osiris | 1a62aee18b370678c1f2548f9df718ed7d1116be318069f322fa938722f0b15c

General

Target

asdkqw9uekmkvncmniudsheq.exe
Size

1.7MB
MD5

0bd58bdac43ab10d35d40120cd120fe0
SHA1

d27a84dd4541bdd6a1fe8d6b2efb653249e01d93
SHA256

1a62aee18b370678c1f2548f9df718ed7d1116be318069f322fa938722f0b15c
SHA512

d0166b8da20a73df38b91b0a11e661bd83550a2a462da1ae3f2d929a4cd39afa093b32eb20a1b4ef835ad3a66eeca382a3128bc6c0915834f3c4917e36691657

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

2348 GetX64BTIT.exe

pid	process
2348	GetX64BTIT.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

asdkqw9uekmkvncmniudsheq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	asdkqw9uekmkvncmniudsheq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	asdkqw9uekmkvncmniudsheq.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 api.ipify.org
21 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Suspicious use of SetThreadContext 1 IoCs

Processes:

asdkqw9uekmkvncmniudsheq.exe

description pid process target process

PID 2116 set thread context of 3424 2116 asdkqw9uekmkvncmniudsheq.exe asdkqw9uekmkvncmniudsheq.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3976 2116 WerFault.exe asdkqw9uekmkvncmniudsheq.exe

flow	ioc
20	api.ipify.org
21	api.ipify.org

description	pid	process	target process
PID 2116 set thread context of 3424	2116	asdkqw9uekmkvncmniudsheq.exe	asdkqw9uekmkvncmniudsheq.exe

pid	pid_target	process	target process
3976	2116	WerFault.exe	asdkqw9uekmkvncmniudsheq.exe

Modifies registry class 14 IoCs

Processes:

asdkqw9uekmkvncmniudsheq.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\ = "Bitmap Image"	asdkqw9uekmkvncmniudsheq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\MiscStatus	asdkqw9uekmkvncmniudsheq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\ProgID\ = "PBrush"	asdkqw9uekmkvncmniudsheq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\Conversion	asdkqw9uekmkvncmniudsheq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\Ole1Class	asdkqw9uekmkvncmniudsheq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}	asdkqw9uekmkvncmniudsheq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\Conversion\Readable	asdkqw9uekmkvncmniudsheq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\ProgID	asdkqw9uekmkvncmniudsheq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\TreatAs\ = "{D3E34B21-9D75-101A-8C3D-00AA001A1652}"	asdkqw9uekmkvncmniudsheq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\Conversion\Readable\Main	asdkqw9uekmkvncmniudsheq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\Conversion\Readable\Main\ = "8"	asdkqw9uekmkvncmniudsheq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\MiscStatus\ = "512"	asdkqw9uekmkvncmniudsheq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\Ole1Class\ = "PBrush"	asdkqw9uekmkvncmniudsheq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\TreatAs	asdkqw9uekmkvncmniudsheq.exe

NTFS ADS 2 IoCs

Processes:

asdkqw9uekmkvncmniudsheq.exe

description	ioc	process
File created	C:\ProgramData\TEMP:AC6CA6CF	asdkqw9uekmkvncmniudsheq.exe
File opened for modification	C:\ProgramData\TEMP:AC6CA6CF	asdkqw9uekmkvncmniudsheq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

asdkqw9uekmkvncmniudsheq.exeWerFault.exe

pid	process
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3976	WerFault.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe
3424	asdkqw9uekmkvncmniudsheq.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

asdkqw9uekmkvncmniudsheq.exeWerFault.exe

description	pid	process
Token: 33	2116	asdkqw9uekmkvncmniudsheq.exe
Token: SeIncBasePriorityPrivilege	2116	asdkqw9uekmkvncmniudsheq.exe
Token: SeRestorePrivilege	3976	WerFault.exe
Token: SeBackupPrivilege	3976	WerFault.exe
Token: SeDebugPrivilege	3976	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

asdkqw9uekmkvncmniudsheq.exe

pid process

3424 asdkqw9uekmkvncmniudsheq.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

asdkqw9uekmkvncmniudsheq.exeasdkqw9uekmkvncmniudsheq.exe

description	pid	process	target process
PID 2116 wrote to memory of 3424	2116	asdkqw9uekmkvncmniudsheq.exe	asdkqw9uekmkvncmniudsheq.exe
PID 2116 wrote to memory of 3424	2116	asdkqw9uekmkvncmniudsheq.exe	asdkqw9uekmkvncmniudsheq.exe
PID 2116 wrote to memory of 3424	2116	asdkqw9uekmkvncmniudsheq.exe	asdkqw9uekmkvncmniudsheq.exe
PID 2116 wrote to memory of 3424	2116	asdkqw9uekmkvncmniudsheq.exe	asdkqw9uekmkvncmniudsheq.exe
PID 2116 wrote to memory of 3424	2116	asdkqw9uekmkvncmniudsheq.exe	asdkqw9uekmkvncmniudsheq.exe
PID 2116 wrote to memory of 3424	2116	asdkqw9uekmkvncmniudsheq.exe	asdkqw9uekmkvncmniudsheq.exe
PID 2116 wrote to memory of 3424	2116	asdkqw9uekmkvncmniudsheq.exe	asdkqw9uekmkvncmniudsheq.exe
PID 2116 wrote to memory of 3424	2116	asdkqw9uekmkvncmniudsheq.exe	asdkqw9uekmkvncmniudsheq.exe
PID 2116 wrote to memory of 3424	2116	asdkqw9uekmkvncmniudsheq.exe	asdkqw9uekmkvncmniudsheq.exe
PID 3424 wrote to memory of 2348	3424	asdkqw9uekmkvncmniudsheq.exe	GetX64BTIT.exe
PID 3424 wrote to memory of 2348	3424	asdkqw9uekmkvncmniudsheq.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\asdkqw9uekmkvncmniudsheq.exe
"C:\Users\Admin\AppData\Local\Temp\asdkqw9uekmkvncmniudsheq.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\asdkqw9uekmkvncmniudsheq.exe
"C:\Users\Admin\AppData\Local\Temp\asdkqw9uekmkvncmniudsheq.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
3⤵
- Executes dropped EXE
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 900
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
7d64442a03a2e9f258748a012ad23e2a

SHA1
6714195b3718c09842d7063c6bd126bc11c51dd1

SHA256
b1a445660b1f62c0e0ad902ea2a8b22eee874cc6e37e8d919d481b64ba0e14a3

SHA512
d7c18f59e389a80a63331697c44f5d07a42c9f4dd2cb2fd160276bc32da24d259d1ed088c41f47651a9ba2133a6d28c5a1e05af7ed042c64eb070f5779ab0b5d

Download Submit
memory/2116-118-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/2348-123-0x0000000000000000-mapping.dmp

Download
memory/3424-120-0x0000000000401698-mapping.dmp

Download
memory/3424-119-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3424-121-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3424-122-0x00000000006A0000-0x000000000073F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads