Analysis Overview
SHA256
4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664
Threat Level: Known bad
The file 4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664 was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Uses Tor communications
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-13 07:49
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-13 07:49
Reported
2021-09-13 07:52
Platform
win10v20210408
Max time kernel
152s
Max time network
115s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4032 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664.exe | C:\windows\hh.exe |
| PID 4032 wrote to memory of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664.exe
"C:\Users\Admin\AppData\Local\Temp\4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664.exe"
C:\windows\hh.exe
"C:\windows\hh.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | e5c65908ea0a6cc798c02667d9e118d6 |
| SHA1 | 81f1f5a58198ea6f1d169d61598ff1f7d3f6e621 |
| SHA256 | 2ee78663402f763a0400873f21839b50f760d97df2a4c502af33a7af5f0b7fb1 |
| SHA512 | 49a924da71ab7f0cce6fe661a1b94cf3ecd13763e46cede350fd102664a0279bd682952d31440e68a9c12e51a079299d5945982dfa17521a3df2aaffa9a689eb |
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-13 07:49
Reported
2021-09-13 07:51
Platform
win7-en
Max time kernel
156s
Max time network
144s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664.exe
"C:\Users\Admin\AppData\Local\Temp\4177267c7688e0a4879695e76b87c4f00f91189a318288c9345a2fb3a9d50664.exe"
C:\windows\hh.exe
"C:\windows\hh.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 3ac29e1fd2da4b6e3b3b4b30ca6e83cf |
| SHA1 | 08c76853bb83949e26a2c9d59e6ef244d1cd74f8 |
| SHA256 | b8b658921e91f7ea33378f73bba6eb95d0eb5d0448051b504bf099657f2bd902 |
| SHA512 | adec073fb527a4e485e1c1fd2a86ba0b7bf0b57f4963c3997a3446c18ae574e6b259ed9d2e41172ca8460abe455a00f9afe4be5bbf5553c4242e3d33cae6c47e |