osiris | 5f84ad4413ad6dcdea0cb3aa206cc4df29e1bad9d9598912c323c931d568ac90

Resubmissions

03-01-2022 15:51

220103-tagh5sbdh2 10

Analysis

max time kernel
152s
max time network
145s
platform
windows10_x64
resource
win10-en-20211208
submitted
03-01-2022 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kr.exe
Size

786KB
MD5

899dc9cc6e7516536bf5e816e8cecf55
SHA1

6c07fc00ed2202798194749aa8037bb0ad38bb00
SHA256

5f84ad4413ad6dcdea0cb3aa206cc4df29e1bad9d9598912c323c931d568ac90
SHA512

445016f0e37ee3ecec319b73713d083711608c044f855e16268f89c88d460e95d85b79d375534ac6b7a4a0e869c49470d49b7e325ff0507c550107d593ae688c

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

1476 GetX64BTIT.exe
Drops startup file 1 IoCs

Processes:

kr.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ultrasearch.lnk kr.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.ipify.org
24 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1476	GetX64BTIT.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ultrasearch.lnk	kr.exe

flow	ioc
23	api.ipify.org
24	api.ipify.org

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kr.exe

pid	process
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe
3116	kr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

kr.exe

pid process

3116 kr.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

kr.exe

description pid process target process

PID 3116 wrote to memory of 1476 3116 kr.exe GetX64BTIT.exe
PID 3116 wrote to memory of 1476 3116 kr.exe GetX64BTIT.exe

description	pid	process	target process
PID 3116 wrote to memory of 1476	3116	kr.exe	GetX64BTIT.exe
PID 3116 wrote to memory of 1476	3116	kr.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\kr.exe
"C:\Users\Admin\AppData\Local\Temp\kr.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
2⤵
- Executes dropped EXE
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
MD5
fa1b6f3c3c15af0d9d955a6499c16066

SHA1
0814709ac8ed192ca1de6c4047791310c732002d

SHA256
99f7dbecfd817b9213ff87337630c22ea3b8f0bd8b5cd573d565f60e88423e14

SHA512
14a6a8726133747c6b42b5c89117da963c8827c836b17214413679de34cff050e3cbc1c314114ce9182756aadf684b37b32754d334c2ec2cc7fd5edb8eaf5c25

Download Submit
memory/1476-118-0x0000000000000000-mapping.dmp

Download
memory/3116-115-0x00000000008B0000-0x000000000097A000-memory.dmp

Filesize
808KB

Download
memory/3116-116-0x00000000034A0000-0x00000000034E1000-memory.dmp

Filesize
260KB

Download
memory/3116-117-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download