Analysis Overview
SHA256
0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506
Threat Level: Known bad
The file 0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506 was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-22 14:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-22 14:12
Reported
2021-09-22 14:15
Platform
win7v20210408
Max time kernel
157s
Max time network
151s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1816 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1816 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1816 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 1816 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe
"C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| SE | 171.25.193.9:443 | 171.25.193.9 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.243.51.135:443 | api.ipify.org | tcp |
| NO | 185.243.218.27:80 | 185.243.218.27 | tcp |
| DE | 83.135.135.131:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| US | 209.141.54.7:80 | 209.141.54.7 | tcp |
| DE | 51.195.107.236:80 | 51.195.107.236 | tcp |
| LU | 107.189.30.75:80 | 107.189.30.75 | tcp |
| LU | 107.189.13.102:443 | | tcp |
| UA | 45.141.156.107:80 | 45.141.156.107 | tcp |
| FR | 195.154.252.88:443 | | tcp |
| BG | 94.155.49.47:80 | 94.155.49.47 | tcp |
| US | 147.135.4.68:80 | 147.135.4.68 | tcp |
| NL | 51.158.147.73:443 | | tcp |
| DE | 194.145.150.15:80 | 194.145.150.15 | tcp |
| HU | 217.197.176.155:443 | | tcp |
| RO | 37.221.65.250:80 | 37.221.65.250 | tcp |
| RO | 93.115.86.4:80 | 93.115.86.4 | tcp |
| DE | 84.252.121.67:80 | 84.252.121.67 | tcp |
| FI | 185.185.170.27:80 | 185.185.170.27 | tcp |
| US | 23.129.64.163:80 | 23.129.64.163 | tcp |
| DE | 93.104.209.61:80 | 93.104.209.61 | tcp |
| US | 199.249.230.69:443 | | tcp |
| US | 199.249.230.146:80 | 199.249.230.146 | tcp |
| NL | 82.94.251.227:443 | | tcp |
| US | 199.249.230.114:80 | 199.249.230.114 | tcp |
| US | 199.249.230.179:80 | 199.249.230.179 | tcp |
Files
memory/1816-60-0x0000000075511000-0x0000000075513000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1316-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 2f817e749114e9459f382799153346f8 |
| SHA1 | 0bf83907d041e72586fcc7d9e7d1880dd5a258b6 |
| SHA256 | d4b6be6cf551eca59c537223fae23eb93b086692d6045b65d8cc355d518a6463 |
| SHA512 | ac04f29c0633f4002607d9b7d5567a2b0cb6edb7edf495f118cebc7bb8453ab669b314d8b08d47e265df245782d59513401d74b9df4e31450fda7d4af19ab8c4 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-22 14:12
Reported
2021-09-22 14:15
Platform
win10-en-20210920
Max time kernel
151s
Max time network
110s
Command Line
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3608 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 3608 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe
"C:\Users\Admin\AppData\Local\Temp\0905e3a59d5e98d625d3d70d0148b1c18523d230f4e6ef5ef0d9147e25c8f506.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 194.109.206.212:80 | | tcp |
| DE | 131.188.40.189:80 | 131.188.40.189 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.235.247.117:443 | api.ipify.org | tcp |
| RO | 193.169.145.202:80 | 193.169.145.202 | tcp |
| US | 209.141.35.75:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| US | 45.63.67.113:80 | 45.63.67.113 | tcp |
| FR | 95.142.161.63:80 | 95.142.161.63 | tcp |
| CH | 185.32.221.201:80 | 185.32.221.201 | tcp |
| ZA | 160.119.249.240:80 | 160.119.249.240 | tcp |
| US | 199.249.230.176:80 | 199.249.230.176 | tcp |
| FI | 185.204.1.239:80 | 185.204.1.239 | tcp |
| CA | 198.100.148.205:443 | | tcp |
| BG | 185.82.219.109:80 | 185.82.219.109 | tcp |
| DE | 193.31.24.154:80 | 193.31.24.154 | tcp |
| CH | 176.10.99.202:80 | 176.10.99.202 | tcp |
| JP | 50.31.252.28:443 | | tcp |
| US | 199.249.230.78:80 | 199.249.230.78 | tcp |
| UA | 91.203.145.114:80 | 91.203.145.114 | tcp |
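The two Network tables above (behavioral1 and behavioral2) are what an analyst would mine for indicators and for the behaviours the signatures name: the api.ipify.org external-IP lookup, the time-a.nist.gov query on TCP port 13 (the Daytime protocol), and the long run of direct-to-IP connections on ports 80 and 443 that underlies the "Uses Tor communications" verdict. The following script is an added example, not part of the report or of the sandbox's own tooling. It embeds a subset of rows copied from both tables (including rows whose Domain cell was lost in extraction, so the protocol slid one column left), repairs that defect, extracts IOCs, and raises the same behaviour flags. The Tor relay set, the benign-infrastructure allowlist and the list of IP-echo services are constructed assumptions: a real check would load the current Tor consensus or bulk exit list, not the handful of addresses hard-coded here.

```python
"""Extract IOCs and behaviour flags from a Triage-style sandbox network table.

Added example; not code from the report or from the sandbox vendor.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "country ip port domain proto")

# Rows copied from the behavioral1 and behavioral2 Network tables on this page.
# Some rows arrived with the Domain cell missing and the protocol shifted left
# ("| DE | 83.135.135.131:443 | tcp | |"); parse_table() repairs that.
NETWORK_TABLE = """\
| SE | 171.25.193.9:443 | 171.25.193.9 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.243.51.135:443 | api.ipify.org | tcp |
| DE | 83.135.135.131:443 | tcp | |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| US | 199.249.230.69:443 | tcp | |
| US | 199.249.230.146:80 | 199.249.230.146 | tcp |
| NL | 194.109.206.212:80 | tcp | |
| US | 54.235.247.117:443 | api.ipify.org | tcp |
"""

# CONSTRUCTED sample standing in for a Tor relay/exit list; a real check
# loads the current consensus or bulk exit list instead of this set.
SAMPLE_TOR_RELAYS = {"171.25.193.9", "199.249.230.69", "199.249.230.146",
                     "194.109.206.212", "83.135.135.131"}

# Assumed benign infrastructure that should not become an IOC: the sandbox's
# resolver (8.8.8.8) and the NIST time server the sample queried.
BENIGN_IPS = {"8.8.8.8", "129.6.15.28"}
BENIGN_DOMAINS = {"time-a.nist.gov"}

# Assumed list of public "what is my IP" services; the page only shows ipify.
IP_ECHO_SERVICES = {"api.ipify.org", "ifconfig.me", "icanhazip.com"}


def parse_table(text):
    """Parse '| CC | ip:port | domain | proto |' rows, fixing shifted rows."""
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain in ("tcp", "udp"):  # Domain cell was lost
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def flags(conns):
    """Behaviour flags mirroring the report's signatures."""
    # Web-port connections with no DNS name behind them (or the IP itself as
    # the "domain"): the pattern a Tor client produces when dialling relays.
    direct = {c.ip for c in conns
              if c.domain in ("", c.ip) and c.port in (80, 443)
              and c.ip not in BENIGN_IPS}
    return {
        "external_ip_lookup": any(c.domain in IP_ECHO_SERVICES for c in conns),
        # TCP/13 is the Daytime protocol (RFC 867): a clock check, not C2.
        "daytime_time_check": any(c.port == 13 and c.proto == "tcp"
                                  for c in conns),
        "tor_relay_hits": sorted((ip for ip in direct if ip in SAMPLE_TOR_RELAYS),
                                 key=ipaddress.ip_address),
        "direct_ip_web_connections": len(direct),
    }


def iocs(conns):
    """Network IOCs with resolver, time server and IP-as-domain rows removed."""
    ips = {c.ip for c in conns if c.ip not in BENIGN_IPS}
    domains = {c.domain for c in conns
               if c.domain and c.domain != c.ip
               and c.domain not in BENIGN_DOMAINS}
    return {"ips": sorted(ips, key=ipaddress.ip_address),
            "domains": sorted(domains)}


if __name__ == "__main__":
    rows = parse_table(NETWORK_TABLE)
    print(flags(rows))
    print(iocs(rows))
```

Treat the relay hits as confirmation of the "Uses Tor communications" signature only when the address list is fresh; Tor relays churn, and a stale list produces both misses and false hits. The allowlist is equally important in the other direction: the resolver and NIST time server appear in every detonation on this platform and should never be pushed to a blocklist as if they were the sample's infrastructure.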
Files
memory/4196-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 403a27f808d460b64e7ef44f959f9472 |
| SHA1 | 3f533d3bfa0391a32f213d7a256150a01ea5bb09 |
| SHA256 | fb526ba7a49fb96f95da364ffcc16ac38e66ba857b41ec4682782761b4022154 |
| SHA512 | 99a8e0322556903821cf1745d1ddd65a60ab518701d26b1e927485f2cc66e3c9ec8fadbf963dc989c6c3564c4ee794a3a8fd6168e94ee28bc7a8df2754698663 |