Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2024 08:43
Behavioral task: behavioral1
Sample: Payload94.754.225.exe
Resource: win7-20240903-en
General
Target: Payload94.754.225.exe
Size: 609KB
MD5: 987a79c800f109491dcbfbc589f940f2
SHA1: d0a7eedc6b908ffc728f287036696fd0688436f7
SHA256: 07457423012b530efe135d313c7c3d509c0ec8f13dacd5751ddfce7c311182c7
SHA512: 959c7e45f4ae3ab901f7aad2ed3d5d74861aa9d812df0bf1bd499afd759a2811b98dbba43e143c3a90f8fa7c4b7d8592e1aa60402de8cc62da409c30aad118ac
SSDEEP: 12288:KZ543M5v7Kc3ygT2lXVCllX8peI7cQitqUmyq+1pmhM:SUiL3yjXUlu0I7vitqUmyq+1paM
Malware Config
Signatures

Osiris family

Executes dropped EXE  (1 IoC)
  pid  | Process
  1300 | GetX64BTIT.exe

Looks up external IP address via web service  (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP. The domain itself is benign and widely used, so the indicator worth acting on is the requesting process, not the destination.
  flow | ioc
  27   | api.ipify.org
  26   | api.ipify.org

Uses Tor communications  (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity. This is a behavioural TTP flag only; the report lists no Tor-related network IoC for it.

YARA rule match: upx  (1 IoC)
  resource                                                                    | yara_rule
  behavioral2/memory/3948-1-0x0000000000400000-0x00000000051C1000-memory.dmp | upx

System Location Discovery: System Language Discovery  (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Payload94.754.225.exe

Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  pid  | Process
  3948 | Payload94.754.225.exe  (this one entry is repeated 64 times in the report)

Suspicious use of SetWindowsHookEx  (1 IoC)
  pid  | Process
  3948 | Payload94.754.225.exe

Suspicious use of WriteProcessMemory  (2 IoCs)
  The target, PID 1300, is the dropped GetX64BTIT.exe that the sample itself launched; a parent writing into the memory of a child it has just created is the pattern to correlate with the process tree below when hunting for process injection.
  description                      | pid  | Process               | procid_target
  PID 3948 wrote to memory of 1300 | 3948 | Payload94.754.225.exe | 84
  PID 3948 wrote to memory of 1300 | 3948 | Payload94.754.225.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\Payload94.754.225.exe  "C:\Users\Admin\AppData\Local\Temp\Payload94.754.225.exe"  (level 1, PID 3948)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"  (level 2, child of PID 3948, PID 1300)
    - Executes dropped EXE
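To make the report's signatures inspectable rather than opaque labels, the following Python is an added example written for this page; it is not the sandbox's own detection engine. It re-implements four of the signatures above (dropped-EXE execution, external IP lookup, NLS\Language registry access, cross-process memory write) and the process-tree rendering over a constructed list of simplified Sysmon-style events. The event field names are my simplification, the PIDs and paths mirror the report, and the two extra IP-lookup domains beyond api.ipify.org are my additions.

```python
from collections import defaultdict

# PROCESS_VM_WRITE (winnt.h): the access right needed to write into another
# process's address space; its presence in an access mask is what we key on.
PROCESS_VM_WRITE = 0x0020

# Public "what is my IP" services. api.ipify.org is the one in the report; the
# other two are my additions as commonly abused equivalents.
IP_LOOKUP_SERVICES = {"api.ipify.org", "icanhazip.com", "ifconfig.me"}

# Suffix of the registry value the report shows being opened (MITRE T1614.001).
NLS_LANGUAGE_KEY = r"\control\nls\language"

# Constructed Sysmon-style events (field names simplified; not real telemetry).
# eid 1 = ProcessCreate, 10 = ProcessAccess, 11 = FileCreate,
# 12/13 = registry open/set, 22 = DNS query. PIDs mirror the report.
SAMPLE_EVENTS = [
    {"eid": 1, "pid": 3948, "ppid": 600,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Payload94.754.225.exe"},
    {"eid": 13, "pid": 3948,
     "target": r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"eid": 22, "pid": 3948, "query": "api.ipify.org"},
    {"eid": 11, "pid": 3948,
     "file": r"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"},
    {"eid": 1, "pid": 1300, "ppid": 3948,
     "image": r"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"},
    {"eid": 10, "pid": 3948, "target_pid": 1300, "access": 0x1FFFFF},
    # Benign controls: an unrelated DNS lookup and a process opening itself.
    {"eid": 1, "pid": 2222, "ppid": 600,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"eid": 22, "pid": 2222, "query": "example.com"},
    {"eid": 10, "pid": 2222, "target_pid": 2222, "access": 0x1FFFFF},
]


def run_signatures(events):
    """Return {pid: set(signature names)} after one pass over the events."""
    hits = defaultdict(set)
    dropped = {}  # lowercase path -> pid of the process that created the file
    for ev in events:
        pid = ev["pid"]
        if ev["eid"] == 11:
            dropped[ev["file"].lower()] = pid
        elif ev["eid"] == 1:
            # "Dropped EXE": the image was written earlier by a different process.
            creator = dropped.get(ev["image"].lower())
            if creator is not None and creator != pid:
                hits[pid].add("Executes dropped EXE")
        elif ev["eid"] == 22 and ev["query"].lower() in IP_LOOKUP_SERVICES:
            hits[pid].add("Looks up external IP address via web service")
        elif ev["eid"] in (12, 13) and ev["target"].lower().endswith(NLS_LANGUAGE_KEY):
            hits[pid].add("System Location Discovery: System Language Discovery")
        elif ev["eid"] == 10 and ev["target_pid"] != pid and ev["access"] & PROCESS_VM_WRITE:
            # Only cross-process handles with write rights count; self-access is noise.
            hits[pid].add("Suspicious use of WriteProcessMemory")
    return dict(hits)


def process_tree(events):
    """Return {pid: (ppid, image)} from ProcessCreate events."""
    return {ev["pid"]: (ev["ppid"], ev["image"]) for ev in events if ev["eid"] == 1}


def render_tree(tree, root):
    """Indented text tree in the style of the report's Processes section."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{tree[pid][1]}  PID:{pid}")
        for child, (ppid, _) in sorted(tree.items()):
            if ppid == pid:
                walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    for pid, sigs in sorted(run_signatures(SAMPLE_EVENTS).items()):
        print(pid, sorted(sigs))
    print(render_tree(process_tree(SAMPLE_EVENTS), 3948))
```

Run against the constructed events, PID 3948 picks up the IP lookup, language discovery and cross-process write signatures, PID 1300 is flagged only as a dropped EXE, and the Firefox control process matches nothing; that separation (benign domain resolved by a benign process, self-access without a foreign target) is the point of keying on the requesting process and the target PID rather than on the destination alone.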
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 3KB
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download 2
  Filesize: 28B
  MD5: 5f2d059ff3e82973035f7b1504a538f9
  SHA1: 13b33ec820908685b98b2378fb35f6218875967e
  SHA256: 293c3e830500832aa2fb17a9a15eb881b6e8d625604c6051b1f912f3749bb241
  SHA512: 9f4725142ee25bfbb349025862a4d811919d22c9d7aac8de60d9ce7efe6d940669df2a54f3257a6180d967b62e665d186eb4e22dfbe6cdf887e39b589cc24b92