osiris | 07457423012b530efe135d313c7c3d509c0ec8f13dacd5751ddfce7c311182c7

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/11/2024, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload 94.75 (4).225.exe
Size

609KB
MD5

987a79c800f109491dcbfbc589f940f2
SHA1

d0a7eedc6b908ffc728f287036696fd0688436f7
SHA256

07457423012b530efe135d313c7c3d509c0ec8f13dacd5751ddfce7c311182c7
SHA512

959c7e45f4ae3ab901f7aad2ed3d5d74861aa9d812df0bf1bd499afd759a2811b98dbba43e143c3a90f8fa7c4b7d8592e1aa60402de8cc62da409c30aad118ac
SSDEEP

12288:KZ543M5v7Kc3ygT2lXVCllX8peI7cQitqUmyq+1pmhM:SUiL3yjXUlu0I7vitqUmyq+1paM

Score

10^/10

osiris banker botnet discovery upx

Malware Config

Signatures

Osiris
banker botnet osiris
Osiris family
osiris

Executes dropped EXE 1 IoCs

pid	Process
836	GetX64BTIT.exe

Loads dropped DLL 1 IoCs

pid	Process
2548	Payload 94.75 (4).225.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-1-0x0000000000400000-0x00000000051C1000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload 94.75 (4).225.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe
2548	Payload 94.75 (4).225.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2548	Payload 94.75 (4).225.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 836	2548	Payload 94.75 (4).225.exe	30
PID 2548 wrote to memory of 836	2548	Payload 94.75 (4).225.exe	30
PID 2548 wrote to memory of 836	2548	Payload 94.75 (4).225.exe	30
PID 2548 wrote to memory of 836	2548	Payload 94.75 (4).225.exe	30

C:\Users\Admin\AppData\Local\Temp\Payload 94.75 (4).225.exe
"C:\Users\Admin\AppData\Local\Temp\Payload 94.75 (4).225.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
9636dfae5807008a83795615e678ec55

SHA1
900cd05645bb6b201beec5dd8ffa57ec89cedb3c

SHA256
4cc14c5c0b7617de4fe11f92b46af82b1a2608a1ed966f07d85c90e644cff113

SHA512
f467a86c3cd9832c50c7b0066d554ed22b4a2072360c0a1ffa1a2ac5e849133417c6b463e553e47a1fd4e71d05acdc4493da186c3c9ffd5abb84dc3fd4262271

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
memory/2548-6-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-19-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2548-7-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-1-0x0000000000400000-0x00000000051C1000-memory.dmp

Filesize
77.8MB

Download
memory/2548-5-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-9-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-8-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-3-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2548-2-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2548-4-0x0000000000400000-0x00000000051C1000-memory.dmp

Filesize
77.8MB

Download
memory/2548-22-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-21-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-17-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2548-26-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-25-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-31-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-36-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-42-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download
memory/2548-43-0x0000000005420000-0x00000000054E6000-memory.dmp

Filesize
792KB

Download