osiris | da767e6faf97d73997f397eae71b372a549dd6331bf8ec0ebd398ef8cfe9a47e

General

Target

c7c0d5c274eadf534eea3203e6c026258144c68e.exe
Size

434KB
MD5

0450cf37e2dd4058563f73f6ca7940e5
SHA1

c7c0d5c274eadf534eea3203e6c026258144c68e
SHA256

da767e6faf97d73997f397eae71b372a549dd6331bf8ec0ebd398ef8cfe9a47e
SHA512

2d48fe05f18934808609d121e2dff8596016406002f221d90154903b09b40d409f805aba51ed8801ae572f20e1005fc104d83ead4b05eeab7ea39c8063a06ef3

Score

10^/10

osiris banker botnet spyware

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 2 IoCs

Processes:

GetX64BTIT.exe1621222759.exe

pid process

2464 GetX64BTIT.exe
3292 1621222759.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.ipify.org
11 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1164 4092 WerFault.exe c7c0d5c274eadf534eea3203e6c026258144c68e.exe

pid	process
2464	GetX64BTIT.exe
3292	1621222759.exe

flow	ioc
10	api.ipify.org
11	api.ipify.org

pid	pid_target	process	target process
1164	4092	WerFault.exe	c7c0d5c274eadf534eea3203e6c026258144c68e.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

c7c0d5c274eadf534eea3203e6c026258144c68e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	c7c0d5c274eadf534eea3203e6c026258144c68e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c7c0d5c274eadf534eea3203e6c026258144c68e.exe

pid	process
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe
4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1164 WerFault.exe
Token: SeBackupPrivilege 1164 WerFault.exe
Token: SeDebugPrivilege 1164 WerFault.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c7c0d5c274eadf534eea3203e6c026258144c68e.exe

pid process

4092 c7c0d5c274eadf534eea3203e6c026258144c68e.exe

description	pid	process
Token: SeRestorePrivilege	1164	WerFault.exe
Token: SeBackupPrivilege	1164	WerFault.exe
Token: SeDebugPrivilege	1164	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c7c0d5c274eadf534eea3203e6c026258144c68e.exe

description	pid	process	target process
PID 4092 wrote to memory of 2464	4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe	GetX64BTIT.exe
PID 4092 wrote to memory of 2464	4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe	GetX64BTIT.exe
PID 4092 wrote to memory of 3292	4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe	1621222759.exe
PID 4092 wrote to memory of 3292	4092	c7c0d5c274eadf534eea3203e6c026258144c68e.exe	1621222759.exe

C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe
"C:\Users\Admin\AppData\Local\Temp\c7c0d5c274eadf534eea3203e6c026258144c68e.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
2⤵
- Executes dropped EXE
PID:2464

C:\Users\Admin\AppData\Local\Temp\{3BD5DEEE-4B67-4997-9BE5-608480F9EE8B}\1621222759.exe
"1621222759.exe"
2⤵
- Executes dropped EXE
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1124
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
a742ab998f10bc57fefced9174d4f4f5

SHA1
7deca2a2f7a5dda43cc429d84ec68d6dc34edcb6

SHA256
3f050f8f9cdde50075e189c6f7a76508f3b9585ec7025974221fe893d4c8ae03

SHA512
415fb9e5e69dd38eb59deba84863671643717d0a12b0a1dc9a1ced38dabf01dff63b0a4ef4d3ab20305bc865deb73c174fde61616513328fbb41b401e8742ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BD5DEEE-4B67-4997-9BE5-608480F9EE8B}\1621222759.exe
MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BD5DEEE-4B67-4997-9BE5-608480F9EE8B}\1621222759.exe
MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
memory/1164-9-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/2464-2-0x0000000000000000-mapping.dmp

Download
memory/3292-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads