osiris | 0d693ddf07367bfa97336e477fb86ed96ea42d42a506dd4488c110e8cf6d94cc

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
Size

608KB
MD5

349d95db210e29908ae9207179cff53f
SHA1

c6148e205bdb6ab326929243140294330256d78b
SHA256

7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553
SHA512

29ccd04494919074763ca0a68d5b6506582a039a39aeab5c71ccd8bcb548373296750c2f3b82a53caf857c26161def71223e7da8f842bce9868c5aa3e8825687
SSDEEP

12288:vrP4Xm1kb+26DFVYez7HvmZqq5Igis0jlTOrDFBv0m0LSl9:vL4Xm1CR6hVPz7Hv4v10YrDFlJVT

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Synchronizer.exe	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	GetX64BTIT.exe

Loads dropped DLL 1 IoCs

pid	Process
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2572	2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe	28
PID 2224 wrote to memory of 2572	2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe	28
PID 2224 wrote to memory of 2572	2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe	28
PID 2224 wrote to memory of 2572	2224	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe	28

C:\Users\Admin\AppData\Local\Temp\7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
"C:\Users\Admin\AppData\Local\Temp\7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
4c6cb24257bf1e200e01f9de2db8e4b8

SHA1
e00e25812ccba5ad95313cec6624e6faf9459edb

SHA256
438017fbe38489e376e9f9986492aa82279d52c7fddcf00c65ae98b739bda4f4

SHA512
a743b2153853aa8f22f40ebaaee1604bea4a76564c674612dc3e33f2e7dd88bd0a0de02ca034185d4e10e003403ca8698c98d6e4d0cd67474f0d9f231f31f8bf

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
memory/2224-16-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2224-5-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-6-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-9-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-7-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-3-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-15-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2224-4-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-19-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2224-21-0x0000000000250000-0x000000000026E000-memory.dmp

Filesize
120KB

Download
memory/2224-23-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-24-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-25-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2224-27-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-29-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-31-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-32-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download
memory/2224-33-0x0000000002510000-0x00000000025AF000-memory.dmp

Filesize
636KB

Download