observer | 8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab.exe
Size

1.0MB
MD5

13125bd66d02c013b3eda2c69aff4ef3
SHA1

3b70cc23e7877fea920e0260ef6fd9b56076930c
SHA256

8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab
SHA512

e6931d70ef77f638fe15e463e9a77f246913501faf1dc10ea09d57558d19c65191c7025dda80d45e947e45eb01ef4807fe7ab0ad7f84f26b55eb717e2b4c1280
SSDEEP

24576:RtLWjQcTsLY9K9ZZqf5MoLtaumQ1dpx8pUO0LV:3L6L6Y9KXZqf5LLl1jrfJ

Score

10^/10

observer stealer

Malware Config

Extracted

Family

observer

http://5.42.66.25:3000

Signatures

Observer
Observer is an infostealer written in C++.
stealer observer

Deletes itself 1 IoCs

pid	Process
2644	Awareness.pif

Executes dropped EXE 1 IoCs

pid	Process
2644	Awareness.pif

Loads dropped DLL 1 IoCs

pid	Process
2968	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2156	tasklist.exe
2980	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2780	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2644	Awareness.pif
2644	Awareness.pif
2644	Awareness.pif
2644	Awareness.pif
2644	Awareness.pif
2644	Awareness.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	tasklist.exe
Token: SeDebugPrivilege	2980	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2644	Awareness.pif
2644	Awareness.pif
2644	Awareness.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2644	Awareness.pif
2644	Awareness.pif
2644	Awareness.pif

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2968	2896	8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab.exe	30
PID 2896 wrote to memory of 2968	2896	8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab.exe	30
PID 2896 wrote to memory of 2968	2896	8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab.exe	30
PID 2896 wrote to memory of 2968	2896	8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab.exe	30
PID 2968 wrote to memory of 2156	2968	cmd.exe	32
PID 2968 wrote to memory of 2156	2968	cmd.exe	32
PID 2968 wrote to memory of 2156	2968	cmd.exe	32
PID 2968 wrote to memory of 2156	2968	cmd.exe	32
PID 2968 wrote to memory of 2720	2968	cmd.exe	31
PID 2968 wrote to memory of 2720	2968	cmd.exe	31
PID 2968 wrote to memory of 2720	2968	cmd.exe	31
PID 2968 wrote to memory of 2720	2968	cmd.exe	31
PID 2968 wrote to memory of 2980	2968	cmd.exe	35
PID 2968 wrote to memory of 2980	2968	cmd.exe	35
PID 2968 wrote to memory of 2980	2968	cmd.exe	35
PID 2968 wrote to memory of 2980	2968	cmd.exe	35
PID 2968 wrote to memory of 2852	2968	cmd.exe	34
PID 2968 wrote to memory of 2852	2968	cmd.exe	34
PID 2968 wrote to memory of 2852	2968	cmd.exe	34
PID 2968 wrote to memory of 2852	2968	cmd.exe	34
PID 2968 wrote to memory of 2624	2968	cmd.exe	36
PID 2968 wrote to memory of 2624	2968	cmd.exe	36
PID 2968 wrote to memory of 2624	2968	cmd.exe	36
PID 2968 wrote to memory of 2624	2968	cmd.exe	36
PID 2968 wrote to memory of 2148	2968	cmd.exe	37
PID 2968 wrote to memory of 2148	2968	cmd.exe	37
PID 2968 wrote to memory of 2148	2968	cmd.exe	37
PID 2968 wrote to memory of 2148	2968	cmd.exe	37
PID 2968 wrote to memory of 2868	2968	cmd.exe	38
PID 2968 wrote to memory of 2868	2968	cmd.exe	38
PID 2968 wrote to memory of 2868	2968	cmd.exe	38
PID 2968 wrote to memory of 2868	2968	cmd.exe	38
PID 2968 wrote to memory of 2644	2968	cmd.exe	40
PID 2968 wrote to memory of 2644	2968	cmd.exe	40
PID 2968 wrote to memory of 2644	2968	cmd.exe	40
PID 2968 wrote to memory of 2644	2968	cmd.exe	40
PID 2968 wrote to memory of 2780	2968	cmd.exe	39
PID 2968 wrote to memory of 2780	2968	cmd.exe	39
PID 2968 wrote to memory of 2780	2968	cmd.exe	39
PID 2968 wrote to memory of 2780	2968	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab.exe
"C:\Users\Admin\AppData\Local\Temp\8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 21493
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond 21493\Awareness.pif
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Subsequent + Controversy 21493\Q
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21493\Awareness.pif
    21493\Awareness.pif 21493\Q
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21493\Awareness.pif

