osiris | 73feac20d7cdbe1e10ca26b196d60d68ea0c4e652ceacf534b1c549e4e597e74

General

Target

Vidoe001mp4.scr signed FAT11 d.o.o.exe
Size

1.2MB
MD5

0d0c318096299a617f70ea57559c4f55
SHA1

8199b12cc24d416cb8835b5e3d00b92339ad9b45
SHA256

73feac20d7cdbe1e10ca26b196d60d68ea0c4e652ceacf534b1c549e4e597e74
SHA512

b6cfc8df9556683cf4cbef46aa208081853d4132cee94fbcd0a6d9ee2ded5d6dd5987578093eae98c595776b51104613c5bc2e6e42bb543c2c59c2eafa012751

Score

10^/10

spyware banker botnet osiris

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 3 IoCs

Processes:

cmd.exeGetX64BTIT.exe1087323869.exe

pid process

2000 cmd.exe
1116 GetX64BTIT.exe
1504 1087323869.exe
Loads dropped DLL 4 IoCs

Processes:

ipconfig.execmd.exe

pid process

1748 ipconfig.exe
2000 cmd.exe
2000 cmd.exe
2000 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.ipify.org
13 api.ipify.org
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\reg.job cmd.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1748 ipconfig.exe

pid	process
2000	cmd.exe
1116	GetX64BTIT.exe
1504	1087323869.exe

pid	process
1748	ipconfig.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe

flow	ioc
12	api.ipify.org
13	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\reg.job	cmd.exe

pid	process
1748	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 1885 IoCs

Processes:

Vidoe001mp4.scr signed FAT11 d.o.o.exeipconfig.execmd.exe

pid	process
844	Vidoe001mp4.scr signed FAT11 d.o.o.exe
1748	ipconfig.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe
2000	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ipconfig.exe

pid process

1748 ipconfig.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

2000 cmd.exe

pid	process
1748	ipconfig.exe

pid	process
2000	cmd.exe

Suspicious use of WriteProcessMemory 89 IoCs

Processes:

Vidoe001mp4.scr signed FAT11 d.o.o.exeipconfig.exe

description	pid	process	target process
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 844 wrote to memory of 1748	844	Vidoe001mp4.scr signed FAT11 d.o.o.exe	ipconfig.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe
PID 1748 wrote to memory of 2000	1748	ipconfig.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Vidoe001mp4.scr signed FAT11 d.o.o.exe
"C:\Users\Admin\AppData\Local\Temp\Vidoe001mp4.scr signed FAT11 d.o.o.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
2⤵
- Loads dropped DLL
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
4⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\AppData\Local\Temp\{ADE3399C-A26D-40B6-B9AA-F8110B60B8EC}\1087323869.exe
"1087323869.exe"
4⤵
- Executes dropped EXE
PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5
0f4d79e8fa4200c758940cb850a4305f

SHA1
124b16530649b0217a12cc24af58405aaf04fbdc

SHA256
fb0261ecaff75a80438f22c583e1c54256eaf7d7d20b5e6fa235ff176a165815

SHA512
ec31b30b5904c28f26f447d0f385b36da4747d56585227550812e60ec6b19c0649541398e4743928ee99abaa007f5a4dff8f825693c2beebcd83bdc368dee9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ADE3399C-A26D-40B6-B9AA-F8110B60B8EC}\1087323869.exe

MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
\Users\Admin\AppData\Local\Temp\{ADE3399C-A26D-40B6-B9AA-F8110B60B8EC}\1087323869.exe

MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
\Users\Admin\AppData\Local\Temp\{ADE3399C-A26D-40B6-B9AA-F8110B60B8EC}\78981763.dll

MD5
62cdc3a40d41de66201353fca4a24feb

SHA1
46ac41a725f669b0ca0a8fed7f3ccb6c190594f1

SHA256
6eb970a56420a3a3b101661ec5cdda5952cef5887f45a837d4a10db51930935c

SHA512
c046c9035ea542fed3789bc6c92712d4d59f32b7527df9cd53297cb8aab9bfc22a0666b590bbeb955fa2a3858d0d43588b76433796cc4d121bb07298c95dbd6f

Download Submit
memory/1116-9-0x0000000000000000-mapping.dmp

Download
memory/1504-17-0x0000000000000000-mapping.dmp

Download
memory/1556-1-0x000007FEF87B0000-0x000007FEF8A2A000-memory.dmp

Filesize
2.5MB

Download
memory/1748-4-0x00000000046E0000-0x000000000477F000-memory.dmp

Filesize
636KB

Download
memory/1748-0-0x0000000000000000-mapping.dmp

Download
memory/1748-2-0x00000000042C0000-0x0000000004342000-memory.dmp

Filesize
520KB

Download
memory/2000-12-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2000-13-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2000-7-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2000-5-0x0000000000000000-mapping.dmp

Download
memory/2000-16-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads