
Resubmissions

  • 24/09/2022, 21:20 UTC, 220924-z6qdtaddbl (score 10)

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/09/2022, 21:20 UTC

General

  • Target

    5e6764534b3a1e4d3abacc4810b6985d.exe

  • Size

    740KB

  • MD5

    5e6764534b3a1e4d3abacc4810b6985d

  • SHA1

    f10ad287f126f577f197070453812a7e88c2cc52

  • SHA256

    e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0

  • SHA512

    532d2855e1b21433dbcc9c803f0538d99f6c3bddf0dd8321f552c7d16914dce4c2d2d3abd8028f45a4cf18109d430251d8fe8c63d30627e6fcc27d54cb42a188

  • SSDEEP

    12288:az1bWgRkItsxHeYfpGcix2wytmyKsqVwoiFNoQEN5:+RkItsl7fofyKsqVwoiFNoQE3

Score
10/10

Malware Config

Signatures

  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications (1 TTP)

    Malware can proxy its traffic through Tor for more anonymity.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e6764534b3a1e4d3abacc4810b6985d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5e6764534b3a1e4d3abacc4810b6985d.exe"
    PID: 360
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\wermgr.exe (child process)
      Command line: "C:\Windows\System32\wermgr.exe"
      PID: 1732
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx

Network

  • [US] GET http://128.31.0.39/tor/status-vote/current/consensus (wermgr.exe)
    Remote address: 128.31.0.39:9131
    Request:
      GET /tor/status-vote/current/consensus HTTP/1.0
      Host: 128.31.0.39
    Response:
      HTTP/1.0 200 OK
      Date: Sat, 24 Sep 2022 21:20:24 GMT
      Content-Type: text/plain
      X-Your-Address-Is: 154.61.71.50
      Content-Encoding: identity
      Expires: Sat, 24 Sep 2022 22:00:00 GMT
      Vary: X-Or-Diff-From-Consensus
  • [US] DNS api.ipify.org (wermgr.exe)
    Remote address: 8.8.8.8:53
    Request:
      api.ipify.org IN A
    Response:
      api.ipify.org IN CNAME api.ipify.org.herokudns.com
      api.ipify.org.herokudns.com IN A 54.91.59.199
      api.ipify.org.herokudns.com IN A 52.20.78.240
      api.ipify.org.herokudns.com IN A 3.232.242.170
      api.ipify.org.herokudns.com IN A 3.220.57.224
  • [FR] GET http://51.15.249.81/tor/server/fp/bd815c93e9d87ffb32206c3540bd8559003d3325 (wermgr.exe)
    Remote address: 51.15.249.81:80
    Request:
      GET /tor/server/fp/bd815c93e9d87ffb32206c3540bd8559003d3325 HTTP/1.0
      Host: 51.15.249.81
    Response:
      HTTP/1.0 200 OK
      Date: Sat, 24 Sep 2022 21:20:27 GMT
      Content-Type: text/plain
      X-Your-Address-Is: 154.61.71.50
      Content-Encoding: identity
      Expires: Mon, 26 Sep 2022 21:20:27 GMT
  • [US] DNS www.convert-unix-time.com (wermgr.exe)
    Remote address: 8.8.8.8:53
    Request:
      www.convert-unix-time.com IN A
    Response:
      www.convert-unix-time.com IN CNAME convert-unix-time.com
      convert-unix-time.com IN A 185.241.55.132
  • [US] GET http://144.172.118.4/tor/server/fp/5bae48b5efa717a4648f3af26467ccbba3bb65ae (wermgr.exe)
    Remote address: 144.172.118.4:80
    Request:
      GET /tor/server/fp/5bae48b5efa717a4648f3af26467ccbba3bb65ae HTTP/1.0
      Host: 144.172.118.4
    Response:
      HTTP/1.0 200 OK
      Date: Sat, 24 Sep 2022 21:20:31 GMT
      Content-Type: text/plain
      X-Your-Address-Is: 154.61.71.50
      Content-Encoding: identity
      Expires: Mon, 26 Sep 2022 21:20:31 GMT
  • [CZ] GET http://37.157.197.143/tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc (wermgr.exe)
    Remote address: 37.157.197.143:80
    Request:
      GET /tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc HTTP/1.0
      Host: 37.157.197.143
    Response:
      HTTP/1.0 503 Directory busy, try again later
      Date: Sat, 24 Sep 2022 21:20:32 GMT
  • [DK] GET http://185.38.175.133/tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc (wermgr.exe)
    Remote address: 185.38.175.133:80
    Request:
      GET /tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc HTTP/1.0
      Host: 185.38.175.133
    Response:
      HTTP/1.0 503 Directory busy, try again later
      Date: Sat, 24 Sep 2022 21:20:32 GMT
  • [NL] GET http://103.214.6.211/tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc (wermgr.exe)
    Remote address: 103.214.6.211:80
    Request:
      GET /tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc HTTP/1.0
      Host: 103.214.6.211
    Response:
      HTTP/1.1 503 Directory busy, try again later
      Server: nginx/1.18.0
      Date: Sat, 24 Sep 2022 21:20:35 GMT
      Connection: close
  • [US] GET http://199.249.230.157/tor/server/fp/b6f1113306787d4f58faac2759aff0b2eb429441 (wermgr.exe)
    Remote address: 199.249.230.157:80
    Request:
      GET /tor/server/fp/b6f1113306787d4f58faac2759aff0b2eb429441 HTTP/1.0
      Host: 199.249.230.157
    Response:
      HTTP/1.0 200 OK
      Date: Sat, 24 Sep 2022 21:20:35 GMT
      Content-Type: text/plain
      X-Your-Address-Is: 154.61.71.50
      Content-Encoding: identity
      Expires: Mon, 26 Sep 2022 21:20:35 GMT
  • [CA] GET http://192.160.102.164/tor/server/fp/fe00a3a835680e67fbbc895a724e2657bb253e97 (wermgr.exe)
    Remote address: 192.160.102.164:80
    Request:
      GET /tor/server/fp/fe00a3a835680e67fbbc895a724e2657bb253e97 HTTP/1.0
      Host: 192.160.102.164
    Response:
      HTTP/1.0 200 OK
      Date: Sat, 24 Sep 2022 21:21:08 GMT
      Content-Type: text/plain
      X-Your-Address-Is: 154.61.71.50
      Content-Encoding: identity
      Expires: Mon, 26 Sep 2022 21:21:08 GMT
  • [DE] GET http://5.189.181.61/tor/server/fp/53134d9637d9fbe565fa1e3af82b23cc964c56d6 (wermgr.exe)
    Remote address: 5.189.181.61:80
    Request:
      GET /tor/server/fp/53134d9637d9fbe565fa1e3af82b23cc964c56d6 HTTP/1.0
      Host: 5.189.181.61
    Response:
      HTTP/1.0 200 OK
      Date: Sat, 24 Sep 2022 21:21:53 GMT
      Content-Type: text/plain
      X-Your-Address-Is: 154.61.71.50
      Content-Encoding: identity
      Expires: Mon, 26 Sep 2022 21:21:53 GMT
  • [BG] GET http://77.220.198.179/tor/server/fp/66e19e8c4773086f669a1e06a3f8c23b6c079129 (wermgr.exe)
    Remote address: 77.220.198.179:80
    Request:
      GET /tor/server/fp/66e19e8c4773086f669a1e06a3f8c23b6c079129 HTTP/1.0
      Host: 77.220.198.179
    Response:
      HTTP/1.0 200 OK
      Date: Sat, 24 Sep 2022 21:21:56 GMT
      Content-Type: text/plain
      X-Your-Address-Is: 154.61.71.50
      Content-Encoding: identity
      Expires: Mon, 26 Sep 2022 21:21:56 GMT
  • [US] GET http://199.249.230.167/tor/server/fp/cc8b218ed3615827a5dcf008fc62598def533b4f (wermgr.exe)
    Remote address: 199.249.230.167:80
    Request:
      GET /tor/server/fp/cc8b218ed3615827a5dcf008fc62598def533b4f HTTP/1.0
      Host: 199.249.230.167
    Response:
      HTTP/1.0 200 OK
      Date: Sat, 24 Sep 2022 21:22:35 GMT
      Content-Type: text/plain
      X-Your-Address-Is: 154.61.71.50
      Content-Encoding: identity
      Expires: Mon, 26 Sep 2022 21:22:35 GMT
  • 128.31.0.39:9131, http://128.31.0.39/tor/status-vote/current/consensus, http, wermgr.exe
    Sent 44.0kB / received 2.6MB (955 / 1873 packets)
    HTTP Request: GET http://128.31.0.39/tor/status-vote/current/consensus
    HTTP Response: 200
  • 54.91.59.199:443, api.ipify.org, tls, wermgr.exe
    Sent 394 B / received 259 B (6 / 6 packets)
  • 51.15.249.81:80, http://51.15.249.81/tor/server/fp/bd815c93e9d87ffb32206c3540bd8559003d3325, http, wermgr.exe
    Sent 369 B / received 3.0kB (6 / 6 packets)
    HTTP Request: GET http://51.15.249.81/tor/server/fp/bd815c93e9d87ffb32206c3540bd8559003d3325
    HTTP Response: 200
  • 50.230.231.84:80, tls, http, wermgr.exe
    Sent 3.1kB / received 4.8kB (14 / 11 packets)
  • 185.241.55.132:80, www.convert-unix-time.com, wermgr.exe
    Sent 152 B / received 120 B (3 / 3 packets)
  • 144.172.118.4:80, http://144.172.118.4/tor/server/fp/5bae48b5efa717a4648f3af26467ccbba3bb65ae, http, wermgr.exe
    Sent 416 B / received 4.4kB (7 / 7 packets)
    HTTP Request: GET http://144.172.118.4/tor/server/fp/5bae48b5efa717a4648f3af26467ccbba3bb65ae
    HTTP Response: 200
  • 37.157.197.143:80, http://37.157.197.143/tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc, http, wermgr.exe
    Sent 325 B / received 297 B (5 / 5 packets)
    HTTP Request: GET http://37.157.197.143/tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc
    HTTP Response: 503
  • 185.38.175.133:80, http://185.38.175.133/tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc, http, wermgr.exe
    Sent 325 B / received 297 B (5 / 5 packets)
    HTTP Request: GET http://185.38.175.133/tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc
    HTTP Response: 503
  • 103.214.6.211:80, http://103.214.6.211/tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc, http, wermgr.exe
    Sent 324 B / received 338 B (5 / 5 packets)
    HTTP Request: GET http://103.214.6.211/tor/server/fp/ba9d7fb9ab4ed0fbca56941da22cf7770ba1a4bc
    HTTP Response: 503
  • 199.249.230.157:80, http://199.249.230.157/tor/server/fp/b6f1113306787d4f58faac2759aff0b2eb429441, http, wermgr.exe
    Sent 372 B / received 2.7kB (6 / 6 packets)
    HTTP Request: GET http://199.249.230.157/tor/server/fp/b6f1113306787d4f58faac2759aff0b2eb429441
    HTTP Response: 200
  • 172.106.10.110:443, tls, wermgr.exe
