osiris | c0f56f436f51d1a8f72d14e0e1305d589c5ca72b419947c45a4bb4e5fa4e211d

General

Target

4e967e569d83f3bde11a0697196d2db5.exe
Size

3.1MB
MD5

4e967e569d83f3bde11a0697196d2db5
SHA1

603957f4faa70afb3565d9aad3be56207e61f2b0
SHA256

c0f56f436f51d1a8f72d14e0e1305d589c5ca72b419947c45a4bb4e5fa4e211d
SHA512

c209eb89fed697af5672f5de88e453209b3a9911db54160685afdb31d9ccef221afab38edd6bcd7a384bf337d416404eeb56035caf95541576dd42cd714135dc
SSDEEP

49152:+itOd4k7ydepSSPIZDscC+QZKDVdfu31o:+iK4IIZYfZKDVQFo

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

9 1152 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

3064 GetX64BTIT.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1152 cmd.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\cms.job cmd.exe

flow	pid	process
9	1152	cmd.exe

pid	process
3064	GetX64BTIT.exe

pid	process
1152	cmd.exe

description	ioc	process
File created	C:\Windows\Tasks\cms.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4e967e569d83f3bde11a0697196d2db5.exenotepad.execmd.exe

pid	process
2640	4e967e569d83f3bde11a0697196d2db5.exe
2168	notepad.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe
1152	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

notepad.exe

pid process

2168 notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

1152 cmd.exe

pid	process
2168	notepad.exe

pid	process
1152	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4e967e569d83f3bde11a0697196d2db5.exenotepad.exe

description	pid	process	target process
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2640 wrote to memory of 2168	2640	4e967e569d83f3bde11a0697196d2db5.exe	notepad.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe
PID 2168 wrote to memory of 1152	2168	notepad.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4e967e569d83f3bde11a0697196d2db5.exe
"C:\Users\Admin\AppData\Local\Temp\4e967e569d83f3bde11a0697196d2db5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
4⤵
- Executes dropped EXE
PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x64btit.txt
Filesize
28B

MD5
1eed673584ff08811d12f2ead06bce45

SHA1
c5829fdb860fbde0990727d78c992d91c2eefa1c

SHA256
03e22bc30ed734dc232785219f8cab9dad33d9d7b98ab8fe8078b968bbc20a85

SHA512
ade491a8695ee086397650d8eb12b2de62141e015aa8fee274535819349a4855f228670e93154508ab8018c5d141ac0e53cf3caa00e89afa0fb02803e2a5d275

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
memory/1152-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1152-15-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1152-19-0x0000000076EE0000-0x0000000077089000-memory.dmp

Filesize
1.7MB

Download
memory/1152-41-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1152-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1152-43-0x0000000000390000-0x00000000003AF000-memory.dmp

Filesize
124KB

Download
memory/1152-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1152-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1152-16-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1152-18-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/1152-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1152-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1152-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1152-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2168-12-0x00000000045E0000-0x0000000004664000-memory.dmp

Filesize
528KB

Download
memory/2168-2-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2168-13-0x0000000076EE0000-0x0000000077089000-memory.dmp

Filesize
1.7MB

Download
memory/2168-11-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2168-24-0x00000000045E0000-0x0000000004664000-memory.dmp

Filesize
528KB

Download
memory/2640-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2640-1-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/2640-3-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2640-6-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/2640-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing