osiris | ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

General

Target

gvim.exe
Size

3.6MB
MD5

8e8f7ff797c292231959e4dd410a98da
SHA1

5fba19ae9f76b445d96dbca71f53113492b09d49
SHA256

ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b
SHA512

c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Score

10^/10

osiris banker botnet ransomware

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

1020 GetX64BTIT.exe

pid	process
1020	GetX64BTIT.exe

Drops startup file 2 IoCs

Processes:

DllHost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe	DllHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe	DllHost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
15 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

flow	ioc
14	api.ipify.org
15	api.ipify.org

Suspicious behavior: EnumeratesProcesses 1118 IoCs

Processes:

gvim.exegvim.exe

pid	process
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
984	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe
3960	gvim.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

gvim.exe

description pid process

Token: SeSecurityPrivilege 984 gvim.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gvim.exe

pid process

3960 gvim.exe

description	pid	process
Token: SeSecurityPrivilege	984	gvim.exe

pid	process
3960	gvim.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

gvim.exegvim.exe

description	pid	process	target process
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 984 wrote to memory of 3960	984	gvim.exe	gvim.exe
PID 3960 wrote to memory of 1020	3960	gvim.exe	GetX64BTIT.exe
PID 3960 wrote to memory of 1020	3960	gvim.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\gvim.exe
"C:\Users\Admin\AppData\Local\Temp\gvim.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\gvim.exe
"C:\Users\Admin\AppData\Local\Temp\gvim.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
3⤵
- Executes dropped EXE
PID:1020

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
fc4747500995e881074f73823f62574a

SHA1
98228c70d4e935d615807437343e130606479556

SHA256
19cab3c6e2105507f20edf2516ec11a2f6d21418bd138ab898282c1d765a9468

SHA512
76bef01b67687ac7785e14020996f9c6c968b3e5be5007102f356ccf37203bc7c20bf87c509030011b7224996f1d30f41a63fdb7c8a5810ca1d2f5a69ba76e38

Download Submit
memory/984-2-0x0000000002940000-0x00000000029BB000-memory.dmp

Filesize
492KB

Download
memory/984-6-0x00000000041C0000-0x000000000434E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-10-0x0000000000000000-mapping.dmp

Download
memory/3960-3-0x0000000000000000-mapping.dmp

Download
memory/3960-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3960-7-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/3960-9-0x00000000025B0000-0x0000000002659000-memory.dmp

Filesize
676KB

Download
memory/3960-8-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads