osiris | 0d693ddf07367bfa97336e477fb86ed96ea42d42a506dd4488c110e8cf6d94cc

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
Size

608KB
MD5

349d95db210e29908ae9207179cff53f
SHA1

c6148e205bdb6ab326929243140294330256d78b
SHA256

7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553
SHA512

29ccd04494919074763ca0a68d5b6506582a039a39aeab5c71ccd8bcb548373296750c2f3b82a53caf857c26161def71223e7da8f842bce9868c5aa3e8825687
SSDEEP

12288:vrP4Xm1kb+26DFVYez7HvmZqq5Igis0jlTOrDFBv0m0LSl9:vL4Xm1CR6hVPz7Hv4v10YrDFlJVT

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Synchronizer.exe	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe

Executes dropped EXE 1 IoCs

pid	Process
4128	GetX64BTIT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	api.ipify.org
39	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4128	3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe	89
PID 3576 wrote to memory of 4128	3576	7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe	89

C:\Users\Admin\AppData\Local\Temp\7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe
"C:\Users\Admin\AppData\Local\Temp\7899f735e7bfd0a60de5660caef1016eba0064c3749cd0a95ed21dfc78c3e553.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
a9ec4bbc117f06fd6d1fa6e00aee3f32

SHA1
f458b553b1cc7fe4654f081bb4bad4af79cf902c

SHA256
bc19e45899eb034e7a9297a21accb65b50d3222b99869cf53e74fac7fee1b629

SHA512
1f81f84a150356ca2f386eb4ee74d142ddbe4b1f907eca575f38f4ba8e7421e4a2e167a2c0fcfd80bdad6b3ccc680f6c04afada631309fd48396f3159c4177fe

Download Submit
memory/3576-6-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-18-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3576-5-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3576-7-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-8-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-10-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-3-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3576-16-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-17-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-4-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-19-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-20-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-22-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-23-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-24-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-26-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-27-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-28-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download
memory/3576-30-0x0000000002C10000-0x0000000002CAF000-memory.dmp

Filesize
636KB

Download