osiris | ef8ba7d931f440b4c611a539349cdef819f9d0def97dbfbdb694209d09cef511

General

Target

doeihdsjfnajdfuewrywuefhsdkjaf.exe
Size

1.7MB
MD5

4db5926d31dff252464855326a137e2f
SHA1

9cb531b8962467f54264da21426d23445a935ce4
SHA256

ef8ba7d931f440b4c611a539349cdef819f9d0def97dbfbdb694209d09cef511
SHA512

71bda130ffb78a6bd1615984e599006bf6d8f1c5e182dffcb60a4e6a3ba162f6067c7de702f8e275fd9436ef18ab27b686ce75f254d1f40d3c560e7d3f6dc5c2

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

4000 GetX64BTIT.exe

pid	process
4000	GetX64BTIT.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

doeihdsjfnajdfuewrywuefhsdkjaf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	doeihdsjfnajdfuewrywuefhsdkjaf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	doeihdsjfnajdfuewrywuefhsdkjaf.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.ipify.org
19 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Suspicious use of SetThreadContext 1 IoCs

Processes:

doeihdsjfnajdfuewrywuefhsdkjaf.exe

description pid process target process

PID 2256 set thread context of 3616 2256 doeihdsjfnajdfuewrywuefhsdkjaf.exe doeihdsjfnajdfuewrywuefhsdkjaf.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

740 2256 WerFault.exe doeihdsjfnajdfuewrywuefhsdkjaf.exe

flow	ioc
18	api.ipify.org
19	api.ipify.org

description	pid	process	target process
PID 2256 set thread context of 3616	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe

pid	pid_target	process	target process
740	2256	WerFault.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe

Modifies registry class 6 IoCs

Processes:

doeihdsjfnajdfuewrywuefhsdkjaf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\ = "Microsoft Windows Installer Message RPC"	doeihdsjfnajdfuewrywuefhsdkjaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\DllVersion	doeihdsjfnajdfuewrywuefhsdkjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\DllVersion\ = "5.0.15063"	doeihdsjfnajdfuewrywuefhsdkjaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\ProgId	doeihdsjfnajdfuewrywuefhsdkjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\ProgId\ = "WindowsInstaller.Message"	doeihdsjfnajdfuewrywuefhsdkjaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}	doeihdsjfnajdfuewrywuefhsdkjaf.exe

NTFS ADS 2 IoCs

Processes:

doeihdsjfnajdfuewrywuefhsdkjaf.exe

description	ioc	process
File created	C:\ProgramData\TEMP:AC6CA6CF	doeihdsjfnajdfuewrywuefhsdkjaf.exe
File opened for modification	C:\ProgramData\TEMP:AC6CA6CF	doeihdsjfnajdfuewrywuefhsdkjaf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

doeihdsjfnajdfuewrywuefhsdkjaf.exeWerFault.exe

pid	process
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe
3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

doeihdsjfnajdfuewrywuefhsdkjaf.exeWerFault.exe

description	pid	process
Token: 33	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe
Token: SeIncBasePriorityPrivilege	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe
Token: SeRestorePrivilege	740	WerFault.exe
Token: SeBackupPrivilege	740	WerFault.exe
Token: SeDebugPrivilege	740	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

doeihdsjfnajdfuewrywuefhsdkjaf.exe

pid process

3616 doeihdsjfnajdfuewrywuefhsdkjaf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

doeihdsjfnajdfuewrywuefhsdkjaf.exedoeihdsjfnajdfuewrywuefhsdkjaf.exe

description	pid	process	target process
PID 2256 wrote to memory of 3616	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe
PID 2256 wrote to memory of 3616	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe
PID 2256 wrote to memory of 3616	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe
PID 2256 wrote to memory of 3616	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe
PID 2256 wrote to memory of 3616	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe
PID 2256 wrote to memory of 3616	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe
PID 2256 wrote to memory of 3616	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe
PID 2256 wrote to memory of 3616	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe
PID 2256 wrote to memory of 3616	2256	doeihdsjfnajdfuewrywuefhsdkjaf.exe	doeihdsjfnajdfuewrywuefhsdkjaf.exe
PID 3616 wrote to memory of 4000	3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe	GetX64BTIT.exe
PID 3616 wrote to memory of 4000	3616	doeihdsjfnajdfuewrywuefhsdkjaf.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\doeihdsjfnajdfuewrywuefhsdkjaf.exe
"C:\Users\Admin\AppData\Local\Temp\doeihdsjfnajdfuewrywuefhsdkjaf.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\doeihdsjfnajdfuewrywuefhsdkjaf.exe
"C:\Users\Admin\AppData\Local\Temp\doeihdsjfnajdfuewrywuefhsdkjaf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
3⤵
- Executes dropped EXE
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1000
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
3c73d9862f52d0bfd87b1b5585b9d364

SHA1
1f54165fcc1bee95a4cbac69ffe5d57164cbd705

SHA256
7c2fee000ab933db614e0b9cceb657a5eef44068ea2f6626a087fdb19493e101

SHA512
88089adc50aaecb3ae9e33c27814fb5316da82eca5a810f5258646a42d6be29a0651891e061a789ac737fed4b21521b4d04d2803a6495b1c6bcd98f4dea34355

Download Submit
memory/2256-118-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/3616-120-0x0000000000401698-mapping.dmp

Download
memory/3616-119-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3616-121-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3616-125-0x00000000006B0000-0x000000000074F000-memory.dmp

Filesize
636KB

Download
memory/4000-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads