Analysis

max time kernel: 150s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-11-2024 08:43

Behavioral task: behavioral1
Sample: Payload94.754.225.exe
Resource: win7-20240903-en

General

Target: Payload94.754.225.exe
Size: 609KB
MD5: 987a79c800f109491dcbfbc589f940f2
SHA1: d0a7eedc6b908ffc728f287036696fd0688436f7
SHA256: 07457423012b530efe135d313c7c3d509c0ec8f13dacd5751ddfce7c311182c7
SHA512: 959c7e45f4ae3ab901f7aad2ed3d5d74861aa9d812df0bf1bd499afd759a2811b98dbba43e143c3a90f8fa7c4b7d8592e1aa60402de8cc62da409c30aad118ac
SSDEEP: 12288:KZ543M5v7Kc3ygT2lXVCllX8peI7cQitqUmyq+1pmhM:SUiL3yjXUlu0I7vitqUmyq+1paM
Malware Config

Signatures

Osiris family

Executes dropped EXE (1 IoC)
pid 1728: GetX64BTIT.exe

Loads dropped DLL (1 IoC)
pid 2404: Payload94.754.225.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 4: api.ipify.org
flow 3: api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

yara_rule upx (1 IoC)
resource: behavioral1/memory/2404-1-0x0000000000400000-0x00000000051C1000-memory.dmp

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Payload94.754.225.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2404: Payload94.754.225.exe (64 occurrences)

Suspicious use of SetWindowsHookEx (1 IoC)
pid 2404: Payload94.754.225.exe

Suspicious use of WriteProcessMemory (4 IoCs)
PID 2404 (Payload94.754.225.exe) wrote to memory of PID 1728 (procid_target 30), 4 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\Payload94.754.225.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payload94.754.225.exe"
   PID: 2404
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (child of PID 2404)
   Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
   PID: 1728
   - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads