osiris | 6ebeb06cb2d2beddb16bfd2a4e689ac133b34e734954b694edf0aa2c3ea25ae6

General

Target

1ef652cf753aac92977c2cfea7fe08c4.exe
Size

3.1MB
MD5

1ef652cf753aac92977c2cfea7fe08c4
SHA1

2c4b9cb5ae6f174c97626c02a4a122e48c43dee2
SHA256

6ebeb06cb2d2beddb16bfd2a4e689ac133b34e734954b694edf0aa2c3ea25ae6
SHA512

3ea9fdbaaf006ffe69b126e92398a779e1887865a8b555f0e39fb31c0ea8edd9d265d79318f3e2ad314dabcab46c4855688472a016c30aafb9aa02ef56870126
SSDEEP

49152:0itOd4k7ydepSSPIZDscC+QZKDVdfu31h:0iK4IIZYfZKDVQFh

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Blocklisted process makes network request 11 IoCs

Processes:

cmd.exe

flow	pid	process
14	2444	cmd.exe
16	2444	cmd.exe
17	2444	cmd.exe
18	2444	cmd.exe
20	2444	cmd.exe
22	2444	cmd.exe
24	2444	cmd.exe
25	2444	cmd.exe
26	2444	cmd.exe
27	2444	cmd.exe
28	2444	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

1320 GetX64BTIT.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2444 cmd.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 api.ipify.org
16 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\cms.job cmd.exe

pid	process
1320	GetX64BTIT.exe

pid	process
2444	cmd.exe

flow	ioc
15	api.ipify.org
16	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\cms.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1ef652cf753aac92977c2cfea7fe08c4.exenotepad.execmd.exe

pid	process
2940	1ef652cf753aac92977c2cfea7fe08c4.exe
1888	notepad.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe
2444	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

notepad.exe

pid process

1888 notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

2444 cmd.exe

pid	process
1888	notepad.exe

pid	process
2444	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ef652cf753aac92977c2cfea7fe08c4.exenotepad.exe

description	pid	process	target process
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 2940 wrote to memory of 1888	2940	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe
PID 1888 wrote to memory of 2444	1888	notepad.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1ef652cf753aac92977c2cfea7fe08c4.exe
"C:\Users\Admin\AppData\Local\Temp\1ef652cf753aac92977c2cfea7fe08c4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      4⤵
      Executes dropped EXE
      PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
ebc99b8fff3a6ff144ca58f73d2b9d7b

SHA1
9f2e6623fd0074cd3f9dbb59d184d32098d83133

SHA256
a29526f00c9f0de050c7003624ddc94e1dd0419f16c99b328d67f073352ac535

SHA512
9acc3b34348403ec74f2bb234f6f4853e771815fd517a573a6c6dcb9c73083d385fa16970e3953ee0b366716dbd012442cf1399d3064e0c5c2928dde72e7a198

Download Submit
memory/1888-8-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/1888-2-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1888-14-0x0000000004580000-0x0000000004604000-memory.dmp

Filesize
528KB

Download
memory/1888-9-0x0000000004580000-0x0000000004604000-memory.dmp

Filesize
528KB

Download
memory/2444-20-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-22-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-10-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-11-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-12-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2444-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-18-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-19-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-40-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-21-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-23-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-38-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-37-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-33-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2444-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2444-31-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2940-1-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2940-3-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2940-6-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2940-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2940-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads