Analysis
-
max time kernel
151s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
29-12-2023 20:11
General
-
Target
02aa4aac6bc417b73d6ea452194252fe.exe
-
Size
786KB
-
MD5
02aa4aac6bc417b73d6ea452194252fe
-
SHA1
69d4e8942d6c3891a06b988ada2cb8a75fc738b5
-
SHA256
d8c56946b65ffcf4b6aa2bd510fefb626edcc2a135c07e2f0175686aa0e588e6
-
SHA512
c241466c03983fa0809836d61db44c640c2ae16d8349723327b6bf0cc5267c69ecf4c91c74ba7e948655ff3b4bf9dd72046e11d4d9a123f35f1dde40e63c4158
-
SSDEEP
12288:vyxPJa2s86jofrWEuxjcZxyPq8tf8sQ+PRtj3lDsmMHj3N6eiaFmhL+JigD:vyxPJ/s86szWEuKiflOmMDhPEhL+lD
Malware Config
Signatures
-
Osiris
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\02aa4aac6bc417b73d6ea452194252fe.exe"C:\Users\Admin\AppData\Local\Temp\02aa4aac6bc417b73d6ea452194252fe.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\x64btit.txtFilesize
28B
MD5d3a5a780aa57a4b621e48b396b52dbe9
SHA1f01d3314e8fc975b41258bca9ccb382d50cfc30e
SHA256f5fd4b1b4eb899190dd5f6722813773d786709f64907d4cb3b5b85ede105431a
SHA5122b1459c5f02a6a5a2ad6d8b3784991bbda4c54d614c7332edbed3766aabf92fefd4c5b6cce0a64de5aa43d3a770393a9551282e629a77716cc5d312a10185c17
-
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exeFilesize
3KB
MD5b4cd27f2b37665f51eb9fe685ec1d373
SHA17f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA25691f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
memory/2068-6-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB
-
memory/2068-18-0x0000000010000000-0x0000000010016000-memory.dmpFilesize
88KB
-
memory/2068-2-0x0000000000460000-0x00000000004A1000-memory.dmpFilesize
260KB
-
memory/2068-7-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB
-
memory/2068-8-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB
-
memory/2068-9-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB
-
memory/2068-4-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB
-
memory/2068-15-0x0000000000150000-0x000000000021A000-memory.dmpFilesize
808KB
-
memory/2068-3-0x0000000000150000-0x000000000021A000-memory.dmpFilesize
808KB
-
memory/2068-5-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB
-
memory/2068-19-0x0000000000340000-0x000000000035F000-memory.dmpFilesize
124KB
-
memory/2068-20-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB
-
memory/2068-21-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB
-
memory/2068-24-0x0000000000460000-0x00000000004A1000-memory.dmpFilesize
260KB
-
memory/2068-30-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB
-
memory/2068-33-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB
-
memory/2068-35-0x0000000002AC0000-0x0000000002B69000-memory.dmpFilesize
676KB