Analysis Overview
SHA256
0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506
Threat Level: Known bad
The file 0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506 was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-22 13:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-22 13:24
Reported
2021-09-22 13:29
Platform
win7v20210408
Max time kernel
160s
Max time network
158s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1660 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1660 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1660 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1660 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe
"C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 66.111.2.131:9030 | 66.111.2.131 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 23.23.145.149:443 | api.ipify.org | tcp |
| DE | 45.14.233.159:80 | 45.14.233.159 | tcp |
| JP | 172.107.201.134:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| ZA | 160.119.253.103:80 | 160.119.253.103 | tcp |
| PL | 145.239.84.172:443 | | tcp |
| US | 209.141.59.180:80 | 209.141.59.180 | tcp |
| LU | 107.189.13.94:80 | 107.189.13.94 | tcp |
| RO | 37.221.66.253:80 | 37.221.66.253 | tcp |
| RO | 93.115.86.4:80 | 93.115.86.4 | tcp |
| FR | 62.210.125.130:80 | 62.210.125.130 | tcp |
| HU | 185.225.69.91:80 | 185.225.69.91 | tcp |
| US | 67.3.181.198:443 | | tcp |
| DE | 116.203.245.170:80 | 116.203.245.170 | tcp |
| FR | 141.94.71.180:443 | | tcp |
| LU | 107.189.30.230:80 | 107.189.30.230 | tcp |
| US | 192.241.252.63:80 | 192.241.252.63 | tcp |
| FR | 31.36.109.74:80 | 31.36.109.74 | tcp |
| US | 144.172.118.4:443 | | tcp |
| CY | 213.169.148.151:80 | 213.169.148.151 | tcp |
| SE | 213.164.206.127:80 | 213.164.206.127 | tcp |
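Added example, not part of the sandbox report: a small classifier over the behavioral1 Network rows above, transcribed into the script as constructed input. It separates DNS lookups and name-resolved connections (api.ipify.org, time-a.nist.gov) from connections made straight to an IP address with no preceding resolution. Twenty-one of the twenty-five rows are direct-to-IP on ports 80, 443 and 9030 across eleven countries, which is the traffic shape behind the "Uses Tor communications" signature: a Tor client fetches its consensus and builds circuits by address, and 9030 is Tor's default DirPort (154.35.175.225:80 in the behavioral2 table is the address published for the Faravahar directory authority in Tor's built-in authority list). The field names, category labels and the port constant are the example's own assumptions, not the sandbox's.

```python
import ipaddress
from collections import Counter

# Tor's default DirPort. ORPort defaults to 9001; neither is required, so
# absence of these ports does not rule Tor out, but 9030 is a strong hint.
TOR_DIRPORT_DEFAULT = 9030

# Rows transcribed from the behavioral1 Network table on this page:
# (country, destination, domain, proto). An empty domain means the sandbox
# saw no DNS resolution for that destination before the connection.
BEHAVIORAL1_NETWORK = [
    ("US", "93.184.220.29:80", "", "tcp"),
    ("US", "66.111.2.131:9030", "66.111.2.131", "tcp"),
    ("US", "8.8.8.8:53", "api.ipify.org", "udp"),
    ("US", "23.23.145.149:443", "api.ipify.org", "tcp"),
    ("DE", "45.14.233.159:80", "45.14.233.159", "tcp"),
    ("JP", "172.107.201.134:443", "", "tcp"),
    ("US", "8.8.8.8:53", "time-a.nist.gov", "udp"),
    ("US", "129.6.15.28:13", "time-a.nist.gov", "tcp"),
    ("ZA", "160.119.253.103:80", "160.119.253.103", "tcp"),
    ("PL", "145.239.84.172:443", "", "tcp"),
    ("US", "209.141.59.180:80", "209.141.59.180", "tcp"),
    ("LU", "107.189.13.94:80", "107.189.13.94", "tcp"),
    ("RO", "37.221.66.253:80", "37.221.66.253", "tcp"),
    ("RO", "93.115.86.4:80", "93.115.86.4", "tcp"),
    ("FR", "62.210.125.130:80", "62.210.125.130", "tcp"),
    ("HU", "185.225.69.91:80", "185.225.69.91", "tcp"),
    ("US", "67.3.181.198:443", "", "tcp"),
    ("DE", "116.203.245.170:80", "116.203.245.170", "tcp"),
    ("FR", "141.94.71.180:443", "", "tcp"),
    ("LU", "107.189.30.230:80", "107.189.30.230", "tcp"),
    ("US", "192.241.252.63:80", "192.241.252.63", "tcp"),
    ("FR", "31.36.109.74:80", "31.36.109.74", "tcp"),
    ("US", "144.172.118.4:443", "", "tcp"),
    ("CY", "213.169.148.151:80", "213.169.148.151", "tcp"),
    ("SE", "213.164.206.127:80", "213.164.206.127", "tcp"),
]


def _is_ip_literal(text):
    """True when the sandbox's Domain cell is just the IP repeated."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def split_destination(dest):
    """'1.2.3.4:443' -> ('1.2.3.4', 443)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def classify(row):
    """Label one row: 'dns', 'named' (host resolved first) or 'direct_ip'."""
    _country, dest, domain, proto = row
    _host, port = split_destination(dest)
    if proto == "udp" and port == 53:
        return "dns"
    if domain and not _is_ip_literal(domain):
        return "named"
    return "direct_ip"


def summarize(rows):
    """Aggregate the rows into the figures an analyst would glance at."""
    labelled = [(r, classify(r)) for r in rows]
    direct = [r for r, label in labelled if label == "direct_ip"]
    return {
        "counts": dict(Counter(label for _, label in labelled)),
        "named_hosts": sorted({r[2] for r, label in labelled if label == "named"}),
        "direct_ip_countries": sorted({r[0] for r in direct}),
        "direct_ip_ports": dict(Counter(split_destination(r[1])[1] for r in direct)),
        # Direct connections to Tor's default DirPort: consensus/descriptor fetches.
        "tor_dirport_hits": [r[1] for r in direct
                             if split_destination(r[1])[1] == TOR_DIRPORT_DEFAULT],
    }


if __name__ == "__main__":
    for key, value in summarize(BEHAVIORAL1_NETWORK).items():
        print(f"{key}: {value}")
```

The same function applied to the behavioral2 table gives the same picture with a different peer set, which is itself the expected behaviour: Tor guard and directory selection varies per run, so none of the direct-to-IP addresses above are reliable C2 indicators on their own; the stable signals are api.ipify.org, the NIST daytime check and the 9030 DirPort contact.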
Files
memory/1660-60-0x00000000762C1000-0x00000000762C3000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/2036-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 4de524ccc76be92b055260f11b690b1b |
| SHA1 | 801f26a75783c3b1b76f1e1f0d7920ac21b86baf |
| SHA256 | d0f05d96817b5bcdb3eec3034032772a80dabff4fcd30e07da70a23e60b47d59 |
| SHA512 | 0e798f89d8f69b1211810fa95a54be792c064b57b7aa46b29dfea4f53b7a10b6dcc2a9e4a89009b81ba08c43b00657f93051b39e728c1044d1cfc1d60287d2ae |
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-22 13:24
Reported
2021-09-22 13:28
Platform
win10-en-20210920
Max time kernel
150s
Max time network
133s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1952 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe
"C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| US | 154.35.175.225:80 | 154.35.175.225 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 23.21.76.7:443 | api.ipify.org | tcp |
| DE | 80.241.214.102:80 | 80.241.214.102 | tcp |
| DE | 91.7.119.244:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| US | 8.8.8.8:53 | time-a-g.nist.gov | udp |
| US | 129.6.15.28:13 | time-a-g.nist.gov | tcp |
| US | 8.8.8.8:53 | time.nist.gov | udp |
| US | 132.163.96.6:13 | time.nist.gov | tcp |
| GR | 185.4.132.183:80 | 185.4.132.183 | tcp |
| GB | 109.148.154.231:80 | 109.148.154.231 | tcp |
| CA | 142.166.114.234:80 | 142.166.114.234 | tcp |
| US | 23.129.64.161:80 | 23.129.64.161 | tcp |
| CA | 54.39.176.60:80 | 54.39.176.60 | tcp |
| US | 198.98.61.131:80 | 198.98.61.131 | tcp |
| SE | 198.167.199.129:443 | | tcp |
| NL | 62.112.10.154:80 | 62.112.10.154 | tcp |
| PL | 192.166.245.122:80 | 192.166.245.122 | tcp |
| SG | 209.58.180.90:80 | 209.58.180.90 | tcp |
| PL | 145.239.84.172:80 | | tcp |
| DE | 62.113.216.177:80 | 62.113.216.177 | tcp |
| PT | 5.154.174.241:80 | 5.154.174.241 | tcp |
| N/A | 213.164.206.127:80 | | tcp |
Files
memory/2088-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | a301758665410b46c9376d0293094003 |
| SHA1 | b5c32e665e70a9082688491cb5d3b0664cb64de5 |
| SHA256 | a57a9da455db4b412adea31eb167ac067c49c9c3bd1b08c88b929dbca9ec0c34 |
| SHA512 | b13eced25f8444561b0557ee60db6b9ceed09ef0a422f81aced96b50dbf5cc3ba8a75eb14419edd042d4a437fbf8f1bbd0d1ab24be7ace3fa2aa5dd7fc9c1766 |
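Added example, not from the report or the sandbox: a hash and filename sweep a responder could run over a suspect host with the indicators this page lists. The two detonations show which of them are stable: GetX64BTIT.exe has the same SHA256 in both runs, while x64btit.txt hashes differently in behavioral1 and behavioral2, so its content is run-dependent and only its name and drop location (the user's Temp directory) are worth matching. The directory tree and file contents built in demo() are constructed for the offline self-check; no real sample is shipped, and the labels in STABLE_SHA256 are the example's own.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# SHA256 values transcribed from this report. Only artifacts whose hash was
# identical in both detonations are listed; x64btit.txt differed per run.
STABLE_SHA256 = {
    "0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506": "submitted sample",
    "91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581": "GetX64BTIT.exe (dropped)",
}

# Names of the files the sample wrote to %LOCALAPPDATA%\Temp in both runs.
# Matched case-insensitively because NTFS is.
DROPPED_FILENAMES = {"getx64btit.exe", "x64btit.txt"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, hash_iocs=STABLE_SHA256, name_iocs=DROPPED_FILENAMES):
    """Return (path, sha256, reasons) for every file matching a name or hash IOC."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in name_iocs:
            reasons.append("filename")
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # unreadable (locked, permission denied): skip, don't abort the sweep
        if digest in hash_iocs:
            reasons.append("sha256:" + hash_iocs[digest])
        if reasons:
            hits.append((str(path), digest, reasons))
    return hits


def demo():
    """Build a constructed tree and scan it; returns [(filename, reasons), ...]."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        stand_in = root / "sub" / "GetX64BTIT.exe"
        # Constructed placeholder content; this is NOT the real dropper.
        stand_in.write_bytes(b"constructed stand-in, not the real dropper\n")
        (root / "notes.txt").write_bytes(b"benign constructed file\n")
        # Add the stand-in's own digest so the hash path is exercised offline.
        iocs = dict(STABLE_SHA256)
        iocs[sha256_file(stand_in)] = "constructed stand-in"
        return [(Path(p).name, reasons) for p, _, reasons in scan_directory(root, iocs)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, reasons in scan_directory(target):
        print(f"{path}\t{digest}\t{','.join(reasons)}")
```

A filename-only hit in a user's Temp directory is worth pulling for hashing and detonation even when the hash does not match, since the dropper could be rebuilt between campaigns while the drop routine keeps its names.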