f103a08800a76dc0dbf4 |
| SHA1 | e2192ef4d2abf227843ebca141b5ab358a4f941e |
| SHA256 | 319d60c12cf2e7997bb15859b7096869f2eaa015569c203c2c122a8b35daa8a9 |
| SHA512 | ac1f86ae7010ff483951fdbe3669b2039c47463ec834c22f426c3f763abba408d7aee5d43c7c3e166872102ae48c497a343ab42aa5bfef53dd0f31f9ffd2d916 |