Analysis Overview
SHA256
da767e6faf97d73997f397eae71b372a549dd6331bf8ec0ebd398ef8cfe9a47e
Threat Level: Known bad
The file c7c0d5c274eadf534eea3203e6c026258144c68e was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Uses Tor communications
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-02-16 15:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-02-16 15:33
Reported
2021-02-16 15:35
Platform
win7v20201028
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 732 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 732 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 732 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 732 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe
"C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 199.58.81.140:80 | 199.58.81.140 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.126.66:443 | api.ipify.org | tcp |
| N/A | 135.148.33.142:80 | 135.148.33.142 | tcp |
| N/A | 163.172.136.125:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 51.81.35.71:80 | 51.81.35.71 | tcp |
| N/A | 79.133.36.68:443 | N/A | tcp |
| N/A | 31.184.198.152:80 | 31.184.198.152 | tcp |
| N/A | 185.242.180.72:80 | 185.242.180.72 | tcp |
| N/A | 185.246.152.22:80 | 185.246.152.22 | tcp |
| N/A | 51.38.134.104:80 | 51.38.134.104 | tcp |
| N/A | 135.125.101.54:80 | 135.125.101.54 | tcp |
| N/A | 193.182.144.53:443 | N/A | tcp |
| N/A | 195.154.255.174:80 | 195.154.255.174 | tcp |
| N/A | 173.249.8.113:80 | 173.249.8.113 | tcp |
| N/A | 185.63.253.130:443 | N/A | tcp |
| N/A | 176.123.5.193:80 | 176.123.5.193 | tcp |
| N/A | 104.238.188.98:80 | N/A | tcp |
| N/A | 78.47.18.110:443 | 78.47.18.110 | tcp |
| N/A | 135.148.33.76:80 | 135.148.33.76 | tcp |
| N/A | 147.135.78.157:80 | 147.135.78.157 | tcp |
| N/A | 81.30.158.121:443 | N/A | tcp |
| N/A | 192.36.38.33:80 | 192.36.38.33 | tcp |
| N/A | 161.35.87.45:443 | N/A | tcp |
Files
memory/732-2-0x0000000075D01000-0x0000000075D03000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1464-4-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | f9ebc1b7776ae0b130f59b6b68452140 |
| SHA1 | 4792decb20a4719716f6dc4ff9507de8a51f98f4 |
| SHA256 | 70f9e16e6f323cbfd03e4b9f171ddfe42462e7fe22dfee92df3ee8af2b84cb39 |
| SHA512 | 0867fa9be2655f29270040f1cb35cb5c12164342639cf3ddc6f79668e3f01237405c23afab823d432669fa744f84252bed258735dba17df2f0f9d99da8951d56 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-02-16 15:33
Reported
2021-02-16 15:35
Platform
win10v20201028
Max time kernel
65s
Max time network
128s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{3BD5DEEE-4B67-4997-9BE5-608480F9EE8B}\1621222759.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4092 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 4092 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 4092 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | C:\Users\Admin\AppData\Local\Temp\{3BD5DEEE-4B67-4997-9BE5-608480F9EE8B}\1621222759.exe |
| PID 4092 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe | C:\Users\Admin\AppData\Local\Temp\{3BD5DEEE-4B67-4997-9BE5-608480F9EE8B}\1621222759.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe
"C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
C:\Users\Admin\AppData\Local\Temp\{3BD5DEEE-4B67-4997-9BE5-608480F9EE8B}\1621222759.exe
"1621222759.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1124
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 52.109.8.21:443 | N/A | tcp |
| N/A | 199.58.81.140:80 | 199.58.81.140 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.48.44:443 | api.ipify.org | tcp |
| N/A | 98.225.157.78:80 | 98.225.157.78 | tcp |
| N/A | 199.249.230.111:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 52.231.11.34:80 | 52.231.11.34 | tcp |
| N/A | 198.50.191.95:80 | 198.50.191.95 | tcp |
| N/A | 109.70.100.6:80 | 109.70.100.6 | tcp |
| N/A | 37.157.253.35:80 | 37.157.253.35 | tcp |
| N/A | 185.196.2.251:80 | 185.196.2.251 | tcp |
| N/A | 78.47.41.28:443 | N/A | tcp |
| N/A | 135.148.33.91:80 | 135.148.33.91 | tcp |
| N/A | 93.115.86.6:80 | 93.115.86.6 | tcp |
| N/A | 216.10.247.146:80 | 216.10.247.146 | tcp |
| N/A | 46.38.235.14:80 | 46.38.235.14 | tcp |
| N/A | 192.42.116.27:443 | N/A | tcp |
| N/A | 67.163.135.106:80 | 67.163.135.106 | tcp |
| N/A | 23.129.64.237:80 | 23.129.64.237 | tcp |
| N/A | 127.0.0.1:32767 | N/A | tcp |
| N/A | 185.220.102.253:80 | 185.220.102.253 | tcp |
| N/A | 85.25.213.211:80 | N/A | tcp |
| N/A | 199.249.230.79:80 | 199.249.230.79 | tcp |
| N/A | 51.15.190.109:443 | N/A | tcp |
| N/A | 135.148.33.142:80 | 135.148.33.142 | tcp |
| N/A | 192.144.37.127:80 | 192.144.37.127 | tcp |
| N/A | 8.8.8.8:53 | www.msftconnecttest.com | udp |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
Files
memory/2464-2-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | a742ab998f10bc57fefced9174d4f4f5 |
| SHA1 | 7deca2a2f7a5dda43cc429d84ec68d6dc34edcb6 |
| SHA256 | 3f050f8f9cdde50075e189c6f7a76508f3b9585ec7025974221fe893d4c8ae03 |
| SHA512 | 415fb9e5e69dd38eb59deba84863671643717d0a12b0a1dc9a1ced38dabf01dff63b0a4ef4d3ab20305bc865deb73c174fde61616513328fbb41b401e8742ec1 |
memory/3292-6-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\{3BD5DEEE-4B67-4997-9BE5-608480F9EE8B}\1621222759.exe
| MD5 | 9f385a9a69a4d9e18055743f0694976b |
| SHA1 | 2c2385ea964a33f803e96e364d4a05771c733921 |
| SHA256 | 45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216 |
| SHA512 | e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c |
C:\Users\Admin\AppData\Local\Temp\{3BD5DEEE-4B67-4997-9BE5-608480F9EE8B}\1621222759.exe
| MD5 | 9f385a9a69a4d9e18055743f0694976b |
| SHA1 | 2c2385ea964a33f803e96e364d4a05771c733921 |
| SHA256 | 45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216 |
| SHA512 | e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c |
memory/1164-9-0x0000000004FA0000-0x0000000004FA1000-memory.dmp