Filesize
638KB

MD5
5efd07bcd33e23e2c6e8308c3157f58c

SHA1
e136943297d9de8d16f02d2a5b88900af46684c3

SHA256
838d3a1f3ad49db6130097455c2191dc783cc4e212f1b0174e67f29d12af2ca1

SHA512
35c4d46583585633cbb9a6ac775dcbb14bc84b4a1f0b40f5012658a1b479938a6e423f0f854da1b4c5b0bece7090411e4097ddd05106f9c1f6f4b9f6ac4e166e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21493\Awareness.pif

Filesize
576KB

MD5
c1fb2f7fdf2d99d9f160ce449f87377e

SHA1
020e984a2b5ac883648f7470e3e547c953cf8946

SHA256
dc9b944eb3ffb6b6a4f4dadcf4fe248a03202532271061700c925a69e3a4eccb

SHA512
6c097590731a4c0e101dc704fc40c0dcc7d57bf800cab5ba69cc8ea1bc0a905876fad30236e37bee79da6ccab645920e0f00bad0b5c26a6faaeaa90b86580f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21493\Q

Filesize
572KB

MD5
66be2c9224205a40606b703137121af2

SHA1
f40d19fd1b2d01e9006b2dbe22622417c5315b69

SHA256
a4469e1c596ef2a47a67cb196f41a934c025d9c08fdedd2cb5a2c50ac079d02c

SHA512
b8971e98dc54611c30c959913c55dbce62ca424e455a782265c44248e75ef1df835c4c1a515519783e71411706422eceec4810ed2047435531ea21cf2405f0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bathrooms

Filesize
11KB

MD5
b1ef379960b1cc12b80454174ef222b3

SHA1
e85d00b4822433613e0d1523abc1edc4220421fe

SHA256
cc9605d93f0b3536ea951b84f3fbe3d0196f361de2276038165ceb2200c92c7b

SHA512
7a62f6413986032298a8baaed564becbadd24ed70949d64ef3411fbec488b82820c04d7c250165ea57371784168710403f94940acae8a97ff10ace57c27ec2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Compound

Filesize
277KB

MD5
2ec41cd75e4e41ee8c1b1e0b9d31c7e4

SHA1
1ae820229667223c05471140f04486174f818306

SHA256
703e01cdb77a38db64afbcc43b8567a808dd0e5702eab102e16364437ceb2420

SHA512
46ea1d8606dedad2acd591c7591956925065952465423f1f77431e5b55de2955fe5db8ab8a46d92ef5ca0458e09a0dfa99461d6c849c0818f28d3863b358649d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Controversy

Filesize
432KB

MD5
646bb04049cee0a56192d2837d687ccd

SHA1
01579c8a98bdb098719e3398d3f234920b402d71

SHA256
808a6e79cff289bff2698b185e747ccd5d6c373b1c9fdf8128a9443ac90217ae

SHA512
f7dfeda6a5abffde61898fc12596f41a3de5d12a0c9498d0b7a1d0c374ce4527691968aa6d67c91b3d706d57e96c45b96f400ad26d1120886f374fcbb7893ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Emotions

Filesize
222KB

MD5
041ce253674ba21b9d38fc9fde7f054a

SHA1
7a59249c38c6a5bfe7766d2b5ac226a9cfd408d1

SHA256
a2d9ac3903c9299a993206ec17f7ec8e06bee2293239e8a8b517eef561de2d3d

SHA512
48ed73cb5f6872980018050a07741e08cf3abb3b7a1365eac635906b832c9963330d7523e21ac6a0f5c40485daea78df206d04a4c51c5ff9aec424f56edcd2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Injection

