osiris | 6ed40b29d8cbea35c1fba43b81b4ced3dd22dedb50871ac1168513826f4332ff

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1dcf313c7b9200277a88700ff036b5a3.exe
Size

1.2MB
MD5

1dcf313c7b9200277a88700ff036b5a3
SHA1

2bcf6d85a214e8c5acf6bdf845d51776318e059a
SHA256

6ed40b29d8cbea35c1fba43b81b4ced3dd22dedb50871ac1168513826f4332ff
SHA512

526ab3ad4eef95b92239e5d7d48a0f42fcb04e1b52591bd4cf79e0e51cfc20a24e2918451f6837825b023fe5e4892f7e04b7dfd207cc36b0f54ee61cf1678685
SSDEEP

24576:YaUZCHwO1d1QqbBE2tTBFSZzuKo0gNEPSwDOCzwJSbc7wmersHL:bQqtnLRs6MwJS+7

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Executes dropped EXE 2 IoCs

pid	Process
6120	cmd.exe
5232	GetX64BTIT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
70	api.ipify.org
71	api.ipify.org

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RemoveMenu	1dcf313c7b9200277a88700ff036b5a3.exe
File created	C:\Windows\Tasks\wms.job	cmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4968	6120	WerFault.exe	100

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5088	1dcf313c7b9200277a88700ff036b5a3.exe
4916	notepad.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe
6120	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4916	notepad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6120	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95
PID 5088 wrote to memory of 4916	5088	1dcf313c7b9200277a88700ff036b5a3.exe	95

C:\Users\Admin\AppData\Local\Temp\1dcf313c7b9200277a88700ff036b5a3.exe
"C:\Users\Admin\AppData\Local\Temp\1dcf313c7b9200277a88700ff036b5a3.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:6120
  - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      4⤵
      Executes dropped EXE
      PID:5232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 1272
      4⤵
      Program crash
      PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6120 -ip 6120
1⤵
PID:5656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
231KB

MD5
d0fce3afa6aa1d58ce9fa336cc2b675b

SHA1
4048488de6ba4bfef9edf103755519f1f762668f

SHA256
4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

SHA512
80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
901a90960f8dea9fc3b1faa24743489b

SHA1
2b22b61d097666e30dee0d7b90b37ac36ad45d47

SHA256
eeb00bc75973e55eb2622bd71f4eaf6e5102aa9010e9b8b3ad56dd386fcb336a

SHA512
c25d067b9553db66b59a6ea12909b177377710b698077c4beceb8d4a747b5a384aa3b9dbe12968aae53729963b10d17e760455f3bc059769398d27664f743b65

Download Submit
C:\Windows\RemoveMenu

Filesize
47B

MD5
2728c5c6b49be46d1a8422b03c925024

SHA1
b02363a7bd2795e4a19608a8f26eecf1e7ed48aa

SHA256
aca64ce1afe69e6c7826171991f91d299bdf271eb2af4cfcabacac28a0bcb635

SHA512
af2d88a5ab2ea3dc542d54c469f2ba160852d47082fb833b98c0987b19318ec9ee8ba713acc0e836d2cf3bc7c2de6d56910fffdd8a9b134278491ed62262bc5c

Download Submit
memory/4916-42314-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/4916-42323-0x0000000004980000-0x0000000004A04000-memory.dmp

Filesize
528KB

Download
memory/4916-42308-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/4916-42315-0x0000000004980000-0x0000000004A04000-memory.dmp

Filesize
528KB

Download
memory/5088-42307-0x0000000002890000-0x000000000289A000-memory.dmp

Filesize
40KB

Download
memory/5088-42312-0x0000000002890000-0x000000000289A000-memory.dmp

Filesize
40KB

Download
memory/5088-42310-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/5088-42309-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/5088-0-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/5088-33229-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/6120-42322-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/6120-42327-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/6120-42328-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/6120-42330-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/6120-42329-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/6120-42331-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/6120-42332-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/6120-42321-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/6120-42320-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/6120-42339-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/6120-42340-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/6120-42341-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download