osiris | 821f5310b1730641b6578ac9ce0173802db407192afdb30039f941df1ff8f1c2

General

Target

Data Analytics Services Consulting Pte. Ltd.exe
Size

1.5MB
MD5

53a9319f71e5c132dc2ec045908f627d
SHA1

a5a3904a9e99bb8a1d637a4d60163ebedcc85ffc
SHA256

821f5310b1730641b6578ac9ce0173802db407192afdb30039f941df1ff8f1c2
SHA512

8f26e1ac756f4c67db83228b7a9647b7edd3d9614a45829e1a413603758e5272dca861af616397be2b737085c694d88ad729dc7ab3f512c138f70d15ee36e30f

Score

10^/10

banker botnet osiris

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 5 IoCs

Processes:

cmd.execmd.execmd.execmd.exeGetX64BTIT.exe

pid process

2040 cmd.exe
1168 cmd.exe
1164 cmd.exe
832 cmd.exe
1432 GetX64BTIT.exe
Loads dropped DLL 5 IoCs

Processes:

ipconfig.execmd.exe

pid process

1404 ipconfig.exe
1404 ipconfig.exe
1404 ipconfig.exe
1404 ipconfig.exe
832 cmd.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.ipify.org
13 api.ipify.org
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\svm.job cmd.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1404 ipconfig.exe

pid	process
2040	cmd.exe
1168	cmd.exe
1164	cmd.exe
832	cmd.exe
1432	GetX64BTIT.exe

pid	process
1404	ipconfig.exe
1404	ipconfig.exe
1404	ipconfig.exe
1404	ipconfig.exe
832	cmd.exe

flow	ioc
12	api.ipify.org
13	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\svm.job	cmd.exe

pid	process
1404	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 1676 IoCs

Processes:

Data Analytics Services Consulting Pte. Ltd.exeipconfig.execmd.exe

pid	process
1156	Data Analytics Services Consulting Pte. Ltd.exe
1404	ipconfig.exe
1404	ipconfig.exe
1404	ipconfig.exe
1404	ipconfig.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe
832	cmd.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

ipconfig.exe

pid process

1404 ipconfig.exe
1404 ipconfig.exe
1404 ipconfig.exe
1404 ipconfig.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

832 cmd.exe

pid	process
1404	ipconfig.exe
1404	ipconfig.exe
1404	ipconfig.exe
1404	ipconfig.exe

pid	process
832	cmd.exe

Suspicious use of WriteProcessMemory 115 IoCs

Processes:

Data Analytics Services Consulting Pte. Ltd.exeipconfig.exe

description	pid	process	target process
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1156 wrote to memory of 1404	1156	Data Analytics Services Consulting Pte. Ltd.exe	ipconfig.exe
PID 1404 wrote to memory of 2040	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 2040	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 2040	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 2040	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 2040	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 2040	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 2040	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 2040	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 2040	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 2040	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1168	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1168	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1168	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1168	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1168	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1168	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1168	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1168	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1168	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1168	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1164	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1164	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1164	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1164	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1164	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1164	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1164	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1164	1404	ipconfig.exe	cmd.exe
PID 1404 wrote to memory of 1164	1404	ipconfig.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Data Analytics Services Consulting Pte. Ltd.exe
"C:\Users\Admin\AppData\Local\Temp\Data Analytics Services Consulting Pte. Ltd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
2⤵
- Loads dropped DLL
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
3⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
3⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
3⤵
- Executes dropped EXE
PID:1164

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:832

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
4⤵
- Executes dropped EXE
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Download Submit
memory/832-19-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/832-18-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/832-11-0x0000000000000000-mapping.dmp

Download
memory/832-13-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1360-1-0x000007FEF7620000-0x000007FEF789A000-memory.dmp

Filesize
2.5MB

Download
memory/1404-10-0x0000000005570000-0x000000000560F000-memory.dmp

Filesize
636KB

Download
memory/1404-0-0x0000000000000000-mapping.dmp

Download
memory/1404-2-0x00000000042C0000-0x0000000004342000-memory.dmp

Filesize
520KB

Download
memory/1432-15-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing