osiris | 62bd38c89d1a30b03bd89a788d9f2852659f77715c97e5c12445c33f43fa13e5

General

Target

osi.exe
Size

991KB
MD5

918b4df1f8d7b1e18e3e8fccdef3f5de
SHA1

9b8f84e2d239252c83d89c3179f53893574c97a1
SHA256

62bd38c89d1a30b03bd89a788d9f2852659f77715c97e5c12445c33f43fa13e5
SHA512

bd6f8633285547160039a0730f936944f47336af5eda702332de7c23c6eefc2b3a19160dd235d1b5e18ecaefd9949ee847a1875949beac921f5890b6d3f841b8

Score

10^/10

spyware banker botnet osiris

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 3 IoCs

Processes:

cmd.exeGetX64BTIT.exe907402218.exe

pid process

300 cmd.exe
324 GetX64BTIT.exe
2024 907402218.exe
Loads dropped DLL 4 IoCs

Processes:

extrac32.execmd.exe

pid process

1100 extrac32.exe
300 cmd.exe
300 cmd.exe
300 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org
14 api.ipify.org
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\notepad.job cmd.exe

pid	process
300	cmd.exe
324	GetX64BTIT.exe
2024	907402218.exe

pid	process
1100	extrac32.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe

flow	ioc
13	api.ipify.org
14	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\notepad.job	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 1731 IoCs

Processes:

osi.exeextrac32.execmd.exe

pid	process
1164	osi.exe
1100	extrac32.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe
300	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

extrac32.exe

pid process

1100 extrac32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

300 cmd.exe

pid	process
1100	extrac32.exe

pid	process
300	cmd.exe

Suspicious use of WriteProcessMemory 89 IoCs

Processes:

osi.exeextrac32.exe

description	pid	process	target process
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1164 wrote to memory of 1100	1164	osi.exe	extrac32.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe
PID 1100 wrote to memory of 300	1100	extrac32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\osi.exe
"C:\Users\Admin\AppData\Local\Temp\osi.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\system32\extrac32.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:300

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
4⤵
- Executes dropped EXE
PID:324

C:\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\907402218.exe
"907402218.exe"
4⤵
- Executes dropped EXE
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe
MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
3ac29e1fd2da4b6e3b3b4b30ca6e83cf

SHA1
08c76853bb83949e26a2c9d59e6ef244d1cd74f8

SHA256
b8b658921e91f7ea33378f73bba6eb95d0eb5d0448051b504bf099657f2bd902

SHA512
adec073fb527a4e485e1c1fd2a86ba0b7bf0b57f4963c3997a3446c18ae574e6b259ed9d2e41172ca8460abe455a00f9afe4be5bbf5553c4242e3d33cae6c47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\907402218.exe
MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe
MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\907402218.exe
MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\938250656.dll
MD5
62cdc3a40d41de66201353fca4a24feb

SHA1
46ac41a725f669b0ca0a8fed7f3ccb6c190594f1

SHA256
6eb970a56420a3a3b101661ec5cdda5952cef5887f45a837d4a10db51930935c

SHA512
c046c9035ea542fed3789bc6c92712d4d59f32b7527df9cd53297cb8aab9bfc22a0666b590bbeb955fa2a3858d0d43588b76433796cc4d121bb07298c95dbd6f

Download Submit
memory/300-12-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/300-7-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/300-5-0x0000000000000000-mapping.dmp

Download
memory/300-13-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/324-9-0x0000000000000000-mapping.dmp

Download
memory/1100-0-0x0000000000000000-mapping.dmp

Download
memory/1100-4-0x0000000004860000-0x00000000048FF000-memory.dmp

Filesize
636KB

Download
memory/1100-2-0x0000000004440000-0x00000000044C2000-memory.dmp

Filesize
520KB

Download
memory/1904-1-0x000007FEF6BB0000-0x000007FEF6E2A000-memory.dmp

Filesize
2.5MB

Download
memory/2024-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads