Analysis Overview
SHA256
2fc970b717486762f6c890f525329962662074eb632f0827c901fb1081cbd98f
Threat Level: Known bad
The file test.txt was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Uses Tor communications
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-10 09:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-10 09:43
Reported
2021-09-10 09:46
Platform
win7v20210408
Max time kernel
153s
Max time network
161s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.txt.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.txt.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1828 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\test.txt.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1828 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\test.txt.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1828 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\test.txt.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1828 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\test.txt.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\test.txt.exe
"C:\Users\Admin\AppData\Local\Temp\test.txt.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| CA | 199.58.81.140:80 | 199.58.81.140 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.235.247.117:443 | api.ipify.org | tcp |
| GB | 109.148.154.231:80 | 109.148.154.231 | tcp |
| US | 23.129.64.135:443 | | tcp |
| RO | 93.115.95.38:80 | 93.115.95.38 | tcp |
| SI | 212.44.103.59:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| US | 45.79.177.190:80 | 45.79.177.190 | tcp |
| JP | 172.105.207.42:443 | | tcp |
| RU | 88.214.35.40:80 | 88.214.35.40 | tcp |
| BG | 195.34.103.142:443 | | tcp |
| UA | 193.218.118.167:80 | 193.218.118.167 | tcp |
| LU | 91.243.85.168:443 | | tcp |
| US | 199.249.230.86:80 | 199.249.230.86 | tcp |
| DE | 91.143.87.51:443 | 91.143.87.51 | tcp |
| UA | 91.229.76.124:80 | 91.229.76.124 | tcp |
| FR | 62.210.205.228:80 | 62.210.205.228 | tcp |
| LU | 107.189.31.102:80 | 107.189.31.102 | tcp |
| MY | 202.87.221.231:443 | | tcp |
Files
memory/1828-60-0x0000000075801000-0x0000000075803000-memory.dmp
memory/1828-61-0x00000000000F0000-0x000000000018F000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1728-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | e5366a5ead8bf0ec08f9e3f4438eaff2 |
| SHA1 | ce3c49a04fea3c359481e28e6a0b19b3da8c7a43 |
| SHA256 | 479c23364dc24b0896cad7371b3fb35e6d167a38a0f1d567659210364f8ca2b9 |
| SHA512 | bd6aa869e7f2dd2a8f8bd73bece7d03c810a65af6addef1bc97a8b7f5d8972575b3e870499f52cbc30d1c7d05170ffbd2227d09f17d440d21bfaf694c27ee24a |
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-10 09:43
Reported
2021-09-10 09:45
Platform
win10-en
Max time kernel
150s
Max time network
137s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.txt.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4744 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\test.txt.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 4744 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\test.txt.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\test.txt.exe
"C:\Users\Admin\AppData\Local\Temp\test.txt.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 128.31.0.34:9131 | 128.31.0.34 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 50.16.248.208:443 | api.ipify.org | tcp |
| VN | 123.30.128.138:80 | 123.30.128.138 | tcp |
| US | 208.68.4.129:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| US | 8.8.8.8:53 | time-a-g.nist.gov | udp |
| US | 129.6.15.28:13 | time-a-g.nist.gov | tcp |
| MY | 124.217.246.96:80 | 124.217.246.96 | tcp |
| SE | 213.164.204.171:80 | 213.164.204.171 | tcp |
| DE | 91.143.88.62:80 | 91.143.88.62 | tcp |
| RU | 2.56.241.243:80 | 2.56.241.243 | tcp |
| SG | 27.122.59.100:80 | 27.122.59.100 | tcp |
| AT | 195.144.21.182:443 | | tcp |
| US | 199.249.230.121:80 | 199.249.230.121 | tcp |
| DE | 5.100.130.237:80 | 5.100.130.237 | tcp |
| CH | 176.10.99.201:80 | 176.10.99.201 | tcp |
| RO | 193.169.145.202:443 | | tcp |
| FR | 178.20.55.18:80 | 178.20.55.18 | tcp |
| US | 198.98.61.131:80 | 198.98.61.131 | tcp |
| LU | 104.244.77.73:80 | 104.244.77.73 | tcp |
| ES | 31.13.188.43:443 | | tcp |
| GR | 185.4.132.135:80 | 185.4.132.135 | tcp |
| PL | 192.166.245.82:80 | 192.166.245.82 | tcp |
Files
memory/4744-115-0x0000000000400000-0x000000000049F000-memory.dmp
memory/4792-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 15d539e8e79b3c548351c6aef6af719b |
| SHA1 | ecc3ee4883d96ddf84119e43a89f0ff3679a2acc |
| SHA256 | 9536b44d18032470ab3c8dc961932d1be985efe84db4f533fbe60e050fcaa425 |
| SHA512 | fba69b5fb3c538d435b965387d5fd27d71b16df22df957d1e7545ea3df517d284775d270808718f51251b0031dafb76ca20022f7705f768fda880531db8b0893 |