Analysis Overview
SHA256
107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8
Threat Level: Known bad
The file 107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe was found to be: Known bad.
Malicious Activity Summary
Osiris
Osiris family
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Uses Tor communications
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 19:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 19:44
Reported
2024-11-22 19:46
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Osiris
Osiris family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2736 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 2736 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 2736 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 2736 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe
"C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 154.35.175.225:80 | | tcp |
| US | 204.13.164.118:80 | 204.13.164.118 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| FI | 65.109.67.182:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 172.86.74.6:443 | | tcp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| PL | 185.241.208.242:443 | | tcp |
Files
memory/2736-0-0x0000000000400000-0x000000000047C000-memory.dmp
memory/2736-3-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2736-4-0x0000000000400000-0x000000000047C000-memory.dmp
memory/2736-2-0x0000000000540000-0x0000000000640000-memory.dmp
memory/2736-5-0x0000000000400000-0x000000000047C000-memory.dmp
memory/2736-7-0x0000000000350000-0x00000000003EF000-memory.dmp
memory/2736-6-0x0000000000350000-0x00000000003EF000-memory.dmp
memory/2736-10-0x0000000000350000-0x00000000003EF000-memory.dmp
memory/2736-9-0x0000000000350000-0x00000000003EF000-memory.dmp
memory/2736-8-0x0000000000350000-0x00000000003EF000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
| --- | --- |
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| Hash | Value |
| --- | --- |
| MD5 | e87f9dc1ff0a80585af0bb5350dad55a |
| SHA1 | fc982378a5cd5ec5fa571b29119a24462179ef2d |
| SHA256 | c7e24756ba074b7b40016e4331fbfe5de52614990742d09b0d5c4f09fe133bd3 |
| SHA512 | 4b81eda50b2cbecbd775d72a4995aec940350ec5f538208e68e2ce9e018fbbd0032c4eed691e46592ed761d0cb9cb90f3a291f187f63e9d4c01287976cc53866 |
memory/2736-18-0x0000000010000000-0x0000000010015000-memory.dmp
memory/2736-20-0x0000000000790000-0x00000000007AE000-memory.dmp
memory/2736-23-0x0000000000350000-0x00000000003EF000-memory.dmp
memory/2736-22-0x0000000000350000-0x00000000003EF000-memory.dmp
memory/2736-24-0x0000000000540000-0x0000000000640000-memory.dmp
memory/2736-25-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2736-28-0x0000000000350000-0x00000000003EF000-memory.dmp
memory/2736-29-0x0000000000350000-0x00000000003EF000-memory.dmp
memory/2736-34-0x0000000000350000-0x00000000003EF000-memory.dmp
memory/2736-39-0x0000000000350000-0x00000000003EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 19:44
Reported
2024-11-22 19:46
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
93s
Command Line
Signatures
Osiris
Osiris family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4812 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 4812 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe
"C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| SE | 171.25.193.9:443 | 171.25.193.9 | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.193.25.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 138.68.47.190:443 | | tcp |
| US | 8.8.8.8:53 | time-a.nist.gov | udp |
| US | 129.6.15.28:13 | time-a.nist.gov | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.219.218.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.47.68.138.in-addr.arpa | udp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| US | 8.8.8.8:53 | 28.15.6.129.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 244.244.23.193.in-addr.arpa | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 11.35.66.45.in-addr.arpa | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| GB | 94.72.98.8:443 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 8.98.72.94.in-addr.arpa | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 65.43.218.203:443 | | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 203.218.43.65.in-addr.arpa | udp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| SE | 193.189.100.194:443 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 194.100.189.193.in-addr.arpa | udp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 23.92.34.106:443 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| US | 8.8.8.8:53 | 106.34.92.23.in-addr.arpa | udp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| CH | 185.195.71.8:443 | | tcp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| US | 8.8.8.8:53 | 8.71.195.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.125.209.23.in-addr.arpa | udp |
Files
memory/4812-0-0x0000000000400000-0x000000000047C000-memory.dmp
memory/4812-2-0x0000000000610000-0x0000000000710000-memory.dmp
memory/4812-3-0x0000000000A10000-0x0000000000A64000-memory.dmp
memory/4812-4-0x0000000000400000-0x0000000000456000-memory.dmp
memory/4812-5-0x0000000000400000-0x000000000047C000-memory.dmp
memory/4812-8-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-6-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-7-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-9-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-10-0x0000000000A80000-0x0000000000B1F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| Hash | Value |
| --- | --- |
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| Hash | Value |
| --- | --- |
| MD5 | 01a253ed9300c4067dd07b4d6753407d |
| SHA1 | 85b496cb57f24d660b0bff2cfbe04c75021f8e82 |
| SHA256 | 94edd4bc14314b7507ac1087705d3132b22aab913e7069daed88bb97ea412cd9 |
| SHA512 | 5fe6ffc1892874b9bf26f078236b9b36464b1efcb8179c7517b5b3354f2f2b334e0fe1482113568818c88c21b1cdc70fcb004227972d88b3bf2f24bb86fb0228 |
memory/4812-18-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-17-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-19-0x0000000000610000-0x0000000000710000-memory.dmp
memory/4812-20-0x0000000000A10000-0x0000000000A64000-memory.dmp
memory/4812-21-0x0000000000400000-0x0000000000456000-memory.dmp
memory/4812-23-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-25-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-28-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-30-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-33-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-35-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-37-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-39-0x0000000000A80000-0x0000000000B1F000-memory.dmp
memory/4812-42-0x0000000000A80000-0x0000000000B1F000-memory.dmp