Overview

overview

10

Static

static

1

8299e1c15b...ab.exe

windows7-x64

10

8299e1c15b...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/02/2024, 03:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab.exe

  • Size

    1.0MB

  • MD5

    13125bd66d02c013b3eda2c69aff4ef3

  • SHA1

    3b70cc23e7877fea920e0260ef6fd9b56076930c

  • SHA256

    8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab

  • SHA512

    e6931d70ef77f638fe15e463e9a77f246913501faf1dc10ea09d57558d19c65191c7025dda80d45e947e45eb01ef4807fe7ab0ad7f84f26b55eb717e2b4c1280

  • SSDEEP

    24576:RtLWjQcTsLY9K9ZZqf5MoLtaumQ1dpx8pUO0LV:3L6L6Y9KXZqf5LLl1jrfJ

Score
10/10
observerstealer

Malware Config

Extracted

Family

observer

C2

http://5.42.66.25:3000

Signatures

  • Observer

    Observer is an infostealer written in C++.

    stealerobserver
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab.exe
    "C:\Users\Admin\AppData\Local\Temp\8299e1c15b75e38fbd3aca4b5e64ee8994d48458023764c9f899604f8a11cdab.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4712
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        3⤵
          PID:640
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3332
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          3⤵
            PID:2764
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 21522
            3⤵
              PID:1964
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond 21522\Awareness.pif
              3⤵
                PID:4224
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c copy /b Subsequent + Controversy 21522\Q
                3⤵
                  PID:5068
                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21522\Awareness.pif
                  21522\Awareness.pif 21522\Q
                  3⤵
                  • Deletes itself
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:3592
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1500
                    4⤵
                    • Program crash
                    PID:2856
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1508
                    4⤵
                    • Program crash
                    PID:4100
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 5 localhost
                  3⤵
                  • Runs ping.exe
                  PID:3372
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3592 -ip 3592
              1⤵
                PID:1840
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3592 -ip 3592
                1⤵
                  PID:4520

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21522\Awareness.pif
                  Filesize

                  490KB

                  MD5

                  0282b516e6f1a8dc20901c929ad4cd17

                  SHA1

                  a5cad6887cd48eabf7b1c1535cd182ce88d94f03

                  SHA256

                  3340c3c9d080e25c742f0d82feb5e2f11316a054d648792e102d8a28acbcdfe2

                  SHA512

                  d15c1b687b4f7118bbd63c53823a3e4e14c0d761825c12d6db3b86dc5a79f3ef374d91ff1194daedafcf232b469ac3377e82d0bfac9f60b26125a1607e8818c4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21522\Q
                  Filesize

                  57KB

                  MD5

                  b0d7838bdaf4203347500c20b3b277af

                  SHA1

                  9eaa76373a1eadb0be3f2461e6bdfb403258bc34

                  SHA256

                  db59fe0099cbca803173355765f400669bd3267b3d95af7a114e9bbbeb5fbd5f

                  SHA512

                  5ecaec79ced5e8c5c219ba83cc6cbca3f556c5887567d46cb9f3f2722d52f36070429b1fc25ef7c8a5d6f54a3f9fab8368c08b7bbc326deef12d5573489b1228

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bathrooms
                  Filesize

                  11KB

                  MD5

                  b1ef379960b1cc12b80454174ef222b3

                  SHA1

                  e85d00b4822433613e0d1523abc1edc4220421fe

                  SHA256

                  cc9605d93f0b3536ea951b84f3fbe3d0196f361de2276038165ceb2200c92c7b

                  SHA512

                  7a62f6413986032298a8baaed564becbadd24ed70949d64ef3411fbec488b82820c04d7c250165ea57371784168710403f94940acae8a97ff10ace57c27ec2a8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Compound
                  Filesize

                  277KB

                  MD5

                  2ec41cd75e4e41ee8c1b1e0b9d31c7e4

                  SHA1

                  1ae820229667223c05471140f04486174f818306

                  SHA256

                  703e01cdb77a38db64afbcc43b8567a808dd0e5702eab102e16364437ceb2420

                  SHA512

                  46ea1d8606dedad2acd591c7591956925065952465423f1f77431e5b55de2955fe5db8ab8a46d92ef5ca0458e09a0dfa99461d6c849c0818f28d3863b358649d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Controversy
                  Filesize

                  432KB

                  MD5

                  646bb04049cee0a56192d2837d687ccd

                  SHA1

                  01579c8a98bdb098719e3398d3f234920b402d71

                  SHA256

                  808a6e79cff289bff2698b185e747ccd5d6c373b1c9fdf8128a9443ac90217ae

                  SHA512

                  f7dfeda6a5abffde61898fc12596f41a3de5d12a0c9498d0b7a1d0c374ce4527691968aa6d67c91b3d706d57e96c45b96f400ad26d1120886f374fcbb7893ece

