a5f647be9200c9cd82fd0bdd8b86fa6a8ed958fbc7e1651ea7e921c282a17f1f

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Obsidian.exe
Size

168.6MB
MD5

6b3e671d285ce41b4cffce8801e33823
SHA1

1b498e965ef09e49432c247d2797de6530991a19
SHA256

2156f15d12da8cc292fe0cc1884f32410fa187fede67beb6102cfcdc6442fbe2
SHA512

55826ccafe3c762f14b87c3e35b24f209f13acef7c3012c6ccdd99da0ca8fdbacd863ad5e59eb58dfffd1a7f861569275905257792b89170be726cd02ce87b91
SSDEEP

1572864:+lQpYev78Sb44qXDyALwp/bOrCDvQSTDlsySb65hutPJEfZMq38H6m/02km5p+Wr:8eHpSGDqMnyiL0Kc

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Obsidian.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Obsidian.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\obsidian\shell	Obsidian.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\obsidian\shell\open	Obsidian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\obsidian\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Obsidian.exe\" \"%1\""	Obsidian.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\obsidian	Obsidian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\obsidian\URL Protocol	Obsidian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\obsidian\ = "URL:obsidian"	Obsidian.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\obsidian\shell\open\command	Obsidian.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe
Token: SeShutdownPrivilege	2396	Obsidian.exe
Token: SeCreatePagefilePrivilege	2396	Obsidian.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 2928	2396	Obsidian.exe	87
PID 2396 wrote to memory of 3788	2396	Obsidian.exe	88
PID 2396 wrote to memory of 3788	2396	Obsidian.exe	88
PID 2396 wrote to memory of 3888	2396	Obsidian.exe	89
PID 2396 wrote to memory of 3888	2396	Obsidian.exe	89
PID 2396 wrote to memory of 2468	2396	Obsidian.exe	103
PID 2396 wrote to memory of 2468	2396	Obsidian.exe	103

C:\Users\Admin\AppData\Local\Temp\Obsidian.exe
"C:\Users\Admin\AppData\Local\Temp\Obsidian.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\Obsidian.exe
  "C:\Users\Admin\AppData\Local\Temp\Obsidian.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\obsidian" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1732,i,6940818586933055406,14440569876139687585,262144 --enable-features=SharedArrayBuffer,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:2
  2⤵
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\Obsidian.exe
  "C:\Users\Admin\AppData\Local\Temp\Obsidian.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\obsidian" --standard-schemes=app --secure-schemes=app --fetch-schemes=app --streaming-schemes=app --code-cache-schemes=app --field-trial-handle=2176,i,6940818586933055406,14440569876139687585,262144 --enable-features=SharedArrayBuffer,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:3788
- C:\Users\Admin\AppData\Local\Temp\Obsidian.exe
  "C:\Users\Admin\AppData\Local\Temp\Obsidian.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\obsidian" --standard-schemes=app --secure-schemes=app --fetch-schemes=app --streaming-schemes=app --code-cache-schemes=app --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2464,i,6940818586933055406,14440569876139687585,262144 --enable-features=SharedArrayBuffer,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2460 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3888
- C:\Users\Admin\AppData\Local\Temp\Obsidian.exe
  "C:\Users\Admin\AppData\Local\Temp\Obsidian.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\obsidian" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3172,i,6940818586933055406,14440569876139687585,262144 --enable-features=SharedArrayBuffer,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1188 /prefetch:8
  2⤵
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\obsidian\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
37ee1ac140ebec8ca0c423c6304b512d

SHA1
5819fd566b6e5574b1a75ea9ae966ceed0fe9461

SHA256
8c016eaea6abd22595ef9a485ddc35352adb1e1b74dbcf4b3b73402fb1391041

SHA512
ac335e5d707f6ac04bea379cc755eefa65cb3b00aa7b2208dff70ae84f82ab65b18771348575de8f682b7f39bc5bf50df7c93d4d0336b36d2149e20b9cf3b0a9

Download Submit
C:\Users\Admin\AppData\Roaming\obsidian\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
17449e76449d9326dfa5aef3419bbc5a

SHA1
fe5a789cdd79266c7a159ebae087b67a90b2ccb6

SHA256
ae5ea6e240c668ed10c40475bbe21e9126edf1e6cc5bcc7b2f114858b85e46d8

SHA512
a76efdf768241d4d63b64e47928923aed1eec1bdf919d66b38b67ae21aa80e7cb2436dce6783d08cf7b53319a73897c7cf1b59b61a9ad0388a99fa6b37dce03e

Download Submit
C:\Users\Admin\AppData\Roaming\obsidian\Network\Network Persistent State

Filesize
469B

MD5
ef6c28a3229f80a0ceb7b6a82c1d94b0

SHA1
993408ad12aa28680ce82c4b1c11d18bb26fb49a

SHA256
47842f9d0a6f6f84ba47b9bfe29dbbf174dab805569e9c3efee3e857e3601391

SHA512
c39154c9d2faf7aacb8736396a12ccb350185d73730f2ee495ccc93e8af77c0025451c649074d62caf78c221c61f455379766c682b779b05b8b64d7902d25ad8

Download Submit
C:\Users\Admin\AppData\Roaming\obsidian\Network\Network Persistent State~RFe589fd5.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit