Analysis
- max time kernel: 150s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 01:41
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: 5e22456f1e641aa923720c764bdee39d.exe, win7-20240508-en
- behavioral2: 5e22456f1e641aa923720c764bdee39d.exe, win10v2004-20240611-en
- behavioral3: $PLUGINSDIR/SpiderBanner.dll, win7-20240419-en
- behavioral4: $PLUGINSDIR/SpiderBanner.dll, win10v2004-20240611-en
- behavioral5: $PLUGINSDIR/StdUtils.dll, win7-20240611-en
- behavioral6: $PLUGINSDIR/StdUtils.dll, win10v2004-20240508-en
- behavioral7: $PLUGINSDIR/System.dll, win7-20240508-en
- behavioral8: $PLUGINSDIR/System.dll, win10v2004-20240611-en
- behavioral9: $PLUGINSDIR/WinShell.dll, win7-20240611-en
- behavioral10: $PLUGINSDIR/WinShell.dll, win10v2004-20240226-en
- behavioral11: LICENSES.chromium.html, win7-20240508-en
- behavioral12: LICENSES.chromium.html, win10v2004-20240508-en
- behavioral13: Obsidian.exe, win7-20240508-en
- behavioral14: Obsidian.exe, win10v2004-20240508-en
- behavioral15: d3dcompiler_47.dll, win10v2004-20240611-en
- behavioral16: ffmpeg.dll, win7-20240221-en
- behavioral17: ffmpeg.dll, win10v2004-20240611-en
- behavioral18: libEGL.dll, win7-20231129-en
- behavioral19: libEGL.dll, win10v2004-20240508-en
- behavioral20: libGLESv2.dll, win7-20240221-en
- behavioral21: libGLESv2.dll, win10v2004-20240226-en
- behavioral22: resources/app.js, win7-20240611-en
- behavioral23: resources/app.js, win10v2004-20240508-en
- behavioral24: resources/app.asar.unpacked/node_modules/btime/binding.dll, win7-20231129-en
- behavioral25: resources/app.asar.unpacked/node_modules/btime/binding.dll, win10v2004-20240508-en
- behavioral26: resources/app.asar.unpacked/node_modules/get-fonts/binding.dll, win7-20240508-en
- behavioral27: resources/app.asar.unpacked/node_modules/get-fonts/binding.dll, win10v2004-20240611-en
- behavioral28: vk_swiftshader.dll, win7-20240221-en
- behavioral29: vk_swiftshader.dll, win10v2004-20240611-en
- behavioral30: vulkan-1.dll, win7-20240508-en
- behavioral31: vulkan-1.dll, win10v2004-20240508-en
- behavioral32: $PLUGINSDIR/nsExec.dll, win7-20240611-en
General
- Target: Obsidian.exe
- Size: 168.7MB
- MD5: 9e6830b2fefb386a0a4c65a5277ffab7
- SHA1: bf87fb7d3d99397bf03ae84e4866098555b94d24
- SHA256: 7742ba6e1edf4631ad63856c4ae51f39d7f1e5eb50420ea8e12b6d5c14b5a412
- SHA512: b6d00caa455dad635b8f34cc853572e755eb783c71f355fc796715c55dea92f716cc7b52577599907c9f020fd4c7885dc5dc0625290604fbc14628cc5bd7a6e7
- SSDEEP: 1572864:TOhiqBPiJU33xaD1gWcdcMPEDCNCgDX0Bf+NNvTPQYhl49RIuKj53fHcTLNKJF9i:XgmeNxNNQxqVO
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
  flow / ioc: flows 28, 3, 27, 8, 11, 31, 32, 33, 4 and 7, all to raw.githubusercontent.com
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (Obsidian.exe, 2 events)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF (Obsidian.exe)
  File created: \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF (Obsidian.exe)
- Modifies registry class (7 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\obsidian (Obsidian.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\obsidian\URL Protocol (Obsidian.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\obsidian\ = "URL:obsidian" (Obsidian.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\obsidian\shell\open\command (Obsidian.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\obsidian\shell (Obsidian.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\obsidian\shell\open (Obsidian.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\obsidian\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Obsidian.exe\" \"%1\"" (Obsidian.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1704 Obsidian.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeShutdownPrivilege, pid 3672 Obsidian.exe
  Token: SeCreatePagefilePrivilege, pid 3672 Obsidian.exe
  (the two entries alternate, 64 events in total)
- Suspicious use of WriteProcessMemory (36 IoCs)
  PID 3672 (Obsidian.exe) wrote to memory of 3836 (Obsidian.exe): 30 events
  PID 3672 (Obsidian.exe) wrote to memory of 1516 (Obsidian.exe): 2 events
  PID 3672 (Obsidian.exe) wrote to memory of 1872 (Obsidian.exe): 2 events
  PID 3672 (Obsidian.exe) wrote to memory of 1704 (Obsidian.exe): 2 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Obsidian.exe (PID 3672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Obsidian.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Obsidian.exe (PID 3836)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Obsidian.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\obsidian" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1744 --field-trial-handle=1752,i,13709281562533688934,7357689577998162402,262144 --enable-features=SharedArrayBuffer,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  - C:\Users\Admin\AppData\Local\Temp\Obsidian.exe (PID 1516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Obsidian.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\obsidian" --standard-schemes=app --secure-schemes=app --fetch-schemes=app --streaming-schemes=app --code-cache-schemes=app --mojo-platform-channel-handle=1816 --field-trial-handle=1752,i,13709281562533688934,7357689577998162402,262144 --enable-features=SharedArrayBuffer,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  - C:\Users\Admin\AppData\Local\Temp\Obsidian.exe (PID 1872)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Obsidian.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\obsidian" --standard-schemes=app --secure-schemes=app --fetch-schemes=app --streaming-schemes=app --code-cache-schemes=app --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2156 --field-trial-handle=1752,i,13709281562533688934,7357689577998162402,262144 --enable-features=SharedArrayBuffer,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
    Signatures: Checks computer location settings
  - C:\Users\Admin\AppData\Local\Temp\Obsidian.exe (PID 1704)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Obsidian.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\obsidian" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1180 --field-trial-handle=1752,i,13709281562533688934,7357689577998162402,262144 --enable-features=SharedArrayBuffer,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 48B
  MD5: 589117da020505f6f562908fabe591d2
  SHA1: a0cce386eb73ea88a961bc5541abd79adeb8e688
  SHA256: d0c1becea8d715e573a97da6d729102e0d1dc746b57ea7d0fb2636d048fc3056
  SHA512: 2c8eaa7e3f6a5cbd80b592faa560bcf41562f00df48d8b96c770ca7f29fa563bf43e0fb48b6924fcd906c7f179ae17dbcdf6a68c7c3576f3b8bb85d3f1d27609
- Filesize: 144B
  MD5: 638714fe95bc4bdd5446af9aaa8d3477
  SHA1: 9c93f0f64fa6263bbb3e0c3a4b2d593c4d8f76d6
  SHA256: 27563c0bdcc83f7ea047c4531f65442fb857c7989b292a1b1190ed065b4aaa64
  SHA512: 0d7e072eac008625599d00dc294ee3e57b108b84428c636f9c047e2000589550337c445c44e9870a0b17e8ff23db8a2c49a50387c2d629297be93ed261018299