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Emotions
                  Filesize

                  222KB

                  MD5

                  041ce253674ba21b9d38fc9fde7f054a

                  SHA1

                  7a59249c38c6a5bfe7766d2b5ac226a9cfd408d1

                  SHA256

                  a2d9ac3903c9299a993206ec17f7ec8e06bee2293239e8a8b517eef561de2d3d

                  SHA512

                  48ed73cb5f6872980018050a07741e08cf3abb3b7a1365eac635906b832c9963330d7523e21ac6a0f5c40485daea78df206d04a4c51c5ff9aec424f56edcd2e1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Injection
                  Filesize

                  117KB

                  MD5

                  246eaad20996e50d7ef60b9200bd9651

                  SHA1

                  65d11b058e25e584ce67489c1ccfd85d09f15d0c

                  SHA256

                  851183e54980e91bdc772a752f738547841b22629afc14d05da9c954f320127a

                  SHA512

                  a0c24a4792afbc20f9b166e7a8764016409acd474091a0978d4b2dfd061ca142103549d19459f23d1dbdb0e624395c1258b8a609c6c283992ff625891e83eefd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Participants
                  Filesize

                  167KB

                  MD5

                  f8f388e977f31c5fe1748541b54920ae

                  SHA1

                  e7136e52621f93ffb84325b57e98985ebc6512c1

                  SHA256

                  a8fd7c611b67f141db0423e5069f0e6fa5e8b4d441f920ceb0378692a2528754

                  SHA512

                  98d423d056f2bf9e63651d0106a6bf96af135c8f190e34222ba72786b5f2bab5ad8ffe82df47e34ba446fca03d3db3f7bc3b033774b79edffe6262f813b84e52

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Richmond
                  Filesize

                  21KB

                  MD5

                  1ca5141d992262432ba4fff828d7d092

                  SHA1

                  5e9aec92c0e85c0b7f576bf18adba9e3c3e93897

                  SHA256

                  9f7a626c7d33e97f707c415aeeb3f8f3697edd0988fee6b3be07e9a02b74ba75

                  SHA512

                  198e63037f7906681467daed4cffc6b07885ade1d80b5855746fe02c2d86689e1c6dbae6432784d67fe092e041e4943de846e0aa791bdc5c5a5e08da06af0242

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Subsequent
                  Filesize

                  426KB

                  MD5

                  c42dc09d03678e36fcd19b13b8f8e502

                  SHA1

                  be31c2f6e43f87a56eeea107ca20822f5d2b6c52

                  SHA256

                  4e84c8cea810d1466db293cb934b60e10067d34c851a2eff44894c60681810f0

                  SHA512

                  fd5028a518bbdfaddf75e6d2ce10956bd573535ab3f4f17aad11062711b10259c1983a2627ce283c49ee768148e993f4f0453304f8b0b2461e9c0c5b6ac29ad2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Worm
                  Filesize

                  120KB

                  MD5

                  8b9a2094874a50a5d6611512322a41df

                  SHA1

                  649b2fc4751a857ac795637890c3ffd1a1f6c069

                  SHA256

                  5dbffacd5038833530ba781b5b1a020e504257ae796793b3b47c516549a9be0f

                  SHA512

                  f5a4e4460e1881e8a6e6db0e21d59efc4e635e2ba6c8620856d27e7b940f1f7784846e3fa7a8e5468506a7db6397ec411325bd60ea8c9f833bbcccc1a523491d

                  Download Submit

                • memory/3592-32-0x0000000077A11000-0x0000000077B31000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/3592-33-0x0000000005940000-0x0000000005941000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3592-34-0x0000000005C10000-0x0000000005C83000-memory.dmp

                  Filesize

                  460KB

                  Download

                • memory/3592-35-0x0000000005C10000-0x0000000005C83000-memory.dmp

                  Filesize

                  460KB

                  Download

                • memory/3592-36-0x0000000005C10000-0x0000000005C83000-memory.dmp

                  Filesize

                  460KB

                  Download

                • memory/3592-37-0x0000000005C10000-0x0000000005C83000-memory.dmp

                  Filesize

                  460KB

                  Download

                • memory/3592-38-0x0000000005C10000-0x0000000005C83000-memory.dmp

                  Filesize

                  460KB

                  Download

                • memory/3592-39-0x0000000005C10000-0x0000000005C83000-memory.dmp

                  Filesize

                  460KB

                  Download