osiris | c0503c54556ba129ef04f224cec3c985e7d17f7e39a4574cbd553a67902ec689

General

Target

cc629e5d6fabb0da8f46ecb5d667113d.exe
Size

3.1MB
MD5

cc629e5d6fabb0da8f46ecb5d667113d
SHA1

ce1084782c077756fb43a1056cfcfdd80182f54e
SHA256

c0503c54556ba129ef04f224cec3c985e7d17f7e39a4574cbd553a67902ec689
SHA512

c54ca9ed01b007fc4abc0d72c77253ac2d8802882841a43226764b1fd46e4a1873158d04b396c3b82381fa806abc27cfb6b7778668c656afa53afc6d7c539a4a
SSDEEP

49152:jitOd4k7ydepSSPIZDscC+QZKDVdfu315:jiK4IIZYfZKDVQF5

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Blocklisted process makes network request 7 IoCs

Processes:

cmd.exe

flow pid process

8 2780 cmd.exe
10 2780 cmd.exe
11 2780 cmd.exe
12 2780 cmd.exe
14 2780 cmd.exe
15 2780 cmd.exe
16 2780 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

1520 GetX64BTIT.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2780 cmd.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
10 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\cms.job cmd.exe

flow	pid	process
8	2780	cmd.exe
10	2780	cmd.exe
11	2780	cmd.exe
12	2780	cmd.exe
14	2780	cmd.exe
15	2780	cmd.exe
16	2780	cmd.exe

pid	process
1520	GetX64BTIT.exe

pid	process
2780	cmd.exe

flow	ioc
9	api.ipify.org
10	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\cms.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cc629e5d6fabb0da8f46ecb5d667113d.exenotepad.execmd.exe

pid	process
2804	cc629e5d6fabb0da8f46ecb5d667113d.exe
2240	notepad.exe
2240	notepad.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe
2780	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

notepad.exe

pid process

2240 notepad.exe
2240 notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

2780 cmd.exe

pid	process
2240	notepad.exe
2240	notepad.exe

pid	process
2780	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc629e5d6fabb0da8f46ecb5d667113d.exenotepad.exe

description	pid	process	target process
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2804 wrote to memory of 2240	2804	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2240 wrote to memory of 2192	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2192	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2192	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2192	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2192	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2192	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2192	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2192	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2192	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2192	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe
PID 2240 wrote to memory of 2780	2240	notepad.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cc629e5d6fabb0da8f46ecb5d667113d.exe
"C:\Users\Admin\AppData\Local\Temp\cc629e5d6fabb0da8f46ecb5d667113d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      4⤵
      Executes dropped EXE
      PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
eb9faa37247a895096d5587effc924ad

SHA1
3347a9617ee6ae066e719f99503ca3e6c05ca021

SHA256
cee29eb86cadae993516079be3a72e568f43acd139b11e400f0bc34c70cebe8a

SHA512
7e366a0330627b83812c42ff726cafaf5c8488be203c1c754df73402a6c3e46ab49f47785623bcc570b41b757347f21e94895071a4fae095d46c115c8099ca9f

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
memory/2240-8-0x0000000004560000-0x00000000045E4000-memory.dmp

Filesize
528KB

Download
memory/2240-2-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2240-20-0x0000000004560000-0x00000000045E4000-memory.dmp

Filesize
528KB

Download
memory/2240-9-0x00000000773B0000-0x0000000077559000-memory.dmp

Filesize
1.7MB

Download
memory/2240-7-0x00000000000E0000-0x00000000000E8000-memory.dmp

Filesize
32KB

Download
memory/2780-24-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-12-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-13-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-14-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2780-15-0x00000000773B0000-0x0000000077559000-memory.dmp

Filesize
1.7MB

Download
memory/2780-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-25-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-41-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-27-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2780-39-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2780-37-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2780-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2804-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2804-1-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/2804-3-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2804-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2804-6-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing