osiris | c0f56f436f51d1a8f72d14e0e1305d589c5ca72b419947c45a4bb4e5fa4e211d

General

Target

4e967e569d83f3bde11a0697196d2db5.exe
Size

3.1MB
MD5

4e967e569d83f3bde11a0697196d2db5
SHA1

603957f4faa70afb3565d9aad3be56207e61f2b0
SHA256

c0f56f436f51d1a8f72d14e0e1305d589c5ca72b419947c45a4bb4e5fa4e211d
SHA512

c209eb89fed697af5672f5de88e453209b3a9911db54160685afdb31d9ccef221afab38edd6bcd7a384bf337d416404eeb56035caf95541576dd42cd714135dc
SSDEEP

49152:+itOd4k7ydepSSPIZDscC+QZKDVdfu31o:+iK4IIZYfZKDVQFo

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Blocklisted process makes network request 3 IoCs

Processes:

cmd.exe

flow pid process

8 2764 cmd.exe
11 2764 cmd.exe
13 2764 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

2960 GetX64BTIT.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2764 cmd.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.ipify.org
13 api.ipify.org
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\cms.job cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1372 2764 WerFault.exe cmd.exe

flow	pid	process
8	2764	cmd.exe
11	2764	cmd.exe
13	2764	cmd.exe

pid	process
2960	GetX64BTIT.exe

pid	process
2764	cmd.exe

flow	ioc
12	api.ipify.org
13	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\cms.job	cmd.exe

pid	pid_target	process	target process
1372	2764	WerFault.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4e967e569d83f3bde11a0697196d2db5.exenotepad.execmd.exe

pid	process
2496	4e967e569d83f3bde11a0697196d2db5.exe
2024	notepad.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe
2764	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

notepad.exe

pid process

2024 notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

2764 cmd.exe

pid	process
2024	notepad.exe

pid	process
2764	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4e967e569d83f3bde11a0697196d2db5.exenotepad.exe

description	pid	process	target process
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2496 wrote to memory of 2024	2496	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe
PID 2024 wrote to memory of 2764	2024	notepad.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4e967e569d83f3bde11a0697196d2db5.exe
"C:\Users\Admin\AppData\Local\Temp\4e967e569d83f3bde11a0697196d2db5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
4⤵
- Executes dropped EXE
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 716
4⤵
- Program crash
PID:1372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
Filesize
28B

MD5
faeb8c96d87443d1ba296d4dc9c138cd

SHA1
ec72a5ba353e834bcf5736eea0e9ec037e86bea8

SHA256
f3e08cbe06c7d7173d67daed543dbc627b3041a6cc2c4d3a7929c83ad03eca8a

SHA512
4dd61747cdae8d83de815b4da1438285c838ea34513f26a97d9d8b5db6ddfed288c2d380651c514cea258b904c1eab1b867be7cba075a5fda0b72d0e6508b6e5

Download Submit
memory/2024-8-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/2024-9-0x0000000004600000-0x0000000004684000-memory.dmp

Filesize
528KB

Download
memory/2024-2-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2024-14-0x0000000004600000-0x0000000004684000-memory.dmp

Filesize
528KB

Download
memory/2496-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2496-1-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/2496-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2496-3-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2496-6-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/2764-23-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2764-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2764-12-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2764-13-0x0000000000190000-0x0000000000198000-memory.dmp

Filesize
32KB

Download
memory/2764-21-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2764-22-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2764-20-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2764-19-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2764-11-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2764-31-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2764-33-0x00000000004A0000-0x00000000004BF000-memory.dmp

Filesize
124KB

Download
memory/2764-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2764-18-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing