osiris | 4807f8fce08612cc316476fe34aa497188810fc10102c6c07bf18142655eb252

General

Target

Secure_Viewer.exe_.exe
Size

1.4MB
MD5

0c09489446c609ba6893455661948ac7
SHA1

46e09d46a00ea8f151b661db6332c83695b1cf90
SHA256

4807f8fce08612cc316476fe34aa497188810fc10102c6c07bf18142655eb252
SHA512

07f3211408bb75cb25bad4042e3246320b38cd1d30d77635c38f12687bd90ca5b2f8241883aae0a956a606186b3ec0945dd4ad36c3944c1126aae98f2402ae06

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 2 IoCs

Processes:

cmd.exeGetX64BTIT.exe

pid process

1936 cmd.exe
1248 GetX64BTIT.exe
Loads dropped DLL 2 IoCs

Processes:

notepad.execmd.exe

pid process

2016 notepad.exe
1936 cmd.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
10 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\Secure_Viewer.exe_.job cmd.exe

pid	process
1936	cmd.exe
1248	GetX64BTIT.exe

pid	process
2016	notepad.exe
1936	cmd.exe

flow	ioc
9	api.ipify.org
10	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\Secure_Viewer.exe_.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Secure_Viewer.exe_.exenotepad.execmd.exe

pid	process
1044	Secure_Viewer.exe_.exe
2016	notepad.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

notepad.exe

pid process

2016 notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

1936 cmd.exe

pid	process
2016	notepad.exe

pid	process
1936	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Secure_Viewer.exe_.exenotepad.exe

description	pid	process	target process
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 1044 wrote to memory of 2016	1044	Secure_Viewer.exe_.exe	notepad.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe
PID 2016 wrote to memory of 1936	2016	notepad.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Secure_Viewer.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\Secure_Viewer.exe_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
4⤵
- Executes dropped EXE
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe
MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
8e02df4b54e4444e9812ead4fabe7a28

SHA1
a7715b3098c2fa02adaced93a613963c39bb1d5d

SHA256
d52167b633008ec6311264c9e0c0bc93c91640e503d37b695db4177e4e1bcd2b

SHA512
2b4c0d7f3e3457ec90a3e1a87e3e6747f9b26692875b587485f012d411d5865b10d4a4265d5285e46bf38bc1a236b7a0fc73fe1273982e864022c8b4840b2fe6

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe
MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
memory/1044-5-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/1044-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1248-15-0x0000000000000000-mapping.dmp

Download
memory/1936-9-0x0000000000000000-mapping.dmp

Download
memory/1936-12-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/1936-13-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2016-7-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/2016-6-0x00000000000D0000-0x00000000000D2000-memory.dmp

Filesize
8KB

Download
memory/2016-4-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/2016-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing