Analysis Overview
SHA256
7176b06d8ef959057db3fa2868695ee2d3e810353fb236923840903ddb47019a
Threat Level: Known bad
The file 2f50000.exe was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Uses Tor communications
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-04 10:03
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-04 10:03
Reported
2021-05-04 10:07
Platform
win10v20210408
Max time kernel
151s
Max time network
123s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f50000.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 644 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\2f50000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2f50000.exe
"C:\Users\Admin\AppData\Local\Temp\2f50000.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
Files
memory/2448-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 4df3636c50284e9dae973bb34c75fcc2 |
| SHA1 | 3f70898fdc89431ac413c6dccf0e243bbb0ba6e1 |
| SHA256 | 7ff3698cb1ae933bc9e05bb7d1765d3b2893ab5cd8bd4529a6855d383f97ce25 |
| SHA512 | 54c4dd5503a8a41d2c7cfd5f8740d12de328b982737e19a8506527aa97c547bf92f7527c5dedadf67aa7dca24a6ed1e2e7b9a2dc5783bf477609117662cbd47a |
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-04 10:03
Reported
2021-05-04 10:07
Platform
win7v20210410
Max time kernel
151s
Max time network
120s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f50000.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f50000.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 540 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\2f50000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2f50000.exe
"C:\Users\Admin\AppData\Local\Temp\2f50000.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
Files
memory/540-59-0x0000000075A71000-0x0000000075A73000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1844-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | eddab7185b11b4c260c6233cc71b67d2 |
| SHA1 | 3bb304a2f304b09362bf484ac58bd734394fa3dd |
| SHA256 | 64aab7625aa2988a67ff2dc8e3d89d593d919e609ff3b4ef58986d015848aa7e |
| SHA512 | f94d85b3d96df3289ef538ab1a4b18fb08cfa5b581b471e6bf1303e0b141b99c9e3ad7b5ccaab60cb4b3fe6cff7648a98deea5557fb980644b6588455ef4cea5 |