Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09-09-2024 13:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
- Resource: win7-20240903-en
General
- Target: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
- Size: 1.8MB
- MD5: 34c7ab92d1a35ce4ba88bc394e2a25f2
- SHA1: 72cec5d2f3bcd4c72a8bac0824655446220d0cf7
- SHA256: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476
- SHA512: e77e2efa1db8152eb8fdbd5247e6e399930ef77d3dc6fba0cf6098308415292949884f59fc895e3882baa2e333ecd0c55f9d55c043cfa846e3edddfab77076c0
- SSDEEP: 49152:dWY7UJXY0VXFJPjp4r9XSafQW8JGdjJw6FBPx54R3PGCNf:fcT7pa9iafQpJGFJ1rstf
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: c7817d
- C2: http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Extracted
- Family: stealc
- Botnet: rave
- C2: http://185.215.113.103
- url_path: /e2b1563c6670f193.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: svoutse.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 783b44f53c.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: b939a4f269.exe)
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: svoutse.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: svoutse.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 783b44f53c.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 783b44f53c.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: b939a4f269.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: b939a4f269.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe)
Executes dropped EXE (4 IoCs)
Processes:
- PID 2856: svoutse.exe
- PID 1968: 783b44f53c.exe
- PID 2108: b939a4f269.exe
- PID 660: ecd7a7f447.exe
Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine (process: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine (process: svoutse.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine (process: 783b44f53c.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine (process: b939a4f269.exe)
Loads dropped DLL (6 IoCs)
Processes:
- PID 2112: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe (1 entry)
- PID 2856: svoutse.exe (5 entries)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\b939a4f269.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\b939a4f269.exe" (process: svoutse.exe)
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\1000033001\ecd7a7f447.exe (yara_rule: autoit_exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
- PID 2112: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
- PID 2856: svoutse.exe
- PID 1968: 783b44f53c.exe
- PID 2108: b939a4f269.exe
Drops file in Windows directory (1 IoCs)
Processes:
- File created: C:\Windows\Tasks\svoutse.job (process: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svoutse.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 783b44f53c.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b939a4f269.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecd7a7f447.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 2112: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
- PID 2856: svoutse.exe
- PID 1968: 783b44f53c.exe
- PID 2108: b939a4f269.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
- PID 2112: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe (1 entry)
- PID 660: ecd7a7f447.exe (all remaining entries)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
- PID 660: ecd7a7f447.exe (all entries)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
- PID 2112 (2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe) wrote to memory of PID 2856 (svoutse.exe): 4 entries
- PID 2856 (svoutse.exe) wrote to memory of PID 1968 (783b44f53c.exe): 4 entries
- PID 2856 (svoutse.exe) wrote to memory of PID 2108 (b939a4f269.exe): 4 entries
- PID 2856 (svoutse.exe) wrote to memory of PID 660 (ecd7a7f447.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe (depth 1, PID 2112)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (depth 2, PID 2856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\1000026000\783b44f53c.exe (depth 3, PID 1968)
      Command line: "C:\Users\Admin\AppData\Roaming\1000026000\783b44f53c.exe"
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\1000030001\b939a4f269.exe (depth 3, PID 2108)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\b939a4f269.exe"
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\1000033001\ecd7a7f447.exe (depth 3, PID 660)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\ecd7a7f447.exe"
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.8MB
  MD5: 34c7ab92d1a35ce4ba88bc394e2a25f2
  SHA1: 72cec5d2f3bcd4c72a8bac0824655446220d0cf7
  SHA256: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476
  SHA512: e77e2efa1db8152eb8fdbd5247e6e399930ef77d3dc6fba0cf6098308415292949884f59fc895e3882baa2e333ecd0c55f9d55c043cfa846e3edddfab77076c0
- Filesize: 896KB
  MD5: 0df4978ab22502c7ae122ab13a255448
  SHA1: 845169633a45d0bc64c4799c0b5118ce6148131f
  SHA256: e2a03fd46d56cb79ec4c0cbef9e6fe2bd3067418f81f77355c908cfeae03ee76
  SHA512: d1b2a6ac51348f698f4d06ba62be48150fc7e1c0fdb1a99853caf555c3afcf76eea26a5862768c54a113bef2d5ee84d8c5f49c1903fecc7e15ee0282b903a69a
- Filesize: 1.7MB
  MD5: c06c4e6ed6f4c67541e9cdacb508f653
  SHA1: 0a587b8151e8634a48dd686157b45a2e0477093c
  SHA256: 75406b44f46f30aed814150ed323b10f34d6e68b585a75b6e9796f556f1cd691
  SHA512: 93f7d6ee59b28bf72d1bfe16c5482d9fa0e1eb0f8ce9b901dc31a66b07e2e65cf21972723c90d5f86826d2cad53d126f18f1ae085416cc203059fa3c13d71440