osiris | 12dc9ca2e6b5e7c547ebd3814953c4e2aa0d1eb726877151b09494ab6a0c07bd

General

Target

07de8d93ec7190afee1eb569dce09bae.exe
Size

3.1MB
MD5

07de8d93ec7190afee1eb569dce09bae
SHA1

ef0b072fcf7f00184471589a6e4a0d3bd09b9553
SHA256

12dc9ca2e6b5e7c547ebd3814953c4e2aa0d1eb726877151b09494ab6a0c07bd
SHA512

a8d226bd9c8c0a8d6f856a9ef5ef8d235ca1e1c67c250d0f0bd043ae400f61b3dd7f1032c3278178d783edec343ba5a3870f1b753079f0d16a7955cdb57670ac
SSDEEP

49152:nitOd4k7ydepSSPIZDscC+QZKDVdfu31W:niK4IIZYfZKDVQFW

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Blocklisted process makes network request 9 IoCs

Processes:

cmd.exe

flow pid process

10 2544 cmd.exe
12 2544 cmd.exe
13 2544 cmd.exe
14 2544 cmd.exe
16 2544 cmd.exe
18 2544 cmd.exe
20 2544 cmd.exe
21 2544 cmd.exe
22 2544 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

1752 GetX64BTIT.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2544 cmd.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
12 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\cms.job cmd.exe

flow	pid	process
10	2544	cmd.exe
12	2544	cmd.exe
13	2544	cmd.exe
14	2544	cmd.exe
16	2544	cmd.exe
18	2544	cmd.exe
20	2544	cmd.exe
21	2544	cmd.exe
22	2544	cmd.exe

pid	process
1752	GetX64BTIT.exe

pid	process
2544	cmd.exe

flow	ioc
11	api.ipify.org
12	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\cms.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

07de8d93ec7190afee1eb569dce09bae.exenotepad.execmd.exe

pid	process
2184	07de8d93ec7190afee1eb569dce09bae.exe
3036	notepad.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

notepad.exe

pid process

3036 notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

2544 cmd.exe

pid	process
3036	notepad.exe

pid	process
2544	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

07de8d93ec7190afee1eb569dce09bae.exenotepad.exe

description	pid	process	target process
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 2184 wrote to memory of 3036	2184	07de8d93ec7190afee1eb569dce09bae.exe	notepad.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe
PID 3036 wrote to memory of 2544	3036	notepad.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\07de8d93ec7190afee1eb569dce09bae.exe
"C:\Users\Admin\AppData\Local\Temp\07de8d93ec7190afee1eb569dce09bae.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      4⤵
      Executes dropped EXE
      PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
7ad4dc61b8b3dfcebe9741190b3fd4fa

SHA1
3840b22d40a1ee95fc61aadff831cb30c1b80df4

SHA256
8967fa5b04d149697539716db8ba0268bb3f0e6eac924b4c3398a5767fe61a92

SHA512
fa7dbfb0372123a04a4255fc0401bede663fa7a5ca3b72c165983b91c7b579973e1be46db3a18e3d6c72ca869c305fb749bd1550996f9d85474a4739bd9efb3e

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
memory/2184-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2184-1-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/2184-3-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2184-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2184-6-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/2544-24-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-39-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/2544-12-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-13-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-14-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2544-15-0x0000000076E70000-0x0000000077019000-memory.dmp

Filesize
1.7MB

Download
memory/2544-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-25-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-27-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-37-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2544-41-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3036-10-0x0000000076E70000-0x0000000077019000-memory.dmp

Filesize
1.7MB

Download
memory/3036-2-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/3036-8-0x00000000000E0000-0x00000000000E8000-memory.dmp

Filesize
32KB

Download
memory/3036-9-0x00000000045E0000-0x0000000004664000-memory.dmp

Filesize
528KB

Download
memory/3036-20-0x00000000045E0000-0x0000000004664000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing