Analysis Overview
SHA256
107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8
Threat Level: Known bad
The file 107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe was found to be: Known bad.
Malicious Activity Summary
Osiris
Osiris family
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Uses Tor communications
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 19:47
Reported
2024-11-22 19:49
Platform
win7-20240903-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Osiris
Osiris family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2232 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe
"C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | e54affface1f009cf8ec205c4e886156 |
| SHA1 | 9c5a5b12ec02f0b0944c812ac2faa0dec0d82da0 |
| SHA256 | 80a450dd3f6840d37a904ace63200c94eb246a4625618ec94c2f27baf8ce2775 |
| SHA512 | fcbf0f0ec4090d843867454a93328306f5b26fae038505091ce2b148c06ca1bd320e14f708915f46ec6e4ddacd3a9f19a53dd9eb4b0226cb8876fcaa4a2c3bf4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 19:47
Reported
2024-11-22 19:49
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Osiris
Osiris family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5076 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe
"C:\Users\Admin\AppData\Local\Temp\107c83149d4b19b7875d6ec1e0251899662d48dcd13996b9e07a93d378f156b8.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | f6c63267dc26d028b216899884727fe5 |
| SHA1 | 3dc14c9238e5a21a87b809a613bbd602a08a9c17 |
| SHA256 | 03752ec747a148b54b9e190129a37365d5a694201830cadcbb93880b7393f2ec |
| SHA512 | 0f25b0cdf79335091661798cbdc754e4833a833e1ca7a49253cfe2bb7650829b91e5187569a5a41aa7a0417880387542f9c8b0c1404cbe2e299abede8b1dc2f0 |