Analysis Overview
SHA256
1aa2009bf625cdd1f9fce70863201c2c9fc8624edd89103fda2e49b50ba908f7
Threat Level: Known bad
The file 530000.exe was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Uses Tor communications
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-02-24 11:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-02-24 11:17
Reported
2021-02-24 11:19
Platform
win7v20201028
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\530000.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\530000.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1968 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\530000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1968 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\530000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1968 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\530000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1968 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\530000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\530000.exe
"C:\Users\Admin\AppData\Local\Temp\530000.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 194.109.206.212:80 | 194.109.206.212 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.214.197:443 | api.ipify.org | tcp |
| N/A | 199.249.230.166:80 | 199.249.230.166 | tcp |
| N/A | 172.105.61.212:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 185.63.253.130:80 | 185.63.253.130 | tcp |
| N/A | 82.221.128.191:443 | N/A | tcp |
| N/A | 88.198.91.74:80 | 88.198.91.74 | tcp |
| N/A | 104.244.74.121:80 | 104.244.74.121 | tcp |
| N/A | 185.185.71.69:80 | 185.185.71.69 | tcp |
| N/A | 122.117.91.144:80 | 122.117.91.144 | tcp |
| N/A | 185.225.16.146:80 | 185.225.16.146 | tcp |
| N/A | 178.17.171.39:443 | N/A | tcp |
| N/A | 199.249.230.144:80 | 199.249.230.144 | tcp |
| N/A | 51.195.136.190:80 | 51.195.136.190 | tcp |
| N/A | 199.249.230.87:80 | 199.249.230.87 | tcp |
| N/A | 51.161.33.20:443 | N/A | tcp |
| N/A | 87.98.185.5:80 | 87.98.185.5 | tcp |
| N/A | 188.127.69.60:80 | 188.127.69.60 | tcp |
| N/A | 192.42.116.17:80 | 192.42.116.17 | tcp |
| N/A | 178.17.174.13:443 | N/A | tcp |
Files
memory/1968-2-0x0000000075ED1000-0x0000000075ED3000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1648-4-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 6dc13875f352d5685b297de103001773 |
| SHA1 | 84de3498cf19101804a437f576bd7f894682b0be |
| SHA256 | e8af1450405521907e74bcf67dd49c3a9f6288291f5cbb6459ef0de03a2d112f |
| SHA512 | cb4397cb74e6e18c1f0404d2e7971e2b6d9111fd43e929020d6fbb2a269744ac752953ad363aaff94224a1c00aa4f05751eae7b788f7895e651e08dd0da14524 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-02-24 11:17
Reported
2021-02-24 11:19
Platform
win10v20201028
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\530000.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 796 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\530000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 796 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\530000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\530000.exe
"C:\Users\Admin\AppData\Local\Temp\530000.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 66.111.2.131:9030 | 66.111.2.131 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.252.4:443 | api.ipify.org | tcp |
| N/A | 209.141.54.197:80 | 209.141.54.197 | tcp |
| N/A | 195.154.106.60:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 91.203.144.194:80 | 91.203.144.194 | tcp |
| N/A | 45.76.115.159:80 | 45.76.115.159 | tcp |
| N/A | 46.227.68.106:80 | 46.227.68.106 | tcp |
| N/A | 109.68.191.132:80 | 109.68.191.132 | tcp |
| N/A | 199.249.230.69:80 | 199.249.230.69 | tcp |
| N/A | 85.209.158.221:443 | N/A | tcp |
| N/A | 87.120.37.79:80 | 87.120.37.79 | tcp |
| N/A | 149.56.94.219:80 | 149.56.94.219 | tcp |
| N/A | 190.10.8.152:80 | 190.10.8.152 | tcp |
| N/A | 199.249.230.165:443 | N/A | tcp |
| N/A | 109.70.100.18:80 | 109.70.100.18 | tcp |
| N/A | 199.249.230.104:80 | 199.249.230.104 | tcp |
| N/A | 91.121.143.199:80 | 91.121.143.199 | tcp |
| N/A | 95.216.136.34:443 | N/A | tcp |
| N/A | 91.234.19.55:80 | 91.234.19.55 | tcp |
| N/A | 130.193.15.186:80 | 130.193.15.186 | tcp |
Files
memory/2408-2-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 29e63b87a82abf88b7c73dd3442aed6e |
| SHA1 | ede929efeae67bf5bbb54bd9bb4825e774854b38 |
| SHA256 | 77f2d0af447eacfa7196c3fdf3f57091168fdd4eb0f9fb9b005a0506346d2e68 |
| SHA512 | 64dbdc5d63133227293b42ab49c686b5c10640a06bccf377cd7ccba0ce7fde3a952d6fef8e6afe1a03b387aec43cfc81ee9fb0a728c3605240986c781cd84285 |