Analysis Overview
SHA256
1bb6fb4d17c2bc64645d9ea67e3f3b34c4cc3b082c70676b202ebcd59762c3c2
Threat Level: Known bad
The file 6a0000.exe was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-03-05 10:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-03-05 10:38
Reported
2021-03-05 10:40
Platform
win7v20201028
Max time kernel
150s
Max time network
141s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a0000.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a0000.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1932 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\6a0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1932 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\6a0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1932 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\6a0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1932 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\6a0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6a0000.exe
"C:\Users\Admin\AppData\Local\Temp\6a0000.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 154.35.175.225:80 | 154.35.175.225 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.129.141:443 | api.ipify.org | tcp |
| N/A | 35.72.91.83:443 | 35.72.91.83 | tcp |
| N/A | 141.255.166.150:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 185.80.222.158:443 | 185.80.222.158 | tcp |
| N/A | 163.172.213.212:80 | 163.172.213.212 | tcp |
| N/A | 176.10.99.202:80 | 176.10.99.202 | tcp |
| N/A | 176.53.22.142:80 | 176.53.22.142 | tcp |
| N/A | 51.89.143.152:80 | 51.89.143.152 | tcp |
| N/A | 107.189.10.51:80 | 107.189.10.51 | tcp |
| N/A | 83.143.116.16:443 | N/A | tcp |
| N/A | 23.129.64.223:80 | 23.129.64.223 | tcp |
| N/A | 82.192.94.125:443 | N/A | tcp |
| N/A | 199.249.230.149:80 | 199.249.230.149 | tcp |
| N/A | 91.192.103.43:80 | 91.192.103.43 | tcp |
| N/A | 109.70.100.19:80 | 109.70.100.19 | tcp |
| N/A | 159.69.191.201:443 | N/A | tcp |
| N/A | 79.124.7.11:80 | 79.124.7.11 | tcp |
| N/A | 78.47.226.12:443 | N/A | tcp |
| N/A | 149.56.94.217:80 | 149.56.94.217 | tcp |
| N/A | 178.17.174.198:80 | 178.17.174.198 | tcp |
Files
memory/1932-2-0x00000000750C1000-0x00000000750C3000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1688-4-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | e6919afdbf29204ebf97a295dfa3e936 |
| SHA1 | e7239cdc1446c399b894c096f7b1be598a24b936 |
| SHA256 | a0e62a09b52a6a508fc59875486621a377704096ba7a4aa4b3f254f81581405d |
| SHA512 | da35a913fd542f44e474771391facccd3a1dc872c10a04ed914d03153391658420c43c42dc26877a22cf811a3e812a3d211efe76ca9f93ff7b5d024b5b5145c5 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-03-05 10:38
Reported
2021-03-05 10:40
Platform
win10v20201028
Max time kernel
151s
Max time network
120s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a0000.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 504 wrote to memory of 492 | N/A | C:\Users\Admin\AppData\Local\Temp\6a0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 504 wrote to memory of 492 | N/A | C:\Users\Admin\AppData\Local\Temp\6a0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6a0000.exe
"C:\Users\Admin\AppData\Local\Temp\6a0000.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 172.217.168.205:443 | N/A | tcp |
| N/A | 216.58.211.105:443 | N/A | tcp |
| N/A | 216.58.211.105:443 | N/A | tcp |
| N/A | 216.58.211.105:443 | N/A | tcp |
| N/A | 172.217.17.74:443 | N/A | tcp |
| N/A | 172.217.168.238:443 | N/A | tcp |
| N/A | 172.217.17.68:443 | N/A | tcp |
| N/A | 172.217.20.67:80 | N/A | tcp |
| N/A | 67.199.248.17:80 | N/A | tcp |
| N/A | 172.217.20.67:80 | N/A | tcp |
| N/A | 142.250.179.129:443 | N/A | tcp |
| N/A | 154.35.175.225:80 | 154.35.175.225 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.83.248:443 | api.ipify.org | tcp |
| N/A | 62.210.125.130:80 | 62.210.125.130 | tcp |
| N/A | 185.100.84.212:443 | N/A | tcp |
| N/A | 216.58.211.105:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 5.2.69.21:80 | 5.2.69.21 | tcp |
| N/A | 103.200.210.66:80 | 103.200.210.66 | tcp |
| N/A | 185.86.148.90:80 | 185.86.148.90 | tcp |
| N/A | 136.244.108.143:80 | 136.244.108.143 | tcp |
| N/A | 97.69.218.38:80 | 97.69.218.38 | tcp |
| N/A | 109.74.195.223:443 | N/A | tcp |
| N/A | 135.148.33.96:80 | 135.148.33.96 | tcp |
| N/A | 87.120.37.79:80 | 87.120.37.79 | tcp |
| N/A | 195.154.252.88:80 | 195.154.252.88 | tcp |
| N/A | 85.212.18.186:443 | N/A | tcp |
| N/A | 95.141.36.127:80 | 95.141.36.127 | tcp |
| N/A | 51.77.111.67:80 | 51.77.111.67 | tcp |
| N/A | 179.43.190.10:80 | 179.43.190.10 | tcp |
| N/A | 104.37.193.102:443 | N/A | tcp |
| N/A | 135.148.33.131:80 | 135.148.33.131 | tcp |
| N/A | 103.35.74.74:80 | 103.35.74.74 | tcp |
Files
memory/492-2-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | efe080540179c771d3f5fb83ed67a6c6 |
| SHA1 | 880d14b09dd8243bce981a589c8d0ba2d5917247 |
| SHA256 | 1f04cc948752ccf1534fe74074d043a9acab0c02802d1ba8d1aa5d562779dc7a |
| SHA512 | efac3dfaf3407eaa7604d9ca424f310df103430767e16c91b203d1d3f7a5f31729173d82d709db52f9b12133b16f0b7b2c66344e79c91cde499544c08964e5c1 |
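Triage note on the two behavioral runs above. Both runs fire the same signatures (external IP lookup via api.ipify.org, "Uses Tor communications", and a TCP/13 daytime request to time-a.nist.gov), but the Tor signature has no indicator row, and the Network tables list many bare-IP TCP connections that were never preceded by a DNS lookup. The script below is an added example written for this page, not part of the sandbox report or any tool the report was produced with. It parses a subset of Network rows copied from both runs (including rows that were extracted with the protocol shifted into the Domain column), flags the destinations that account for each signature, and compares the dropped-file hashes across the win7 and win10 runs. The directory-authority table is an assumption taken from Tor's bundled authority list around the report date and must be re-checked against a current release; the "unresolved direct TCP" heuristic is my own inference and is not something the report states.

```python
import re
from collections import defaultdict

# Subset of Network rows copied verbatim from the win7 and win10 runs above.
# Some rows were extracted with 'tcp' shifted into the Domain column; parse_rows() accepts both shapes.
WIN7_ROWS = """\
| N/A | 154.35.175.225:80 | 154.35.175.225 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.129.141:443 | api.ipify.org | tcp |
| N/A | 141.255.166.150:443 | tcp | |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 163.172.213.212:80 | 163.172.213.212 | tcp |
| N/A | 83.143.116.16:443 | tcp | |
"""
WIN10_ROWS = """\
| N/A | 172.217.168.205:443 | tcp | |
| N/A | 154.35.175.225:80 | 154.35.175.225 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.83.248:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 5.2.69.21:80 | 5.2.69.21 | tcp |
| N/A | 185.100.84.212:443 | tcp | |
"""

# SHA256 values copied from the Files sections of the two runs.
WIN7_FILES = {
    "GetX64BTIT.exe": "91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581",
    "x64btit.txt": "a0e62a09b52a6a508fc59875486621a377704096ba7a4aa4b3f254f81581405d",
}
WIN10_FILES = {
    "GetX64BTIT.exe": "91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581",
    "x64btit.txt": "1f04cc948752ccf1534fe74074d043a9acab0c02802d1ba8d1aa5d562779dc7a",
}

# ASSUMPTION: Tor directory authorities as bundled in Tor around early 2021. Re-verify before use.
TOR_DIR_AUTHORITIES = {
    "154.35.175.225": "Faravahar", "128.31.0.39": "moria1", "86.59.21.38": "tor26",
    "171.25.193.9": "maatuska", "193.23.244.244": "dannenberg", "131.188.40.189": "gabelmoo",
    "199.58.81.140": "longclaw", "204.13.164.118": "bastet", "45.66.33.45": "dizum",
}
IP_LOOKUP_SERVICES = {"api.ipify.org"}

ROW = re.compile(r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dest>[^|]*?)\s*\|\s*(?P<c3>[^|]*?)\s*\|\s*(?P<c4>[^|]*?)\s*\|$")


def parse_rows(table):
    """Return one dict (ip, port, domain, proto) per table row, normalising shifted rows."""
    rows = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ip, port = m["dest"].rsplit(":", 1)
        c3, c4 = m["c3"], m["c4"]
        if c3 in ("tcp", "udp") and not c4:  # protocol landed in the Domain column
            domain, proto = "", c3
        else:
            domain, proto = c3, c4
        rows.append({"ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(rows):
    """Map each finding class to the sorted list of destinations that triggered it."""
    findings = defaultdict(set)
    resolved = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    for r in rows:
        dest = f'{r["ip"]}:{r["port"]}'
        if r["domain"] in IP_LOOKUP_SERVICES and r["proto"] == "tcp":
            findings["external_ip_lookup"].add(dest)
        if r["ip"] in TOR_DIR_AUTHORITIES:
            findings["tor_directory_authority"].add(f'{dest} ({TOR_DIR_AUTHORITIES[r["ip"]]})')
        if r["port"] == 13 and r["proto"] == "tcp":
            findings["daytime_clock_check"].add(dest)
        # Heuristic (my inference): TCP to an address that was never resolved by name. Tor clients
        # dial relays by IP from the consensus, so a cluster of these fits the Tor signature.
        if r["proto"] == "tcp" and r["domain"] in ("", r["ip"]) and r["domain"] not in resolved:
            findings["unresolved_direct_tcp"].add(dest)
    return {k: sorted(v) for k, v in findings.items()}


def compare_runs(a, b):
    """Split file names present in both runs into byte-identical and differing sets."""
    same = sorted(n for n in a if n in b and a[n] == b[n])
    diff = sorted(n for n in a if n in b and a[n] != b[n])
    return same, diff


if __name__ == "__main__":
    for name, table in (("win7", WIN7_ROWS), ("win10", WIN10_ROWS)):
        print(name, classify(parse_rows(table)))
    print("identical across runs / differs across runs:", compare_runs(WIN7_FILES, WIN10_FILES))
```

The hash comparison is the part worth keeping as an indicator: GetX64BTIT.exe is byte-identical in both runs, so it is embedded in the dropper and its SHA256 is a stable IOC, whereas x64btit.txt differs between runs and is per-host output whose hash should not be fed into a blocklist.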