Analysis
-
max time kernel
150s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-03-2021 18:26
General
-
Target
Secure_Viewer.exe_.exe
-
Size
1.4MB
-
MD5
0c09489446c609ba6893455661948ac7
-
SHA1
46e09d46a00ea8f151b661db6332c83695b1cf90
-
SHA256
4807f8fce08612cc316476fe34aa497188810fc10102c6c07bf18142655eb252
-
SHA512
07f3211408bb75cb25bad4042e3246320b38cd1d30d77635c38f12687bd90ca5b2f8241883aae0a956a606186b3ec0945dd4ad36c3944c1126aae98f2402ae06
Malware Config
Signatures
-
Osiris
-
Nirsoft 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Drops file in Windows directory 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Secure_Viewer.exe_.exe"C:\Users\Admin\AppData\Local\Temp\Secure_Viewer.exe_.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\{0E0AC68D-208E-475C-A5B4-70D93319FB56}\921031860.exeC:\Users\Admin\AppData\Local\Temp\{0E0AC68D-208E-475C-A5B4-70D93319FB56}\921031860.exe /sjson C:\Users\Admin\AppData\Local\Temp\{0E0AC68D-208E-475C-A5B4-70D93319FB56}\book.json4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\{0E0AC68D-208E-475C-A5B4-70D93319FB56}\350986977.exe"350986977.exe"4⤵
- Executes dropped EXE
-
C:\ProgramData\Oracle\Java\javapath\java.exejava.exe -jar C:\Users\Admin\AppData\Local\Temp\{0E0AC68D-208E-475C-A5B4-70D93319FB56}\HTVwHo.jar4⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exeMD5
b4cd27f2b37665f51eb9fe685ec1d373
SHA17f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA25691f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exeMD5
b4cd27f2b37665f51eb9fe685ec1d373
SHA17f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA25691f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
C:\Users\Admin\AppData\Local\Temp\cmd.exeMD5
50b930137463b14f73186c7c6767a2aa
SHA1574f512a44097275658f9c304ef0b74029e9ea46
SHA256eb51a0c96f7de6ce8bb0386429fff83bf95cb23fa61efe499b416f1cb0fc71c9
SHA5127f09ca777189d95d7ca0665a29c800a5228a93437b1067d7276e05d6da07bc6adc9644f545dc35ea0267dd8e7e312b414c9a613001e4f1d600bb481d4cbff872
-
C:\Users\Admin\AppData\Local\Temp\x64btit.txtMD5
9b005ad3011ef6da6bc6c2117f5c1bb5
SHA19a5782b5a4f7773888d5cd949df32a16854df217
SHA256af8071297ee2f51875d5b5de2f3cc63c0832bc82894e6c7f3f350fa43b4b94af
SHA512db80a2705a1e46de0e9cc9cf51cbbb9a5698ad867448544a29d333e1bfe2dcaac27d9c439450f0fb825a583567b52a6abd623561829ade8018fb43f3bead13b2
-
C:\Users\Admin\AppData\Local\Temp\{0E0AC68D-208E-475C-A5B4-70D93319FB56}\350986977.exeMD5
9f385a9a69a4d9e18055743f0694976b
SHA12c2385ea964a33f803e96e364d4a05771c733921
SHA25645f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216
SHA512e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c
-
C:\Users\Admin\AppData\Local\Temp\{0E0AC68D-208E-475C-A5B4-70D93319FB56}\350986977.exeMD5
9f385a9a69a4d9e18055743f0694976b
SHA12c2385ea964a33f803e96e364d4a05771c733921
SHA25645f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216
SHA512e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c
-
C:\Users\Admin\AppData\Local\Temp\{0E0AC68D-208E-475C-A5B4-70D93319FB56}\921031860.exeMD5
b94350c5a57401721ce013c1a76c2727
SHA1f0e946cf41e3c11d7f84736a365ec3d0b173fef4
