osiris | c0503c54556ba129ef04f224cec3c985e7d17f7e39a4574cbd553a67902ec689

General

Target

cc629e5d6fabb0da8f46ecb5d667113d.exe
Size

3.1MB
MD5

cc629e5d6fabb0da8f46ecb5d667113d
SHA1

ce1084782c077756fb43a1056cfcfdd80182f54e
SHA256

c0503c54556ba129ef04f224cec3c985e7d17f7e39a4574cbd553a67902ec689
SHA512

c54ca9ed01b007fc4abc0d72c77253ac2d8802882841a43226764b1fd46e4a1873158d04b396c3b82381fa806abc27cfb6b7778668c656afa53afc6d7c539a4a
SSDEEP

49152:jitOd4k7ydepSSPIZDscC+QZKDVdfu315:jiK4IIZYfZKDVQF5

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Blocklisted process makes network request 21 IoCs

Processes:

cmd.exe

flow	pid	process
68	4420	cmd.exe
79	4420	cmd.exe
80	4420	cmd.exe
81	4420	cmd.exe
84	4420	cmd.exe
87	4420	cmd.exe
88	4420	cmd.exe
90	4420	cmd.exe
92	4420	cmd.exe
94	4420	cmd.exe
98	4420	cmd.exe
100	4420	cmd.exe
101	4420	cmd.exe
102	4420	cmd.exe
103	4420	cmd.exe
110	4420	cmd.exe
111	4420	cmd.exe
116	4420	cmd.exe
117	4420	cmd.exe
118	4420	cmd.exe
120	4420	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

4564 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

79 api.ipify.org
78 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\cms.job cmd.exe

pid	process
4564	GetX64BTIT.exe

flow	ioc
79	api.ipify.org
78	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\cms.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cc629e5d6fabb0da8f46ecb5d667113d.exenotepad.execmd.exe

pid	process
2496	cc629e5d6fabb0da8f46ecb5d667113d.exe
2496	cc629e5d6fabb0da8f46ecb5d667113d.exe
1968	notepad.exe
1968	notepad.exe
1968	notepad.exe
1968	notepad.exe
1968	notepad.exe
1968	notepad.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe
4420	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

notepad.exe

pid process

1968 notepad.exe
1968 notepad.exe
1968 notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

4420 cmd.exe

pid	process
1968	notepad.exe
1968	notepad.exe
1968	notepad.exe

pid	process
4420	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc629e5d6fabb0da8f46ecb5d667113d.exe

description	pid	process	target process
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 2496 wrote to memory of 1968	2496	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffe83262e98,0x7ffe83262ea4,0x7ffe83262eb0
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2896 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2916 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3128 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5284 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5480 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5116

C:\Users\Admin\AppData\Local\Temp\cc629e5d6fabb0da8f46ecb5d667113d.exe
"C:\Users\Admin\AppData\Local\Temp\cc629e5d6fabb0da8f46ecb5d667113d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      4⤵
      Executes dropped EXE
      PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
8398cd56be73c906213fdaa40ba69e19

SHA1
c5f8c6c467388ac08f98d042c3907dfb3d01e450

SHA256
4bacdf68ac91907628cb476f58ffa067043aa435f94a9aeec49d32e19d2e649f

SHA512
e3700af0b2b2f36e9991d7921b821b267b1c95e9d93c8ba32a9eca3b5176463963ee863de2f62756e154df016aa6d3b0a142d8cae18041367ed5dba897c2d050

Download Submit
memory/1968-9-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/1968-2-0x0000000077A18000-0x0000000077A19000-memory.dmp

Filesize
4KB

Download
memory/1968-23-0x00000000049F0000-0x0000000004A74000-memory.dmp

Filesize
528KB

Download
memory/1968-3-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/1968-11-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/1968-10-0x00000000049F0000-0x0000000004A74000-memory.dmp

Filesize
528KB

Download
memory/2496-0-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2496-1-0x00000000028A0000-0x00000000028AA000-memory.dmp

Filesize
40KB

Download
memory/2496-6-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2496-7-0x00000000028A0000-0x00000000028AA000-memory.dmp

Filesize
40KB

Download
memory/2496-4-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/4420-18-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/4420-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-39-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-27-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-16-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-17-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

Filesize
2.0MB

Download
memory/4420-15-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-40-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-41-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4420-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads