Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-11-2024 08:35
Behavioral task
behavioral1
Sample
Payload 94.75 (4).225.exe
Resource
win7-20240903-en
General
-
Target
Payload 94.75 (4).225.exe
-
Size
609KB
-
MD5
987a79c800f109491dcbfbc589f940f2
-
SHA1
d0a7eedc6b908ffc728f287036696fd0688436f7
-
SHA256
07457423012b530efe135d313c7c3d509c0ec8f13dacd5751ddfce7c311182c7
-
SHA512
959c7e45f4ae3ab901f7aad2ed3d5d74861aa9d812df0bf1bd499afd759a2811b98dbba43e143c3a90f8fa7c4b7d8592e1aa60402de8cc62da409c30aad118ac
-
SSDEEP
12288:KZ543M5v7Kc3ygT2lXVCllX8peI7cQitqUmyq+1pmhM:SUiL3yjXUlu0I7vitqUmyq+1paM
Malware Config
Signatures
-
Osiris family
-
Executes dropped EXE 1 IoCs
pid   Process
2436  GetX64BTIT.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
32    api.ipify.org
33    api.ipify.org
-
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
resource                                                                     yara_rule
behavioral2/memory/1376-1-0x0000000000400000-0x00000000051C1000-memory.dmp  upx
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Payload 94.75 (4).225.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1376  Payload 94.75 (4).225.exe  (64 identical entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
1376  Payload 94.75 (4).225.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
description                        pid   Process                    procid_target
PID 1376 wrote to memory of 2436   1376  Payload 94.75 (4).225.exe  86
PID 1376 wrote to memory of 2436   1376  Payload 94.75 (4).225.exe  86
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Payload 94.75 (4).225.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payload 94.75 (4).225.exe"
   PID: 1376
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (child of PID 1376)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      PID: 2436
      - Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5
b4cd27f2b37665f51eb9fe685ec1d373
SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
Filesize
28B
MD5
041c9f01d3bce7038fc2dd9f02c7afea
SHA1
954ca3575fdd9575fe3f0bf073568db29bd760e1
SHA256
0c81082be3bcfee9ba35db8d0bf0668d9d8e926e43acbbd46b1aaf1dc9907e18
SHA512
7fb2c4dc5da52db3d06a1eae56d0c9bc6badcf19a76f5022cb5c5ac3e8cef5ee2eb409e452b447f9e5c27a23c6f0692d58b50e346a62c998e660449b0bac3550