Analysis Overview
SHA256
4bd4ccdaefa72f9326ba93542ddc447f6df1452a6f626a54d43c3a4c37e23968
Threat Level: Known bad
The file 2bb0000.exe was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-04 09:27
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-04 09:27
Reported
2021-05-04 09:29
Platform
win10v20210410
Max time kernel
150s
Max time network
136s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bb0000.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2116 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\2bb0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 2116 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\2bb0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2bb0000.exe
"C:\Users\Admin\AppData\Local\Temp\2bb0000.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 194.109.206.212:80 | 194.109.206.212 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.144.221:443 | api.ipify.org | tcp |
| N/A | 162.247.74.206:80 | 162.247.74.206 | tcp |
| N/A | 23.129.64.209:443 | | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 45.32.240.31:80 | 45.32.240.31 | tcp |
| N/A | 185.112.82.50:80 | 185.112.82.50 | tcp |
| N/A | 88.115.22.244:80 | 88.115.22.244 | tcp |
| N/A | 134.209.159.74:80 | 134.209.159.74 | tcp |
| N/A | 23.239.10.144:80 | 23.239.10.144 | tcp |
| N/A | 62.128.111.118:443 | | tcp |
| N/A | 37.28.154.68:80 | 37.28.154.68 | tcp |
| N/A | 161.35.87.45:80 | 161.35.87.45 | tcp |
| N/A | 199.249.230.78:80 | 199.249.230.78 | tcp |
| N/A | 185.100.85.132:443 | | tcp |
| N/A | 138.59.18.106:80 | 138.59.18.106 | tcp |
| N/A | 45.154.255.71:80 | 45.154.255.71 | tcp |
| N/A | 193.218.118.155:80 | 193.218.118.155 | tcp |
| N/A | 101.100.146.147:443 | | tcp |
| N/A | 199.249.230.105:80 | 199.249.230.105 | tcp |
| N/A | 66.175.208.248:80 | 66.175.208.248 | tcp |
Files
memory/1392-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 7d64442a03a2e9f258748a012ad23e2a |
| SHA1 | 6714195b3718c09842d7063c6bd126bc11c51dd1 |
| SHA256 | b1a445660b1f62c0e0ad902ea2a8b22eee874cc6e37e8d919d481b64ba0e14a3 |
| SHA512 | d7c18f59e389a80a63331697c44f5d07a42c9f4dd2cb2fd160276bc32da24d259d1ed088c41f47651a9ba2133a6d28c5a1e05af7ed042c64eb070f5779ab0b5d |
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-04 09:27
Reported
2021-05-04 09:29
Platform
win7v20210408
Max time kernel
154s
Max time network
128s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bb0000.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bb0000.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1920 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\2bb0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1920 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\2bb0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1920 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\2bb0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1920 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\2bb0000.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
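The WriteProcessMemory tables in both runs (two rows on win10, four on win7) record the same pair every time: 2bb0000.exe writes into the memory of GetX64BTIT.exe, the file it dropped and the file the "Executes dropped EXE" signature fires on. Each repeated row is one recorded write, so counting them turns the duplicated rows into a per-pair write count. The Python below is an added example, not part of the sandbox report or its tooling; it reconstructs the win7 run from the rows above (the PID-to-image mapping is taken from the Process and Target columns and the memory/1264-... dump name) and joins the separate signature hits into a single drop, execute, write-into-child chain so the reader can see which links the report actually evidences.

```python
import ntpath
import re
from collections import Counter

WRITE_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")

# Constructed from the win7 run (behavioral1) above, reproduced as the sandbox listed
# it: the two processes, the dropped file, the per-process signature hits and the four
# identical WriteProcessMemory rows (each row is one recorded write, so they count).
RUN = {
    "processes": {
        1920: r"C:\Users\Admin\AppData\Local\Temp\2bb0000.exe",
        1264: r"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe",
    },
    "dropped_files": {r"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"},
    "executes_dropped_exe": {r"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"},
    "set_windows_hook_ex": {r"C:\Users\Admin\AppData\Local\Temp\2bb0000.exe"},
    "write_process_memory": ["PID 1920 wrote to memory of 1264"] * 4,
}


def parse_writes(rows):
    """Count cross-process memory writes per (source PID, target PID)."""
    writes = Counter()
    for row in rows:
        m = WRITE_RE.search(row)
        if m:
            writes[(int(m["src"]), int(m["dst"]))] += 1
    return writes


def loader_chains(run):
    """Find drop -> execute -> write-into-child chains.

    Returns one dict per (source, target) write pair saying which links of the
    chain the report supports, so a reviewer can separate evidence from inference."""
    procs = run["processes"]
    chains = []
    for (src, dst), n in sorted(parse_writes(run["write_process_memory"]).items()):
        src_img, dst_img = procs.get(src), procs.get(dst)
        chains.append({
            "parent": ntpath.basename(src_img) if src_img else f"pid {src}",
            "child": ntpath.basename(dst_img) if dst_img else f"pid {dst}",
            "writes": n,
            "child_was_dropped": dst_img in run["dropped_files"],
            "child_ran_from_drop": dst_img in run["executes_dropped_exe"],
            "parent_sets_hook": src_img in run["set_windows_hook_ex"],
        })
    return chains


def verdict(run):
    """One-line summary of the strongest chain, or None when no writes were recorded."""
    chains = loader_chains(run)
    if not chains:
        return None
    c = max(chains, key=lambda c: (c["child_was_dropped"], c["writes"]))
    links = [
        "dropped" if c["child_was_dropped"] else "pre-existing",
        "executed" if c["child_ran_from_drop"] else "not executed by sample",
        f"written to {c['writes']}x by {c['parent']}",
    ]
    return f"{c['child']}: " + " -> ".join(links)


if __name__ == "__main__":
    for chain in loader_chains(RUN):
        print(chain)
    print(verdict(RUN))
```

Feeding the win10 run in the same shape (PIDs 2116 and 1392, two write rows) gives the same chain with a write count of 2; a write whose target PID is absent from the process list is kept and labelled by PID rather than dropped, since a missing process entry is itself worth a look.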
Processes
C:\Users\Admin\AppData\Local\Temp\2bb0000.exe
"C:\Users\Admin\AppData\Local\Temp\2bb0000.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 131.188.40.189:80 | 131.188.40.189 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.157.230:443 | api.ipify.org | tcp |
| N/A | 185.220.102.248:80 | 185.220.102.248 | tcp |
| N/A | 45.90.162.90:443 | | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 192.36.38.33:80 | 192.36.38.33 | tcp |
| N/A | 125.237.199.159:443 | | tcp |
| N/A | 45.90.58.97:80 | 45.90.58.97 | tcp |
| N/A | 185.99.2.124:80 | 185.99.2.124 | tcp |
| N/A | 139.99.98.191:80 | 139.99.98.191 | tcp |
| N/A | 176.123.10.177:80 | 176.123.10.177 | tcp |
| N/A | 109.70.100.1:80 | 109.70.100.1 | tcp |
| N/A | 51.79.147.151:443 | | tcp |
| N/A | 37.157.253.35:80 | 37.157.253.35 | tcp |
| N/A | 185.35.78.200:80 | 185.35.78.200 | tcp |
| N/A | 198.50.191.95:80 | 198.50.191.95 | tcp |
| N/A | 223.132.149.199:443 | | tcp |
| N/A | 5.154.174.241:80 | 5.154.174.241 | tcp |
| N/A | 8.26.21.143:443 | | tcp |
| N/A | 109.69.67.17:80 | 109.69.67.17 | tcp |
| N/A | 94.158.245.75:80 | 94.158.245.75 | tcp |
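The Network tables of this run and of the win10 run show the same sequence: the first TCP connection goes to 131.188.40.189 (win7) or 194.109.206.212 (win10) on port 80, which are the long-standing addresses of the Tor directory authorities gabelmoo and dizum that a Tor client with no cached consensus contacts to bootstrap; then a DNS lookup and HTTPS connection to api.ipify.org (the "Looks up external IP address" signature); a daytime query on 13/tcp to time-a.nist.gov; and a run of connections on 80/443 to bare IPs with no preceding DNS, which is what circuit traffic to relays looks like from the sandbox. The Python below is an added example, not part of the sandbox report or its tooling. It parses rows in the report's own table layout, including the rows where the Domain column was left blank and the protocol shifted one column left, and tags each destination. The directory-authority list is a historical snapshot hard-coded here as an assumption (dizum and moria1 moved in 2021), and the "direct-ip" tag only records that no name was resolved; it does not identify a relay.

```python
from collections import defaultdict
from dataclasses import dataclass

# Long-lived Tor directory-authority addresses as hard-coded in Tor clients of the
# 2013-2020 era. Assumption: a historical snapshot, not a live feed (dizum and moria1
# moved to new addresses in 2021), so check it against the Tor build in the sample.
TOR_DIR_AUTHORITIES = {
    "128.31.0.39": "moria1", "86.59.21.38": "tor26", "194.109.206.212": "dizum",
    "131.188.40.189": "gabelmoo", "193.23.244.244": "dannenberg",
    "171.25.193.9": "maatuska", "154.35.175.225": "faravahar",
    "199.58.81.140": "longclaw", "204.13.164.118": "bastet",
}
EXTERNAL_IP_SERVICES = {"api.ipify.org"}
TIME_SERVICES = {"time-a.nist.gov"}

# Rows copied from the two Network tables in this report (win10 run, then win7 run),
# including rows where the sandbox left Domain blank and shifted "tcp" one column left.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| N/A | 194.109.206.212:80 | 194.109.206.212 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.144.221:443 | api.ipify.org | tcp |
| N/A | 23.129.64.209:443 | tcp | |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 199.249.230.78:80 | 199.249.230.78 | tcp |
| N/A | 131.188.40.189:80 | 131.188.40.189 | tcp |
| N/A | 54.225.157.230:443 | api.ipify.org | tcp |
| N/A | 45.90.162.90:443 | tcp | |
| N/A | 185.220.102.248:80 | 185.220.102.248 | tcp |
"""


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    domain: str   # "" when the sandbox recorded no name for the destination
    proto: str


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row; return None for
    the header line or anything that is not a data row."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[1].lower() == "destination":
        return None
    dst, a, b = cells[1], cells[2], cells[3]
    if b in ("tcp", "udp"):
        domain, proto = a, b
    elif a in ("tcp", "udp"):        # shifted row: Domain was empty
        domain, proto = "", a
    else:
        return None
    ip, port = dst.rsplit(":", 1)
    if domain == ip:                 # the report repeats the IP when no name was seen
        domain = ""
    return Flow(ip, int(port), domain, proto)


def classify(flow):
    """Tag one flow with the behaviour it evidences."""
    if flow.proto == "udp" and flow.dst_port == 53:
        return "dns:" + flow.domain
    if flow.dst_ip in TOR_DIR_AUTHORITIES:
        return "tor-dir-authority:" + TOR_DIR_AUTHORITIES[flow.dst_ip]
    if flow.domain in EXTERNAL_IP_SERVICES:
        return "external-ip-lookup"
    if flow.domain in TIME_SERVICES or flow.dst_port == 13:   # 13/tcp is daytime
        return "time-check"
    if not flow.domain and flow.dst_port in (80, 443):
        # No DNS preceded this connection: consistent with Tor relay traffic after
        # bootstrap, but only a consensus snapshot can confirm a relay identity.
        return "direct-ip"
    return "other"


def triage(table_text):
    """Group destinations by tag; returns {tag: sorted list of 'ip:port'}."""
    tagged = defaultdict(set)
    for line in table_text.splitlines():
        flow = parse_row(line)
        if flow:
            tagged[classify(flow)].add(f"{flow.dst_ip}:{flow.dst_port}")
    return {tag: sorted(v) for tag, v in tagged.items()}


def tor_bootstrap_observed(table_text):
    """True when a known directory authority was contacted: the strongest
    network-side corroboration of the 'Uses Tor communications' signature."""
    return any(t.startswith("tor-dir-authority:") for t in triage(table_text))


if __name__ == "__main__":
    for tag, dsts in sorted(triage(SAMPLE_ROWS).items()):
        print(f"{tag:28} {', '.join(dsts)}")
```

Run against the full tables above, the two authority hits and the api.ipify.org and NIST rows are the only destinations with a stable meaning; the "direct-ip" set changes between the two detonations, as expected for relays chosen per circuit, and should be compared against a Tor consensus from the same date rather than blocked as-is.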
Files
memory/1920-60-0x0000000076691000-0x0000000076693000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1264-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 3ac29e1fd2da4b6e3b3b4b30ca6e83cf |
| SHA1 | 08c76853bb83949e26a2c9d59e6ef244d1cd74f8 |
| SHA256 | b8b658921e91f7ea33378f73bba6eb95d0eb5d0448051b504bf099657f2bd902 |
| SHA512 | adec073fb527a4e485e1c1fd2a86ba0b7bf0b57f4963c3997a3446c18ae574e6b259ed9d2e41172ca8460abe455a00f9afe4be5bbf5553c4242e3d33cae6c47e |
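Comparing the Files sections of the two runs shows which dropped artifacts are worth publishing as indicators: GetX64BTIT.exe has the same SHA256 on win7 and win10 (91f10231...), while x64btit.txt differs between the runs (b1a44566... on win10, b8b65892... on win7), so only the executable's hash is a durable file indicator. The win7 run also lists the executable twice, once without the drive letter. The Python below is an added example, not part of the sandbox report or its tooling; it folds path variants onto one key and classifies each artifact by whether its hash is stable across runs, using the SHA256 values copied from the tables above.

```python
import ntpath
from collections import defaultdict

# SHA256 values copied from the Files sections of the two runs above. The win7 run
# lists GetX64BTIT.exe twice, once without the drive letter, exactly as the report does.
RUNS = {
    "win10v20210410": {
        r"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe":
            "91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581",
        r"C:\Users\Admin\AppData\Local\Temp\x64btit.txt":
            "b1a445660b1f62c0e0ad902ea2a8b22eee874cc6e37e8d919d481b64ba0e14a3",
    },
    "win7v20210408": {
        r"\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe":
            "91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581",
        r"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe":
            "91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581",
        r"C:\Users\Admin\AppData\Local\Temp\x64btit.txt":
            "b8b658921e91f7ea33378f73bba6eb95d0eb5d0448051b504bf099657f2bd902",
    },
}


def normalize(path):
    """Fold 'C:\\Users\\...' and '\\Users\\...' onto one key; Windows paths are
    case-insensitive, so lower-case as well."""
    return ntpath.splitdrive(path)[1].lower()


def cross_run_diff(runs):
    """For each dropped path return ('stable', {hash}) when every run agrees,
    ('varies', {hashes}) when runs disagree, ('partial', {hashes}) when some run
    did not produce the file at all."""
    seen = defaultdict(lambda: defaultdict(set))   # path -> run -> hashes
    for run, files in runs.items():
        for path, digest in files.items():
            seen[normalize(path)][run].add(digest.lower())
    result = {}
    for path, per_run in seen.items():
        hashes = set().union(*per_run.values())
        if len(per_run) < len(runs):
            status = "partial"
        elif len(hashes) == 1:
            status = "stable"
        else:
            status = "varies"
        result[path] = (status, hashes)
    return result


def file_iocs(runs):
    """Hashes worth publishing: only files that are byte-identical across runs."""
    return sorted(h for status, hs in cross_run_diff(runs).values()
                  if status == "stable" for h in hs)


if __name__ == "__main__":
    for path, (status, hashes) in sorted(cross_run_diff(RUNS).items()):
        print(f"{status:8} {path}  {' '.join(sorted(hashes))}")
```

A file tagged "varies" is still evidence (its name and location are stable), but its hash should not go into a blocklist; a file tagged "partial" usually means one platform took a different code path and deserves a third detonation before any conclusion is drawn.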