osiris | 5f84ad4413ad6dcdea0cb3aa206cc4df29e1bad9d9598912c323c931d568ac90

General

Target

kr.exe
Size

786KB
MD5

899dc9cc6e7516536bf5e816e8cecf55
SHA1

6c07fc00ed2202798194749aa8037bb0ad38bb00
SHA256

5f84ad4413ad6dcdea0cb3aa206cc4df29e1bad9d9598912c323c931d568ac90
SHA512

445016f0e37ee3ecec319b73713d083711608c044f855e16268f89c88d460e95d85b79d375534ac6b7a4a0e869c49470d49b7e325ff0507c550107d593ae688c

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

112 GetX64BTIT.exe
Drops startup file 1 IoCs

Processes:

kr.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ultrasearch.lnk kr.exe
Loads dropped DLL 1 IoCs

Processes:

kr.exe

pid process

1672 kr.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
112	GetX64BTIT.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ultrasearch.lnk	kr.exe

flow	ioc
3	api.ipify.org
4	api.ipify.org

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kr.exe

pid	process
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe
1672	kr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

kr.exe

pid process

1672 kr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

kr.exe

description	pid	process	target process
PID 1672 wrote to memory of 112	1672	kr.exe	GetX64BTIT.exe
PID 1672 wrote to memory of 112	1672	kr.exe	GetX64BTIT.exe
PID 1672 wrote to memory of 112	1672	kr.exe	GetX64BTIT.exe
PID 1672 wrote to memory of 112	1672	kr.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\kr.exe
"C:\Users\Admin\AppData\Local\Temp\kr.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
2⤵
- Executes dropped EXE
PID:112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
57d24b003b499889c23f451ba1c77567

SHA1
90b27ac364d19c19193aad78b86a087959e34b57

SHA256
d875daac488dee83c252ffd57572a7e9e9ef4c752b802f3d781c209eb810435f

SHA512
ee76d44bd76d5946af704cd84d029e84c40b7262c4d9aeef157a6e7272ed341de2bf081fb923bc2b335432ed53980ccdd837a94b6a570511873e65fc78d79181

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
memory/112-60-0x0000000000000000-mapping.dmp

Download
memory/1672-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1672-56-0x0000000000A10000-0x0000000000ADA000-memory.dmp

Filesize
808KB

Download
memory/1672-58-0x0000000002700000-0x000000000334A000-memory.dmp

Filesize
12.3MB

Download
memory/1672-57-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/1672-63-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1672-64-0x0000000000230000-0x000000000024F000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing