Resubmissions
09-04-2024 12:50
240409-p3e4kaaf7v 1009-04-2024 12:50
240409-p3d69saf7s 1009-04-2024 12:50
240409-p3dkqsfd36 1009-04-2024 12:50
240409-p3cy7saf61 10Analysis
-
max time kernel
1200s -
max time network
1201s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09-04-2024 12:50
Static task
static1
Behavioral task
behavioral1
Sample
osiris.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
osiris.exe
Resource
win10-20240319-en
Behavioral task
behavioral3
Sample
osiris.exe
Resource
win10v2004-20240226-en
General
-
Target
osiris.exe
-
Size
434KB
-
MD5
64876d5de7061e925e29f6a0c87cea9b
-
SHA1
51d6ed277b85b07974d450a9b3441c780467613f
-
SHA256
01d5f1b32235b5d5ba5970d56639d82aa3d83b57ec08c79b3580fd0c88ef1c29
-
SHA512
2dfe245cd058d10ac35c441238c52dcb08db8c565786d5824baf9cbd2846f2a4803709d4e9850add7f4c8e6ea5f37c23c66423820a9d6af2b7da8ddf74b6cb1b
-
SSDEEP
12288:rXPcLcbGfVylwG/ZDCK/ScBXo8TsyMkKMY8m7WOK9SATTsx/SA/WegYfdNbrqnuv:rXh6XcBXo8TsL8Y8m/ATTySA/DrfdNbV
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4260 GetX64BTIT.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 api.ipify.org 23 api.ipify.org -
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe 3260 osiris.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3260 osiris.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3260 wrote to memory of 4260 3260 osiris.exe 89 PID 3260 wrote to memory of 4260 3260 osiris.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\osiris.exe"C:\Users\Admin\AppData\Local\Temp\osiris.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"2⤵
- Executes dropped EXE
PID:4260
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5b4cd27f2b37665f51eb9fe685ec1d373
SHA17f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA25691f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
Filesize
28B
MD59fa60c5f103bd63d670ccd64b03f630b
SHA18549ecdd44a0a5dce2fabdcf746c3dae4eb17abc
SHA256871a86e5cf0ecce5cb95c37640b8b781ac12cdc59fb35dfceeef00231939df66
SHA512fdfe394e79b589cf1019f3e87a65a737fad299d3e2c8e7ccd0373cccfa8286bd156533284c5b8219aa1cac8c84a2b2491dc5dcbd531782657e956f7dd2094956