Overview

overview

10

Static

static

1

SecuriteIn...04.exe

windows7-x64

10

SecuriteIn...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    88s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/02/2024, 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe

  • Size

    1.0MB

  • MD5

    13125bd66d02c013b3eda2c69aff4ef3

  • SHA1

    3b70cc23e7877fea920e0260ef6fd9b56076930c

  • SHA256

    8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab

  • SHA512

    e6931d70ef77f638fe15e463e9a77f246913501faf1dc10ea09d57558d19c65191c7025dda80d45e947e45eb01ef4807fe7ab0ad7f84f26b55eb717e2b4c1280

  • SSDEEP

    24576:RtLWjQcTsLY9K9ZZqf5MoLtaumQ1dpx8pUO0LV:3L6L6Y9KXZqf5LLl1jrfJ

Score
10/10
observerstealer

Malware Config

Extracted

Family

observer

C2

http://5.42.66.25:3000

Signatures

  • Observer

    Observer is an infostealer written in C++.

    stealerobserver
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4364
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        3⤵
          PID:2396
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2596
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          3⤵
            PID:3840
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 3941
            3⤵
              PID:680
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond 3941\Awareness.pif
              3⤵
                PID:4884
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c copy /b Subsequent + Controversy 3941\Q
                3⤵
                  PID:2288
                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3941\Awareness.pif
                  3941\Awareness.pif 3941\Q
                  3⤵
                  • Deletes itself
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:3208
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1492
                    4⤵
                    • Program crash
                    PID:4608
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1512
                    4⤵
                    • Program crash
                    PID:2172
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 5 localhost
                  3⤵
                  • Runs ping.exe
                  PID:4416
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 3208 -ip 3208
              1⤵
                PID:1564
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3208 -ip 3208
                1⤵
                  PID:652

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3941\Awareness.pif
                  Filesize

                  924KB

                  MD5

                  848164d084384c49937f99d5b894253e

                  SHA1

                  3055ef803eeec4f175ebf120f94125717ee12444

                  SHA256

                  f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

                  SHA512

                  aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3941\Q
                  Filesize

                  858KB

                  MD5

                  e6a62806fa38a27240122f2840b3fec1

                  SHA1

                  f99c345a6e63e55910ef081247c8845f707426c6

                  SHA256

                  a036ba664ead310f1bacb021289a78f673842937ecbc0b2e984ba41e6f9428c0

                  SHA512

                  b1cfe019d5b228915e3d3502f7dd773a61ece04d23633c82d2239cc9775cd65f5c1d3f72baab1032d40b9e1175054d3e87be2931e2ffbc3ebe942f1823bffa46

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bathrooms
                  Filesize

                  11KB

                  MD5

                  b1ef379960b1cc12b80454174ef222b3

                  SHA1

                  e85d00b4822433613e0d1523abc1edc4220421fe

                  SHA256

                  cc9605d93f0b3536ea951b84f3fbe3d0196f361de2276038165ceb2200c92c7b

                  SHA512

                  7a62f6413986032298a8baaed564becbadd24ed70949d64ef3411fbec488b82820c04d7c250165ea57371784168710403f94940acae8a97ff10ace57c27ec2a8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Compound
                  Filesize

                  277KB

                  MD5

                  2ec41cd75e4e41ee8c1b1e0b9d31c7e4

                  SHA1

                  1ae820229667223c05471140f04486174f818306

                  SHA256

                  703e01cdb77a38db64afbcc43b8567a808dd0e5702eab102e16364437ceb2420

                  SHA512

                  46ea1d8606dedad2acd591c7591956925065952465423f1f77431e5b55de2955fe5db8ab8a46d92ef5ca0458e09a0dfa99461d6c849c0818f28d3863b358649d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Controversy
                  Filesize

                  432KB

                  MD5

                  646bb04049cee0a56192d2837d687ccd

                  SHA1

                  01579c8a98bdb098719e3398d3f234920b402d71

                  SHA256

                  808a6e79cff289bff2698b185e747ccd5d6c373b1c9fdf8128a9443ac90217ae

                  SHA512

                  f7dfeda6a5abffde61898fc12596f41a3de5d12a0c9498d0b7a1d0c374ce4527691968aa6d67c91b3d706d57e96c45b96f400ad26d1120886f374fcbb7893ece

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Emotions
                  Filesize

                  222KB

                  MD5

                  041ce253674ba21b9d38fc9fde7f054a

                  SHA1

                  7a59249c38c6a5bfe7766d2b5ac226a9cfd408d1

                  SHA256

                  a2d9ac3903c9299a993206ec17f7ec8e06bee2293239e8a8b517eef561de2d3d

                  SHA512

                  48ed73cb5f6872980018050a07741e08cf3abb3b7a1365eac635906b832c9963330d7523e21ac6a0f5c40485daea78df206d04a4c51c5ff9aec424f56edcd2e1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Injection
                  Filesize

                  117KB

                  MD5

                  246eaad20996e50d7ef60b9200bd9651

                  SHA1

                  65d11b058e25e584ce67489c1ccfd85d09f15d0c

                  SHA256

                  851183e54980e91bdc772a752f738547841b22629afc14d05da9c954f320127a

                  SHA512

                  a0c24a4792afbc20f9b166e7a8764016409acd474091a0978d4b2dfd061ca142103549d19459f23d1dbdb0e624395c1258b8a609c6c283992ff625891e83eefd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Participants
                  Filesize

                  167KB

                  MD5

                  f8f388e977f31c5fe1748541b54920ae

                  SHA1

                  e7136e52621f93ffb84325b57e98985ebc6512c1

                  SHA256

                  a8fd7c611b67f141db0423e5069f0e6fa5e8b4d441f920ceb0378692a2528754

                  SHA512

                  98d423d056f2bf9e63651d0106a6bf96af135c8f190e34222ba72786b5f2bab5ad8ffe82df47e34ba446fca03d3db3f7bc3b033774b79edffe6262f813b84e52

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Richmond
                  Filesize

                  21KB

                  MD5

                  1ca5141d992262432ba4fff828d7d092

                  SHA1

                  5e9aec92c0e85c0b7f576bf18adba9e3c3e93897

                  SHA256

                  9f7a626c7d33e97f707c415aeeb3f8f3697edd0988fee6b3be07e9a02b74ba75

                  SHA512

                  198e63037f7906681467daed4cffc6b07885ade1d80b5855746fe02c2d86689e1c6dbae6432784d67fe092e041e4943de846e0aa791bdc5c5a5e08da06af0242

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subsequent
                  Filesize

                  426KB

                  MD5

                  c42dc09d03678e36fcd19b13b8f8e502

                  SHA1

                  be31c2f6e43f87a56eeea107ca20822f5d2b6c52

                  SHA256

                  4e84c8cea810d1466db293cb934b60e10067d34c851a2eff44894c60681810f0

                  SHA512

                  fd5028a518bbdfaddf75e6d2ce10956bd573535ab3f4f17aad11062711b10259c1983a2627ce283c49ee768148e993f4f0453304f8b0b2461e9c0c5b6ac29ad2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Worm
                  Filesize

                  120KB

                  MD5

                  8b9a2094874a50a5d6611512322a41df

                  SHA1

                  649b2fc4751a857ac795637890c3ffd1a1f6c069

                  SHA256

                  5dbffacd5038833530ba781b5b1a020e504257ae796793b3b47c516549a9be0f

                  SHA512

                  f5a4e4460e1881e8a6e6db0e21d59efc4e635e2ba6c8620856d27e7b940f1f7784846e3fa7a8e5468506a7db6397ec411325bd60ea8c9f833bbcccc1a523491d

                  Download Submit

                • memory/3208-32-0x0000000077681000-0x00000000777A1000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/3208-33-0x00000000036B0000-0x00000000036B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3208-34-0x0000000004A60000-0x0000000004AD3000-memory.dmp

                  Filesize

                  460KB

                  Download

                • memory/3208-35-0x0000000004A60000-0x0000000004AD3000-memory.dmp

                  Filesize

                  460KB

                  Download

                • memory/3208-36-0x0000000004A60000-0x0000000004AD3000-memory.dmp

                  Filesize

                  460KB

                  Download

                • memory/3208-37-0x0000000004A60000-0x0000000004AD3000-memory.dmp

                  Filesize

                  460KB

                  Download

                • memory/3208-38-0x0000000004A60000-0x0000000004AD3000-memory.dmp

                  Filesize

                  460KB

                  Download

                • memory/3208-39-0x0000000004A60000-0x0000000004AD3000-memory.dmp

                  Filesize

                  460KB

                  Download