osiris | c0503c54556ba129ef04f224cec3c985e7d17f7e39a4574cbd553a67902ec689

General

Target

cc629e5d6fabb0da8f46ecb5d667113d.exe
Size

3.1MB
MD5

cc629e5d6fabb0da8f46ecb5d667113d
SHA1

ce1084782c077756fb43a1056cfcfdd80182f54e
SHA256

c0503c54556ba129ef04f224cec3c985e7d17f7e39a4574cbd553a67902ec689
SHA512

c54ca9ed01b007fc4abc0d72c77253ac2d8802882841a43226764b1fd46e4a1873158d04b396c3b82381fa806abc27cfb6b7778668c656afa53afc6d7c539a4a
SSDEEP

49152:jitOd4k7ydepSSPIZDscC+QZKDVdfu315:jiK4IIZYfZKDVQF5

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Blocklisted process makes network request 25 IoCs

Processes:

cmd.exe

flow	pid	process
130	4320	cmd.exe
132	4320	cmd.exe
166	4320	cmd.exe
168	4320	cmd.exe
169	4320	cmd.exe
171	4320	cmd.exe
174	4320	cmd.exe
175	4320	cmd.exe
176	4320	cmd.exe
177	4320	cmd.exe
178	4320	cmd.exe
179	4320	cmd.exe
180	4320	cmd.exe
181	4320	cmd.exe
182	4320	cmd.exe
183	4320	cmd.exe
184	4320	cmd.exe
185	4320	cmd.exe
187	4320	cmd.exe
188	4320	cmd.exe
189	4320	cmd.exe
191	4320	cmd.exe
192	4320	cmd.exe
193	4320	cmd.exe
195	4320	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

4540 GetX64BTIT.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

166 api.ipify.org
165 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\cms.job cmd.exe

pid	process
4540	GetX64BTIT.exe

flow	ioc
166	api.ipify.org
165	api.ipify.org

description	ioc	process
File created	C:\Windows\Tasks\cms.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cc629e5d6fabb0da8f46ecb5d667113d.exenotepad.execmd.exe

pid	process
1136	cc629e5d6fabb0da8f46ecb5d667113d.exe
180	notepad.exe
180	notepad.exe
180	notepad.exe
180	notepad.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe
4320	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

notepad.exe

pid process

180 notepad.exe
180 notepad.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 1132 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

4320 cmd.exe

pid	process
180	notepad.exe
180	notepad.exe

description	pid	process
Token: SeManageVolumePrivilege	1132	svchost.exe

pid	process
4320	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc629e5d6fabb0da8f46ecb5d667113d.exe

description	pid	process	target process
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe
PID 1136 wrote to memory of 180	1136	cc629e5d6fabb0da8f46ecb5d667113d.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\cc629e5d6fabb0da8f46ecb5d667113d.exe
"C:\Users\Admin\AppData\Local\Temp\cc629e5d6fabb0da8f46ecb5d667113d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      4⤵
      Executes dropped EXE
      PID:4540

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
fbd46e4a6637c73b315bba52db5248d3

SHA1
580d80077003d678172e449cec4d2f7c2a8ebc70

SHA256
e76e9d49766575c15814730956c7a3a7572cf80c2411b28961bb3902fc2da2fe

SHA512
83aa3850251c8d92936baf9a4687417b307fdc207495dd52fbf921db16634fbdda660157b0a14a7c835101be429fada29e491646b439e35037a7d533c700ce47

Download Submit
memory/180-9-0x0000000004A00000-0x0000000004A84000-memory.dmp

Filesize
528KB

Download
memory/180-2-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/180-20-0x0000000004A00000-0x0000000004A84000-memory.dmp

Filesize
528KB

Download
memory/180-10-0x00007FFBCA770000-0x00007FFBCA965000-memory.dmp

Filesize
2.0MB

Download
memory/180-8-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/1132-73-0x000001A73DCF0000-0x000001A73DCF1000-memory.dmp

Filesize
4KB

Download
memory/1132-77-0x000001A73DE30000-0x000001A73DE31000-memory.dmp

Filesize
4KB

Download
memory/1132-76-0x000001A73DD20000-0x000001A73DD21000-memory.dmp

Filesize
4KB

Download
memory/1132-75-0x000001A73DD20000-0x000001A73DD21000-memory.dmp

Filesize
4KB

Download
memory/1132-57-0x000001A735980000-0x000001A735990000-memory.dmp

Filesize
64KB

Download
memory/1132-41-0x000001A735880000-0x000001A735890000-memory.dmp

Filesize
64KB

Download
memory/1136-6-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/1136-4-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1136-3-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1136-0-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1136-1-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/4320-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-27-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-37-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-38-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-39-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-25-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-24-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-15-0x00007FFBCA770000-0x00007FFBCA965000-memory.dmp

Filesize
2.0MB

Download
memory/4320-14-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/4320-13-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-12-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-78-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-79-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4320-80-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads