Analysis Overview
SHA256
82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca
Threat Level: Known bad
The file 82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Uses Tor communications
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-22 13:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-22 13:24
Reported
2021-09-22 13:28
Platform
win7v20210408
Max time kernel
153s
Max time network
133s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1840 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe
"C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| SE | 171.25.193.9:443 | 171.25.193.9 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 23.23.145.149:443 | api.ipify.org | tcp |
| US | 199.249.230.121:80 | 199.249.230.121 | tcp |
| ES | 148.3.84.87:443 | | tcp |
| UA | 193.218.118.100:80 | 193.218.118.100 | tcp |
| LU | 104.244.75.53:80 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| CH | 176.10.99.208:80 | 176.10.99.208 | tcp |
| NL | 192.42.116.16:443 | | tcp |
| AU | 45.32.240.31:80 | 45.32.240.31 | tcp |
| JP | 172.104.85.43:443 | | tcp |
| US | 23.129.64.135:80 | 23.129.64.135 | tcp |
| US | 23.129.64.141:80 | 23.129.64.141 | tcp |
| CA | 167.114.170.156:80 | 167.114.170.156 | tcp |
| US | 38.147.122.254:80 | 38.147.122.254 | tcp |
| DE | 116.202.155.223:80 | 116.202.155.223 | tcp |
| CH | 192.33.91.187:443 | | tcp |
| HK | 103.234.220.195:80 | 103.234.220.195 | tcp |
| LU | 104.244.72.123:80 | 104.244.72.123 | tcp |
Files
memory/1840-60-0x0000000074D91000-0x0000000074D93000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/2044-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | e9e636a6d2fd541c539bc43c7462fa80 |
| SHA1 | 669ad6976eb85d81d7d448b410f01102c7b31765 |
| SHA256 | 2f7e5e6f7fb432996e9baae98cd4b43a23ccda9364cf31faab4417ac27ba858f |
| SHA512 | c4277d5f0a8f377227cd8798c0d25cc865f5758e59c4f24b34703bd0061983558581ec94e583bc9e6f6a3665fa8ad3af91f2ea88123fdf1fd412137493af6dfc |
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-22 13:24
Reported
2021-09-22 13:28
Platform
win10-en-20210920
Max time kernel
151s
Max time network
152s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2064 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 2064 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe
"C:\Users\Admin\AppData\Local\Temp\82b13cf8f768b3830b50622eba4da3593a8a724ffcefd55793ee87a4f0ea57ca.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 131.188.40.189:80 | 131.188.40.189 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 23.21.173.155:443 | api.ipify.org | tcp |
| US | 45.56.90.176:80 | 45.56.90.176 | tcp |
| US | 23.129.64.174:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| SE | 193.234.15.59:80 | 193.234.15.59 | tcp |
| DK | 85.235.250.88:80 | 85.235.250.88 | tcp |
| MD | 176.123.5.4:80 | 176.123.5.4 | tcp |
| FR | 51.75.143.241:443 | | tcp |
| DE | 173.212.225.208:80 | 173.212.225.208 | tcp |
| US | 51.81.187.175:80 | 51.81.187.175 | tcp |
| SE | 193.189.100.197:80 | 193.189.100.197 | tcp |
| SG | 27.122.59.100:80 | 27.122.59.100 | tcp |
| SG | 68.183.182.89:80 | 68.183.182.89 | tcp |
| FR | 163.172.94.144:443 | | tcp |
| NL | 51.15.106.25:80 | 51.15.106.25 | tcp |
| AT | 192.36.38.33:80 | 192.36.38.33 | tcp |
| US | 204.194.29.4:80 | 204.194.29.4 | tcp |
| FR | 135.125.55.228:443 | | tcp |
| FI | 80.221.145.96:80 | 80.221.145.96 | tcp |
| US | 199.249.230.188:80 | 199.249.230.188 | tcp |
| US | 23.154.177.134:80 | 23.154.177.134 | tcp |
| SE | 80.78.23.235:443 | | tcp |
| LT | 176.223.141.106:80 | 176.223.141.106 | tcp |
| CZ | 87.236.194.23:80 | 87.236.194.23 | tcp |
| DE | 62.171.144.155:80 | 62.171.144.155 | tcp |
| US | 207.244.70.35:443 | | tcp |
| DE | 84.252.121.67:80 | 84.252.121.67 | tcp |
| RU | 62.109.4.115:80 | 62.109.4.115 | tcp |
Files
memory/2352-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 58cda39d0f582e5fecc9466f95a9afd1 |
| SHA1 | fe4be3ea8906fcb9313e105e2356085684fe9471 |
| SHA256 | a6b5cb1a02164855939885048581a5106debc1a7796612a960984361509908be |
| SHA512 | 677e4f0f0bf344e78e85876a0fda9d1dcf87991022a8f62a8c5b0b1f8b4b69fa0fdd4b67f51ea8ad7d0e5d6ddd777d59fa87f92b3df7ae60c65ccb4838cfdfa3 |