Overview

overview

10

Static

static

0430.exe

windows7_x64

10

0430.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-09-2021 05:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0430.exe

  • Size

    1.2MB

  • MD5

    0f21bac0d5d8570953996a2aa417ddc3

  • SHA1

    68ccbb4e6d58ba69e1515ac0fe16a886b49ec01c

  • SHA256

    f919093797c9392b74e2c55de01ae57892d871a11752b945e291b270c076b732

  • SHA512

    3c779bf7a065f97e08c06704d4eb851597e9c46f18be71ecfaef51262859e98078eb1ec9fa354fa8cba26c753a2dbe4d3a6b763a3b9a15db63bf7a2596c11649

Score
10/10
osirisbankerbotnet

Malware Config

Signatures

  • Osiris
    bankerbotnetosiris
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0430.exe
    "C:\Users\Admin\AppData\Local\Temp\0430.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\windows\hh.exe
      "C:\windows\hh.exe"
      2⤵
        PID:4012
      • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
        "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
        2⤵
        • Executes dropped EXE
        PID:784

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      MD5

      b4cd27f2b37665f51eb9fe685ec1d373

      SHA1

      7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

      SHA256

      91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

      SHA512

      e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      MD5

      b4cd27f2b37665f51eb9fe685ec1d373

      SHA1

      7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

      SHA256

      91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

      SHA512

      e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\x64btit.txt
      MD5

      2e98da1f5140ccffb0f95fdd3224d9f1

      SHA1

      85a0f735625731ea599371b7b89b0d39b629dea6

      SHA256

      cc947fad01a6a93943b221db7d82573f6b254df8fbe512509e510171755a8a66

      SHA512

      1433b52c6949345d18ea853e8c1b8af009f3d5119c7f4ef5127e53d4ce20af0ec408597d90f861418431ce3b935e0831f4f6785fdd12c8024e1d5866b072343e

      Download Submit

    • memory/784-119-0x0000000000000000-mapping.dmp

      Download

    • memory/3716-114-0x0000000000600000-0x0000000000601000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3716-116-0x00000000029A0000-0x0000000002A82000-memory.dmp

      Filesize

      904KB

      Download

    • memory/3716-117-0x0000000000400000-0x0000000000545000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3716-118-0x0000000002AF0000-0x0000000002B8F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/4012-115-0x0000000000000000-mapping.dmp

      Download