Analysis Overview
SHA256
d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee
Threat Level: Known bad
The file d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-22 13:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-22 13:24
Reported
2021-09-22 13:29
Platform
win7v20210408
Max time kernel
155s
Max time network
173s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1892 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1892 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1892 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1892 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
"C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| US | 66.111.2.131:9030 | 66.111.2.131 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 23.21.76.7:443 | api.ipify.org | tcp |
| SG | 209.58.180.90:80 | 209.58.180.90 | tcp |
| DE | 217.160.42.40:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| LU | 104.244.76.184:80 | 104.244.76.184 | tcp |
| US | 199.249.230.76:443 | | tcp |
| SE | 213.164.204.102:80 | 213.164.204.102 | tcp |
| DE | 5.44.101.190:443 | | tcp |
| SK | 185.48.248.101:80 | 185.48.248.101 | tcp |
| FI | 95.217.6.94:80 | 95.217.6.94 | tcp |
| LV | 46.183.217.3:80 | 46.183.217.3 | tcp |
| DE | 185.220.102.244:80 | 185.220.102.244 | tcp |
| CH | 81.17.30.48:80 | 81.17.30.48 | tcp |
| CA | 149.56.94.217:443 | | tcp |
| NO | 95.141.83.146:80 | 95.141.83.146 | tcp |
| US | 208.113.129.84:80 | 208.113.129.84 | tcp |
| DE | 84.252.121.67:80 | 84.252.121.67 | tcp |
| GB | 109.148.154.231:443 | | tcp |
| DE | 51.195.107.236:80 | 51.195.107.236 | tcp |
| US | 104.149.156.190:443 | | tcp |
| CL | 45.236.130.241:80 | 45.236.130.241 | tcp |
| FR | 52.143.157.92:80 | 52.143.157.92 | tcp |
Files
memory/1892-60-0x0000000075D51000-0x0000000075D53000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1896-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | eb9faa37247a895096d5587effc924ad |
| SHA1 | 3347a9617ee6ae066e719f99503ca3e6c05ca021 |
| SHA256 | cee29eb86cadae993516079be3a72e568f43acd139b11e400f0bc34c70cebe8a |
| SHA512 | 7e366a0330627b83812c42ff726cafaf5c8488be203c1c754df73402a6c3e46ab49f47785623bcc570b41b757347f21e94895071a4fae095d46c115c8099ca9f |
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-22 13:24
Reported
2021-09-22 13:28
Platform
win10-en-20210920
Max time kernel
151s
Max time network
113s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3608 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 3608 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
"C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 194.109.206.212:80 | | tcp |
| US | 154.35.175.225:80 | 154.35.175.225 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 23.23.145.149:443 | api.ipify.org | tcp |
| BG | 82.118.254.226:80 | 82.118.254.226 | tcp |
| US | 51.81.56.74:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| FR | 195.154.36.119:80 | 195.154.36.119 | tcp |
| CH | 46.126.164.243:80 | 46.126.164.243 | tcp |
| RO | 37.221.66.254:80 | 37.221.66.254 | tcp |
| DE | 31.214.144.24:80 | 31.214.144.24 | tcp |
| DE | 45.14.233.160:80 | 45.14.233.160 | tcp |
| DE | 188.192.194.104:443 | | tcp |
| FR | 37.187.2.76:80 | 37.187.2.76 | tcp |
| US | 199.249.230.110:80 | 199.249.230.110 | tcp |
| DE | 178.63.41.58:80 | 178.63.41.58 | tcp |
| SE | 193.234.15.56:443 | | tcp |
| FR | 163.172.56.74:80 | 163.172.56.74 | tcp |
| US | 199.249.230.78:80 | 199.249.230.78 | tcp |
Files
memory/4196-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 403a27f808d460b64e7ef44f959f9472 |
| SHA1 | 3f533d3bfa0391a32f213d7a256150a01ea5bb09 |
| SHA256 | fb526ba7a49fb96f95da364ffcc16ac38e66ba857b41ec4682782761b4022154 |
| SHA512 | 99a8e0322556903821cf1745d1ddd65a60ab518701d26b1e927485f2cc66e3c9ec8fadbf963dc989c6c3564c4ee794a3a8fd6168e94ee28bc7a8df2754698663 |
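Triage notes on the two runs above, as an added worked example that is not part of the sandbox report. The Network tables mix three kinds of traffic: DNS to 8.8.8.8, two third-party services the sample itself contacts (api.ipify.org for the external IP lookup the report flags, and time-a.nist.gov on port 13, the Daytime protocol), and a long tail of TCP connections straight to IP addresses in many countries with no preceding DNS lookup, which is the pattern behind the "Uses Tor communications" signature. The first row of behavioral1 also reaches port 9030, Tor's default directory port. The Files sections show that the dropped GetX64BTIT.exe has the same hashes in both runs while x64btit.txt differs between runs, so only the former is a stable file indicator. The script below parses rows copied from the report (some rows in the extracted tables have "tcp" shifted into the Domain column when Domain is blank, and the parser repairs that), classifies each connection, and compares the per-run file hashes. The port list, the service names treated as benign, and the resolver address are assumptions stated in the code, not facts from the report.

```python
"""Added example (not from the sandbox report): classify the report's Network
rows and compare dropped-file hashes across the two behavioral runs.

Assumptions (not stated in the report): 9001/9030 are Tor's default ORPort and
DirPort; api.ipify.org and time-a.nist.gov are third-party services rather than
attacker infrastructure; 8.8.8.8:53 is the sandbox's DNS resolver.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TOR_DEFAULT_PORTS = {9001, 9030}            # Tor ORPort / DirPort defaults
THIRD_PARTY_SERVICES = {"api.ipify.org", "time-a.nist.gov"}
DNS_RESOLVERS = {"8.8.8.8"}

# Rows copied from the behavioral1 Network table. Two of them carry the
# extraction defect seen in the report: Domain blank, "tcp" slid left, Proto empty.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 66.111.2.131:9030 | 66.111.2.131 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 23.21.76.7:443 | api.ipify.org | tcp |
| SG | 209.58.180.90:80 | 209.58.180.90 | tcp |
| DE | 217.160.42.40:443 | tcp | |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| LU | 104.244.76.184:80 | 104.244.76.184 | tcp |
| US | 199.249.230.76:443 | tcp | |
"""

# SHA256 of the dropped files, copied from the two Files sections.
RUN_FILES = {
    "behavioral1": {
        "GetX64BTIT.exe": "91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581",
        "x64btit.txt": "cee29eb86cadae993516079be3a72e568f43acd139b11e400f0bc34c70cebe8a",
    },
    "behavioral2": {
        "GetX64BTIT.exe": "91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581",
        "x64btit.txt": "fb526ba7a49fb96f95da364ffcc16ac38e66ba857b41ec4682782761b4022154",
    },
}


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_row(line: str) -> Optional[Conn]:
    """Parse one '| CC | ip:port | domain | proto |' row; header rows give None.
    If Proto is empty and Domain holds 'tcp'/'udp', the columns were shifted."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or ":" not in cells[1]:
        return None
    country, dest, domain, proto = cells
    if proto == "" and domain in ("tcp", "udp"):
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return Conn(country, ip, int(port), domain or None, proto)


def classify(c: Conn) -> str:
    if c.ip in DNS_RESOLVERS and c.port == 53:
        return "dns"
    if c.domain in THIRD_PARTY_SERVICES:
        return "third-party-service"
    if c.port in TOR_DEFAULT_PORTS:
        return "tor-default-port"
    if c.domain is None or c.domain == c.ip:
        return "direct-ip"           # no name resolved for it: relay-style traffic
    return "named-host"


def triage(table: str) -> Dict[str, List[Conn]]:
    buckets: Dict[str, List[Conn]] = {}
    for c in filter(None, map(parse_row, table.splitlines())):
        buckets.setdefault(classify(c), []).append(c)
    return buckets


def summary(table: str) -> dict:
    """Per-class counts, the countries seen on direct-IP connections, and the
    endpoints that are neither DNS nor a known third-party service."""
    b = triage(table)
    review = [c for k, v in b.items() if k not in ("dns", "third-party-service") for c in v]
    return {
        "counts": {k: len(v) for k, v in b.items()},
        "direct_ip_countries": sorted({c.country for c in b.get("direct-ip", [])}),
        "review_endpoints": sorted(f"{c.ip}:{c.port}" for c in review),
    }


def stable_across_runs(runs: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """True for files whose hash is identical in every run (usable as an IOC)."""
    names = set.intersection(*(set(files) for files in runs.values()))
    return {n: len({files[n] for files in runs.values()}) == 1 for n in names}


if __name__ == "__main__":
    print(summary(SAMPLE_TABLE))
    print(stable_across_runs(RUN_FILES))
```

The "review_endpoints" list is for investigation, not for a blocklist: Tor relay addresses churn, so the durable indicators on this page are the hashes that stable_across_runs reports as stable (the parent sample and GetX64BTIT.exe), plus the behavioural combination of an ipify lookup followed by direct-to-IP connections on 80/443 and 9030 from a process started out of %TEMP%.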