    Sent 372 B / received 259 B (6 / 6 packets)
  • 185.241.55.132:80, www.convert-unix-time.com, wermgr.exe
    Sent 152 B / received 120 B (3 / 3 packets)
  • 192.160.102.164:80, http://192.160.102.164/tor/server/fp/fe00a3a835680e67fbbc895a724e2657bb253e97, http, wermgr.exe
    Sent 464 B / received 7.9kB (8 / 10 packets)
    HTTP Request: GET http://192.160.102.164/tor/server/fp/fe00a3a835680e67fbbc895a724e2657bb253e97
    HTTP Response: 200
  • 199.249.230.65:443, tls, wermgr.exe
    Sent 372 B / received 259 B (6 / 6 packets)
  • 185.241.55.132:80, www.convert-unix-time.com, wermgr.exe
    Sent 152 B / received 120 B (3 / 3 packets)
  • 5.189.181.61:80, http://5.189.181.61/tor/server/fp/53134d9637d9fbe565fa1e3af82b23cc964c56d6, http, wermgr.exe
    Sent 369 B / received 3.8kB (6 / 7 packets)
    HTTP Request: GET http://5.189.181.61/tor/server/fp/53134d9637d9fbe565fa1e3af82b23cc964c56d6
    HTTP Response: 200
  • 37.59.76.255:443, tls, https, wermgr.exe
    Sent 1.9kB / received 4.2kB (11 / 12 packets)
  • 185.241.55.132:80, www.convert-unix-time.com, wermgr.exe
    Sent 152 B / received 120 B (3 / 3 packets)
  • 77.220.198.179:80, http://77.220.198.179/tor/server/fp/66e19e8c4773086f669a1e06a3f8c23b6c079129, http, wermgr.exe
    Sent 573 B / received 7.9kB (10 / 11 packets)
    HTTP Request: GET http://77.220.198.179/tor/server/fp/66e19e8c4773086f669a1e06a3f8c23b6c079129
    HTTP Response: 200
  • 199.249.230.86:443, tls, wermgr.exe
    Sent 372 B / received 259 B (6 / 6 packets)
  • 185.241.55.132:80, www.convert-unix-time.com, wermgr.exe
    Sent 152 B / received 120 B (3 / 3 packets)
  • 199.249.230.167:80, http://199.249.230.167/tor/server/fp/cc8b218ed3615827a5dcf008fc62598def533b4f, http, wermgr.exe
    Sent 372 B / received 2.9kB (6 / 6 packets)
    HTTP Request: GET http://199.249.230.167/tor/server/fp/cc8b218ed3615827a5dcf008fc62598def533b4f
    HTTP Response: 200
  • 45.14.233.159:443, tls, wermgr.exe
    Sent 279 B / received 179 B (4 / 4 packets)
  • 185.241.55.132:80, www.convert-unix-time.com, wermgr.exe
    Sent 152 B / received 120 B (3 / 3 packets)
  • 8.8.8.8:53, api.ipify.org, dns, wermgr.exe
    Sent 59 B / received 164 B (1 / 1 packets)
    DNS Request: api.ipify.org
    DNS Response: 54.91.59.199, 52.20.78.240, 3.232.242.170, 3.220.57.224
  • 8.8.8.8:53, www.convert-unix-time.com, dns, wermgr.exe
    Sent 71 B / received 101 B (1 / 1 packets)
    DNS Request: www.convert-unix-time.com
    DNS Response: 185.241.55.132

MITRE ATT&CK Enterprise v6


Downloads

  • memory/360-54-0x0000000000400000-0x00000000004B9000-memory.dmp (740KB)
  • memory/1732-56-0x0000000075771000-0x0000000075773000-memory.dmp (8KB)
  • memory/1732-57-0x0000000010000000-0x0000000010015000-memory.dmp (84KB)
  • memory/1732-58-0x0000000000220000-0x000000000023D000-memory.dmp (116KB)
  • memory/1732-59-0x0000000000130000-0x00000000001CA000-memory.dmp (616KB)
  • memory/1732-60-0x00000000001D0000-0x00000000001D5000-memory.dmp (20KB)
  • memory/1732-61-0x0000000000130000-0x00000000001CA000-memory.dmp (616KB)
