Analysis Overview
SHA256
605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260
Threat Level: Known bad
The file 605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260 was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Uses Tor communications
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-18 12:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-18 12:29
Reported
2021-05-19 02:27
Platform
win7v20210408
Max time kernel
150s
Max time network
167s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1796 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260.exe
"C:\Users\Admin\AppData\Local\Temp\605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 199.58.81.140:80 | | tcp |
| N/A | 171.25.193.9:443 | | tcp |
| N/A | 66.111.2.131:9030 | | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 66.111.2.131:9030 | | tcp |
| N/A | 204.13.164.118:80 | | tcp |
| N/A | 66.111.2.131:9030 | | tcp |
Files
memory/1796-59-0x0000000076641000-0x0000000076643000-memory.dmp
memory/1796-60-0x0000000008390000-0x00000000083E4000-memory.dmp
memory/1796-62-0x0000000008450000-0x00000000084EF000-memory.dmp
memory/1796-61-0x0000000000400000-0x0000000006C5A000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
|---|---|
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1164-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
|---|---|
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| Hash | Value |
|---|---|
| MD5 | ebc99b8fff3a6ff144ca58f73d2b9d7b |
| SHA1 | 9f2e6623fd0074cd3f9dbb59d184d32098d83133 |
| SHA256 | a29526f00c9f0de050c7003624ddc94e1dd0419f16c99b328d67f073352ac535 |
| SHA512 | 9acc3b34348403ec74f2bb234f6f4853e771815fd517a573a6c6dcb9c73083d385fa16970e3953ee0b366716dbd012442cf1399d3064e0c5c2928dde72e7a198 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-18 12:29
Reported
2021-05-19 02:27
Platform
win10v20210410
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2228 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260.exe
"C:\Users\Admin\AppData\Local\Temp\605255cd417fde0180da116df7deeba2a7a0db6dcda35baf5f68ef8a97449260.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
Files
memory/2228-114-0x0000000008860000-0x00000000088B4000-memory.dmp
memory/2172-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
|---|---|
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/2228-115-0x0000000000400000-0x0000000006C5A000-memory.dmp
memory/2228-119-0x0000000008910000-0x00000000089AF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| Hash | Value |
|---|---|
| MD5 | 7d64442a03a2e9f258748a012ad23e2a |
| SHA1 | 6714195b3718c09842d7063c6bd126bc11c51dd1 |
| SHA256 | b1a445660b1f62c0e0ad902ea2a8b22eee874cc6e37e8d919d481b64ba0e14a3 |
| SHA512 | d7c18f59e389a80a63331697c44f5d07a42c9f4dd2cb2fd160276bc32da24d259d1ed088c41f47651a9ba2133a6d28c5a1e05af7ed042c64eb070f5779ab0b5d |