SHA256e6f88219fde1d526253de53f06fdb95ad08704c4dedbcdcf062d09db69754a58
SHA5120b3622a799f46bf3023a7ff0afde855261f2cc1a42b19c625f17333b480bd90eddb20f61a436724065c9b5372c4beee66366bfd6f3dd5aacfb5bbaa73a022193
-
C:\Users\Admin\AppData\Local\Temp\{0E0AC68D-208E-475C-A5B4-70D93319FB56}\921031860.exeMD5
b94350c5a57401721ce013c1a76c2727
SHA1f0e946cf41e3c11d7f84736a365ec3d0b173fef4
SHA256e6f88219fde1d526253de53f06fdb95ad08704c4dedbcdcf062d09db69754a58
SHA5120b3622a799f46bf3023a7ff0afde855261f2cc1a42b19c625f17333b480bd90eddb20f61a436724065c9b5372c4beee66366bfd6f3dd5aacfb5bbaa73a022193
-
C:\Users\Admin\AppData\Local\Temp\{0E0AC68D-208E-475C-A5B4-70D93319FB56}\HTVwHo.jarMD5
0f396a296d86da86087aa504eed4172b
SHA1404ab46569e2838357ab3247a16f89d27c25eb9a
SHA256ab172b437844a469c70adec06b6ea087dc8091bc37f7e02b1b42863c27f5911c
SHA5128cf92909873213e4e35c019ca53752f2e202064d0d30ab3e706618f42ee77ef9c6373042522dccd73e603a3e350936d4e517c81a04c030876aed5a5f9977fa08
-
memory/836-10-0x0000000000000000-mapping.dmp
-
memory/1084-15-0x0000000000000000-mapping.dmp
-
memory/1400-18-0x0000000000000000-mapping.dmp
-
memory/1580-24-0x0000000002B70000-0x0000000002B80000-memory.dmpFilesize
64KB
-
memory/1580-27-0x0000000002BA0000-0x0000000002BB0000-memory.dmpFilesize
64KB
-
memory/1580-39-0x0000000002C60000-0x0000000002C70000-memory.dmpFilesize
64KB
-
memory/1580-38-0x0000000002C50000-0x0000000002C60000-memory.dmpFilesize
64KB
-
memory/1580-37-0x0000000002C40000-0x0000000002C50000-memory.dmpFilesize
64KB
-
memory/1580-35-0x0000000002C20000-0x0000000002C30000-memory.dmpFilesize
64KB
-
memory/1580-36-0x0000000002C30000-0x0000000002C40000-memory.dmpFilesize
64KB
-
memory/1580-21-0x0000000000000000-mapping.dmp
-
memory/1580-34-0x0000000002C10000-0x0000000002C20000-memory.dmpFilesize
64KB
-
memory/1580-23-0x0000000002900000-0x0000000002B70000-memory.dmpFilesize
2.4MB
-
memory/1580-33-0x0000000002C00000-0x0000000002C10000-memory.dmpFilesize
64KB
-
memory/1580-25-0x0000000002B80000-0x0000000002B90000-memory.dmpFilesize
64KB
-
memory/1580-26-0x0000000002B90000-0x0000000002BA0000-memory.dmpFilesize
64KB
-
memory/1580-32-0x0000000002BF0000-0x0000000002C00000-memory.dmpFilesize
64KB
-
memory/1580-28-0x0000000002BB0000-0x0000000002BC0000-memory.dmpFilesize
64KB
-
memory/1580-29-0x0000000002BC0000-0x0000000002BD0000-memory.dmpFilesize
64KB
-
memory/1580-30-0x0000000002BD0000-0x0000000002BE0000-memory.dmpFilesize
64KB
-
memory/1580-31-0x0000000002BE0000-0x0000000002BF0000-memory.dmpFilesize
64KB
-
memory/3324-7-0x0000000000000000-mapping.dmp
-
memory/3324-9-0x0000000001120000-0x0000000001128000-memory.dmpFilesize
32KB
-
memory/3324-13-0x0000000000400000-0x000000000049F000-memory.dmpFilesize
636KB
-
memory/3652-3-0x0000000000000000-mapping.dmp
-
memory/3652-6-0x0000000002E10000-0x0000000002E18000-memory.dmpFilesize
32KB
-
memory/3652-5-0x00000000027D0000-0x00000000027D2000-memory.dmpFilesize
8KB
-
memory/4764-4-0x0000000002310000-0x000000000231B000-memory.dmpFilesize
44KB
-
memory/4764-2-0x0000000000720000-0x0000000000721000-memory.dmpFilesize
4KB