osiris | ac8ec076126d9905b8a3e677c94607c356bd5418092ac00b25de85cad02f6380

Resubmissions

17-03-2024 04:56

240317-fkpqlseg53 10

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cffa8abc1bd0d8409d62b1adb675a6d3.exe
Size

434KB
MD5

cffa8abc1bd0d8409d62b1adb675a6d3
SHA1

37e8bc4d8ffc6ff4256a82bc057960e2cbb022e1
SHA256

ac8ec076126d9905b8a3e677c94607c356bd5418092ac00b25de85cad02f6380
SHA512

7112efdbc879550dd33ddf47f50d44e2ea4ab1e98d2d5d1c48a7f16dc949154228c933095e99050fea61970897c671195f9674bcdece090dc8a0a520e8bc9841
SSDEEP

12288:rXPcLcbGfVylwG/ZDCK/ScBXo8TsyMkKMY8m7WOK9SATTsx/SA/WegYfdNbrqnuk:rXh6XcBXo8TsL8Y8m/ATTySA/DrfdNbC

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Executes dropped EXE 1 IoCs

pid	Process
3404	GetX64BTIT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	api.ipify.org
38	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 3404	4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe	100
PID 4240 wrote to memory of 3404	4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe	100
PID 4240 wrote to memory of 1360	4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe	77
PID 4240 wrote to memory of 4960	4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe	78
PID 4240 wrote to memory of 2496	4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe	79
PID 4240 wrote to memory of 1900	4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe	80
PID 4240 wrote to memory of 1940	4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe	81
PID 4240 wrote to memory of 816	4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe	83
PID 4240 wrote to memory of 3904	4240	cffa8abc1bd0d8409d62b1adb675a6d3.exe	84
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111
PID 1360 wrote to memory of 3628	1360	msedge.exe	111

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b4,0x7fff9f0a2e98,0x7fff9f0a2ea4,0x7fff9f0a2eb0
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2352 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2388 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2344 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5468 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3628

C:\Users\Admin\AppData\Local\Temp\cffa8abc1bd0d8409d62b1adb675a6d3.exe
"C:\Users\Admin\AppData\Local\Temp\cffa8abc1bd0d8409d62b1adb675a6d3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7eced896f52e92771c022d6cec8843d6

SHA1
e7564ca2110104eec0caf08b75c9dc1619982fb5

SHA256
a96fa03a7da2a585127477483cca9a17c42420d71c6aba1e958b9617dd606606

SHA512
136cfaaf92c9c425c140da89aace9d2f7c995b918a67ea33db0245a5b2049b3ea05f179cd009d0b7e32dd027aa5296cb5aaa44eed6830d070990e22fdef013ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
316e50151574f976726deab620d4e1f6

SHA1
b78478f0407655a39b907a1cceb09328ccf5a5b1

SHA256
fc13d26975d8e6dac2ddae7bd2f685e20d3432003f99751de0180e56846cfd58

SHA512
c6cd5181344ccbd5eb9aefe8d6d50d45052556e01451c46d3d3d95f6f0a7e8604e5dcb302102fa5364dc69546f9fe43963746575205b721fc3bc09d22db7bef4

Download Submit