observer | 8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe
Size

1.0MB
MD5

13125bd66d02c013b3eda2c69aff4ef3
SHA1

3b70cc23e7877fea920e0260ef6fd9b56076930c
SHA256

8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab
SHA512

e6931d70ef77f638fe15e463e9a77f246913501faf1dc10ea09d57558d19c65191c7025dda80d45e947e45eb01ef4807fe7ab0ad7f84f26b55eb717e2b4c1280
SSDEEP

24576:RtLWjQcTsLY9K9ZZqf5MoLtaumQ1dpx8pUO0LV:3L6L6Y9KXZqf5LLl1jrfJ

Score

10^/10

observer stealer

Malware Config

Extracted

Family

observer

http://5.42.66.25:3000

Signatures

Observer
Observer is an infostealer written in C++.
stealer observer

Deletes itself 1 IoCs

pid	Process
2748	Awareness.pif

Executes dropped EXE 1 IoCs

pid	Process
2748	Awareness.pif

Loads dropped DLL 1 IoCs

pid	Process
2376	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2728	tasklist.exe
2856	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2804	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2748	Awareness.pif
2748	Awareness.pif
2748	Awareness.pif
2748	Awareness.pif
2748	Awareness.pif
2748	Awareness.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2856	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2748	Awareness.pif
2748	Awareness.pif
2748	Awareness.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2748	Awareness.pif
2748	Awareness.pif
2748	Awareness.pif

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2376	3024	SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe	29
PID 3024 wrote to memory of 2376	3024	SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe	29
PID 3024 wrote to memory of 2376	3024	SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe	29
PID 3024 wrote to memory of 2376	3024	SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe	29
PID 2376 wrote to memory of 2728	2376	cmd.exe	31
PID 2376 wrote to memory of 2728	2376	cmd.exe	31
PID 2376 wrote to memory of 2728	2376	cmd.exe	31
PID 2376 wrote to memory of 2728	2376	cmd.exe	31
PID 2376 wrote to memory of 2060	2376	cmd.exe	32
PID 2376 wrote to memory of 2060	2376	cmd.exe	32
PID 2376 wrote to memory of 2060	2376	cmd.exe	32
PID 2376 wrote to memory of 2060	2376	cmd.exe	32
PID 2376 wrote to memory of 2856	2376	cmd.exe	34
PID 2376 wrote to memory of 2856	2376	cmd.exe	34
PID 2376 wrote to memory of 2856	2376	cmd.exe	34
PID 2376 wrote to memory of 2856	2376	cmd.exe	34
PID 2376 wrote to memory of 2716	2376	cmd.exe	35
PID 2376 wrote to memory of 2716	2376	cmd.exe	35
PID 2376 wrote to memory of 2716	2376	cmd.exe	35
PID 2376 wrote to memory of 2716	2376	cmd.exe	35
PID 2376 wrote to memory of 2872	2376	cmd.exe	36
PID 2376 wrote to memory of 2872	2376	cmd.exe	36
PID 2376 wrote to memory of 2872	2376	cmd.exe	36
PID 2376 wrote to memory of 2872	2376	cmd.exe	36
PID 2376 wrote to memory of 2744	2376	cmd.exe	37
PID 2376 wrote to memory of 2744	2376	cmd.exe	37
PID 2376 wrote to memory of 2744	2376	cmd.exe	37
PID 2376 wrote to memory of 2744	2376	cmd.exe	37
PID 2376 wrote to memory of 1740	2376	cmd.exe	38
PID 2376 wrote to memory of 1740	2376	cmd.exe	38
PID 2376 wrote to memory of 1740	2376	cmd.exe	38
PID 2376 wrote to memory of 1740	2376	cmd.exe	38
PID 2376 wrote to memory of 2748	2376	cmd.exe	39
PID 2376 wrote to memory of 2748	2376	cmd.exe	39
PID 2376 wrote to memory of 2748	2376	cmd.exe	39
PID 2376 wrote to memory of 2748	2376	cmd.exe	39
PID 2376 wrote to memory of 2804	2376	cmd.exe	40
PID 2376 wrote to memory of 2804	2376	cmd.exe	40
PID 2376 wrote to memory of 2804	2376	cmd.exe	40
PID 2376 wrote to memory of 2804	2376	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 3938
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond 3938\Awareness.pif
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Subsequent + Controversy 3938\Q
    3⤵
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3938\Awareness.pif
    3938\Awareness.pif 3938\Q
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2748
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3938\Q

Filesize
858KB

MD5
e6a62806fa38a27240122f2840b3fec1

SHA1
f99c345a6e63e55910ef081247c8845f707426c6

SHA256
a036ba664ead310f1bacb021289a78f673842937ecbc0b2e984ba41e6f9428c0

SHA512
b1cfe019d5b228915e3d3502f7dd773a61ece04d23633c82d2239cc9775cd65f5c1d3f72baab1032d40b9e1175054d3e87be2931e2ffbc3ebe942f1823bffa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bathrooms

Filesize
11KB

MD5
b1ef379960b1cc12b80454174ef222b3

SHA1
e85d00b4822433613e0d1523abc1edc4220421fe

SHA256
cc9605d93f0b3536ea951b84f3fbe3d0196f361de2276038165ceb2200c92c7b

SHA512
7a62f6413986032298a8baaed564becbadd24ed70949d64ef3411fbec488b82820c04d7c250165ea57371784168710403f94940acae8a97ff10ace57c27ec2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Compound

Filesize
277KB

MD5
2ec41cd75e4e41ee8c1b1e0b9d31c7e4

SHA1
1ae820229667223c05471140f04486174f818306

SHA256
703e01cdb77a38db64afbcc43b8567a808dd0e5702eab102e16364437ceb2420

SHA512
46ea1d8606dedad2acd591c7591956925065952465423f1f77431e5b55de2955fe5db8ab8a46d92ef5ca0458e09a0dfa99461d6c849c0818f28d3863b358649d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Controversy

Filesize
432KB

MD5
646bb04049cee0a56192d2837d687ccd

SHA1
01579c8a98bdb098719e3398d3f234920b402d71

SHA256
808a6e79cff289bff2698b185e747ccd5d6c373b1c9fdf8128a9443ac90217ae

SHA512
f7dfeda6a5abffde61898fc12596f41a3de5d12a0c9498d0b7a1d0c374ce4527691968aa6d67c91b3d706d57e96c45b96f400ad26d1120886f374fcbb7893ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Emotions

Filesize
222KB

MD5
041ce253674ba21b9d38fc9fde7f054a

SHA1
7a59249c38c6a5bfe7766d2b5ac226a9cfd408d1

SHA256
a2d9ac3903c9299a993206ec17f7ec8e06bee2293239e8a8b517eef561de2d3d

SHA512
48ed73cb5f6872980018050a07741e08cf3abb3b7a1365eac635906b832c9963330d7523e21ac6a0f5c40485daea78df206d04a4c51c5ff9aec424f56edcd2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Injection

Filesize
117KB

MD5
246eaad20996e50d7ef60b9200bd9651

SHA1
65d11b058e25e584ce67489c1ccfd85d09f15d0c

SHA256
851183e54980e91bdc772a752f738547841b22629afc14d05da9c954f320127a

SHA512
a0c24a4792afbc20f9b166e7a8764016409acd474091a0978d4b2dfd061ca142103549d19459f23d1dbdb0e624395c1258b8a609c6c283992ff625891e83eefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Participants

Filesize
167KB

MD5
f8f388e977f31c5fe1748541b54920ae

SHA1
e7136e52621f93ffb84325b57e98985ebc6512c1

SHA256
a8fd7c611b67f141db0423e5069f0e6fa5e8b4d441f920ceb0378692a2528754

SHA512
98d423d056f2bf9e63651d0106a6bf96af135c8f190e34222ba72786b5f2bab5ad8ffe82df47e34ba446fca03d3db3f7bc3b033774b79edffe6262f813b84e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Richmond

Filesize
21KB

MD5
1ca5141d992262432ba4fff828d7d092

SHA1
5e9aec92c0e85c0b7f576bf18adba9e3c3e93897

SHA256
9f7a626c7d33e97f707c415aeeb3f8f3697edd0988fee6b3be07e9a02b74ba75

SHA512
198e63037f7906681467daed4cffc6b07885ade1d80b5855746fe02c2d86689e1c6dbae6432784d67fe092e041e4943de846e0aa791bdc5c5a5e08da06af0242

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subsequent

Filesize
426KB

MD5
c42dc09d03678e36fcd19b13b8f8e502

SHA1
be31c2f6e43f87a56eeea107ca20822f5d2b6c52

SHA256
4e84c8cea810d1466db293cb934b60e10067d34c851a2eff44894c60681810f0

SHA512
fd5028a518bbdfaddf75e6d2ce10956bd573535ab3f4f17aad11062711b10259c1983a2627ce283c49ee768148e993f4f0453304f8b0b2461e9c0c5b6ac29ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Worm

Filesize
120KB

MD5
8b9a2094874a50a5d6611512322a41df

SHA1
649b2fc4751a857ac795637890c3ffd1a1f6c069

SHA256
5dbffacd5038833530ba781b5b1a020e504257ae796793b3b47c516549a9be0f

SHA512
f5a4e4460e1881e8a6e6db0e21d59efc4e635e2ba6c8620856d27e7b940f1f7784846e3fa7a8e5468506a7db6397ec411325bd60ea8c9f833bbcccc1a523491d

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3938\Awareness.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
memory/2748-33-0x0000000076F80000-0x0000000077056000-memory.dmp

Filesize
856KB

Download
memory/2748-35-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2748-34-0x0000000004370000-0x00000000043E3000-memory.dmp

Filesize
460KB

Download
memory/2748-36-0x0000000004370000-0x00000000043E3000-memory.dmp

Filesize
460KB

Download
memory/2748-37-0x0000000004370000-0x00000000043E3000-memory.dmp

Filesize
460KB

Download
memory/2748-38-0x0000000004370000-0x00000000043E3000-memory.dmp

Filesize
460KB

Download
memory/2748-39-0x0000000004370000-0x00000000043E3000-memory.dmp

Filesize
460KB

Download
memory/2748-40-0x0000000004370000-0x00000000043E3000-memory.dmp

Filesize
460KB

Download