Analysis Overview
SHA256
0dbc1af2d931bdeada204f13aafb51ab3bf83a3354c32fe5076bbcc5244b7f63
Threat Level: Known bad
The file osiris_test001.exe was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-07-13 08:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-13 08:16
Reported
2021-07-13 08:19
Platform
win7v20210408
Max time kernel
150s
Max time network
108s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 520 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 520 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 520 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 520 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe
"C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 204.13.164.118:80 | 204.13.164.118 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.238.218:443 | api.ipify.org | tcp |
| N/A | 209.58.180.90:80 | 209.58.180.90 | tcp |
| N/A | 45.79.124.121:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 23.129.64.158:80 | 23.129.64.158 | tcp |
| N/A | 91.143.80.147:443 | N/A | tcp |
| N/A | 81.30.158.121:80 | 81.30.158.121 | tcp |
| N/A | 162.247.74.201:80 | 162.247.74.201 | tcp |
| N/A | 192.42.116.16:80 | 192.42.116.16 | tcp |
| N/A | 199.249.230.86:80 | 199.249.230.86 | tcp |
| N/A | 139.99.172.11:80 | 139.99.172.11 | tcp |
| N/A | 5.42.129.115:443 | N/A | tcp |
| N/A | 87.120.37.79:80 | 87.120.37.79 | tcp |
| N/A | 213.164.204.165:80 | 213.164.204.165 | tcp |
| N/A | 127.0.0.1:32767 | N/A | tcp |
Files
memory/520-59-0x0000000075891000-0x0000000075893000-memory.dmp
memory/520-60-0x0000000000270000-0x0000000000278000-memory.dmp
memory/520-61-0x0000000002F10000-0x0000000002F11000-memory.dmp
memory/520-62-0x0000000000400000-0x000000000050C000-memory.dmp
memory/916-64-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
| --- | --- |
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
| --- | --- |
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/520-66-0x0000000003070000-0x0000000003114000-memory.dmp
memory/520-67-0x0000000003320000-0x00000000034E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| Hash | Value |
| --- | --- |
| MD5 | be2476ced1f366ca02ccd1ebbad2417f |
| SHA1 | 639aebb07de90c61104eaced069bacdead556eaf |
| SHA256 | cf4ca065d5648e0e81b0c1541b2403bd7488c1d2d068f8b012478c2138b86861 |
| SHA512 | 85214669ad4145b83a96e76704464ee49837586e5380ca7b0735d2f5ef85fddd3c1bd8a10045b0431e6b78f493deb35306c5b01cd95fd774d4428453f4427fec |
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-13 08:16
Reported
2021-07-13 08:19
Platform
win10v20210410
Max time kernel
150s
Max time network
135s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3212 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 3212 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe
"C:\Users\Admin\AppData\Local\Temp\osiris_test001.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 128.31.0.34:9131 | 128.31.0.34 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.88.121:443 | api.ipify.org | tcp |
| N/A | 94.130.183.13:80 | 94.130.183.13 | tcp |
| N/A | 195.154.105.241:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 188.240.210.20:80 | 188.240.210.20 | tcp |
| N/A | 46.183.217.2:80 | 46.183.217.2 | tcp |
| N/A | 23.129.64.152:80 | 23.129.64.152 | tcp |
| N/A | 151.237.185.110:80 | 151.237.185.110 | tcp |
| N/A | 45.61.186.108:80 | 45.61.186.108 | tcp |
| N/A | 107.189.7.118:443 | N/A | tcp |
| N/A | 145.239.81.58:80 | 145.239.81.58 | tcp |
| N/A | 192.166.245.237:80 | 192.166.245.237 | tcp |
| N/A | 127.0.0.1:32767 | N/A | tcp |
Files
memory/3212-115-0x0000000002F20000-0x0000000002F21000-memory.dmp
memory/3212-114-0x0000000002130000-0x0000000002138000-memory.dmp
memory/3212-116-0x0000000000400000-0x000000000050C000-memory.dmp
memory/1900-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
| --- | --- |
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
| --- | --- |
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/3212-121-0x0000000003550000-0x0000000003555000-memory.dmp
memory/3212-120-0x0000000003020000-0x00000000030C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| Hash | Value |
| --- | --- |
| MD5 | 7d64442a03a2e9f258748a012ad23e2a |
| SHA1 | 6714195b3718c09842d7063c6bd126bc11c51dd1 |
| SHA256 | b1a445660b1f62c0e0ad902ea2a8b22eee874cc6e37e8d919d481b64ba0e14a3 |
| SHA512 | d7c18f59e389a80a63331697c44f5d07a42c9f4dd2cb2fd160276bc32da24d259d1ed088c41f47651a9ba2133a6d28c5a1e05af7ed042c64eb070f5779ab0b5d |