Filesize
117KB

MD5
246eaad20996e50d7ef60b9200bd9651

SHA1
65d11b058e25e584ce67489c1ccfd85d09f15d0c

SHA256
851183e54980e91bdc772a752f738547841b22629afc14d05da9c954f320127a

SHA512
a0c24a4792afbc20f9b166e7a8764016409acd474091a0978d4b2dfd061ca142103549d19459f23d1dbdb0e624395c1258b8a609c6c283992ff625891e83eefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Participants

Filesize
167KB

MD5
f8f388e977f31c5fe1748541b54920ae

SHA1
e7136e52621f93ffb84325b57e98985ebc6512c1

SHA256
a8fd7c611b67f141db0423e5069f0e6fa5e8b4d441f920ceb0378692a2528754

SHA512
98d423d056f2bf9e63651d0106a6bf96af135c8f190e34222ba72786b5f2bab5ad8ffe82df47e34ba446fca03d3db3f7bc3b033774b79edffe6262f813b84e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Richmond

Filesize
21KB

MD5
1ca5141d992262432ba4fff828d7d092

SHA1
5e9aec92c0e85c0b7f576bf18adba9e3c3e93897

SHA256
9f7a626c7d33e97f707c415aeeb3f8f3697edd0988fee6b3be07e9a02b74ba75

SHA512
198e63037f7906681467daed4cffc6b07885ade1d80b5855746fe02c2d86689e1c6dbae6432784d67fe092e041e4943de846e0aa791bdc5c5a5e08da06af0242

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subsequent

Filesize
426KB

MD5
c42dc09d03678e36fcd19b13b8f8e502

SHA1
be31c2f6e43f87a56eeea107ca20822f5d2b6c52

SHA256
4e84c8cea810d1466db293cb934b60e10067d34c851a2eff44894c60681810f0

SHA512
fd5028a518bbdfaddf75e6d2ce10956bd573535ab3f4f17aad11062711b10259c1983a2627ce283c49ee768148e993f4f0453304f8b0b2461e9c0c5b6ac29ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Worm

Filesize
120KB

MD5
8b9a2094874a50a5d6611512322a41df

SHA1
649b2fc4751a857ac795637890c3ffd1a1f6c069

SHA256
5dbffacd5038833530ba781b5b1a020e504257ae796793b3b47c516549a9be0f

SHA512
f5a4e4460e1881e8a6e6db0e21d59efc4e635e2ba6c8620856d27e7b940f1f7784846e3fa7a8e5468506a7db6397ec411325bd60ea8c9f833bbcccc1a523491d

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21493\Awareness.pif

Filesize
591KB

MD5
53130f5cd00a1b5e9baed81c65b93542

SHA1
cc014fef1b53c7249067ab4f5704e1213fe3dd32

SHA256
a447751e742844ac852efa895cdb7420fafadfae3a15c7a2f579d9fb17aedb60

SHA512
50d454fee6bf85b586d7515174659f36e898192a5ad8cd9f98c6f2ec79b464d1446aeaf7e4015f174c8c93b87ffa0ed748357e7063cd963be33d8370e9b83dfd

Download Submit
memory/2644-33-0x0000000077370000-0x0000000077446000-memory.dmp

Filesize
856KB

Download
memory/2644-35-0x0000000003AA0000-0x0000000003B13000-memory.dmp

Filesize
460KB

Download
memory/2644-36-0x0000000003AA0000-0x0000000003B13000-memory.dmp

Filesize
460KB

Download
memory/2644-34-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2644-37-0x0000000003AA0000-0x0000000003B13000-memory.dmp

Filesize
460KB

Download
memory/2644-39-0x0000000003AA0000-0x0000000003B13000-memory.dmp

Filesize
460KB

Download
memory/2644-38-0x0000000003AA0000-0x0000000003B13000-memory.dmp

Filesize
460KB

Download
memory/2644-40-0x0000000003AA0000-0x0000000003B13000-memory.dmp

Filesize
460KB

Download