Overview

overview

10

Static

static

ac2071e4dc...72.dll

windows7_x64

7

ac2071e4dc...72.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 00:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac2071e4dc5422825963da4f321466c4d3376498902b0ea1aa56e1e6ef576572.dll

  • Size

    3.4MB

  • MD5

    1dc00acdb581b52fbc009ffa34997d8e

  • SHA1

    141f592b11ec85b523d5bd56905a54956e20a4b6

  • SHA256

    ac2071e4dc5422825963da4f321466c4d3376498902b0ea1aa56e1e6ef576572

  • SHA512

    168f48276a5dd084351340ec34af97c6a6c189ba6f614af2046d31ba12d50cdda71a7f23f2ee1e50030f9d060e5bd5a3fe32e76d87ab7e0313dd237238bb92ab

Score
10/10
osirisbankerbotnet

Malware Config

Signatures

  • Osiris
    bankerbotnetosiris
  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac2071e4dc5422825963da4f321466c4d3376498902b0ea1aa56e1e6ef576572.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac2071e4dc5422825963da4f321466c4d3376498902b0ea1aa56e1e6ef576572.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\SysWOW64\extrac32.exe
        "C:\Windows\system32\extrac32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:4496
        • C:\Users\Admin\AppData\Local\Temp\cmd.exe
          "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
          4⤵
          • Executes dropped EXE
          PID:2388
        • C:\Users\Admin\AppData\Local\Temp\cmd.exe
          "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2708
          • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
            "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
            5⤵
            • Executes dropped EXE
            PID:5032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1
T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    Filesize

    3KB

    MD5

    b4cd27f2b37665f51eb9fe685ec1d373

    SHA1

    7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

    SHA256

    91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

    SHA512

    e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    Filesize

    3KB

    MD5

    b4cd27f2b37665f51eb9fe685ec1d373

    SHA1

    7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

    SHA256

    91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

    SHA512

    e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cmd.exe
    Filesize

    231KB

    MD5

    d0fce3afa6aa1d58ce9fa336cc2b675b

    SHA1

    4048488de6ba4bfef9edf103755519f1f762668f

    SHA256

    4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

    SHA512

    80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cmd.exe
    Filesize

    231KB

    MD5

    d0fce3afa6aa1d58ce9fa336cc2b675b

    SHA1

    4048488de6ba4bfef9edf103755519f1f762668f

    SHA256

    4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

    SHA512

    80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\x64btit.txt
    Filesize

    28B

    MD5

    20858d031991fe489673792b6dabdbfd

    SHA1

    c8efad10143389f490efea43a94eb8296a43c15b

    SHA256

    54b4be6dd02b61e0fc436ae94789e93520c0e0ea874dd231f1ef83d372a5675a

    SHA512

    f470cb8257c2f762ecf7cd50cc184a9f675caa614d7927245f9dbbccaa9190535206942ac229cd5a0b79677c73c4b3617d5ea0aaca084e0958f54d047d28b5cf

    Download Submit
  • memory/2388-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2708-143-0x0000000000EA0000-0x0000000000EA7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2708-140-0x0000000000000000-mapping.dmp
    Download
  • memory/2708-144-0x00007FFDFAA70000-0x00007FFDFAC65000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/2708-149-0x0000000000400000-0x000000000049F000-memory.dmp
    Filesize

    636KB

    Download
  • memory/4496-136-0x00007FFDFAA70000-0x00007FFDFAC65000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4496-135-0x0000000004740000-0x00000000047C2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/4496-141-0x0000000004746000-0x0000000004756000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4496-134-0x0000000002C90000-0x0000000002C98000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4496-132-0x0000000000000000-mapping.dmp
    Download
  • memory/5032-150-0x0000000000000000-mapping.dmp
    Download
  • memory/5060-130-0x0000000000000000-mapping.dmp
    Download
  • memory/5060-133-0x00000000029D0000-0x00000000029D9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/5060-131-0x0000000002600000-0x0000000002986000-memory.dmp
    Filesize

    3.5MB

    Download