Analysis

max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-09-2024 13:42

Static task: static1
Behavioral task: behavioral1
Sample: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
Resource: win7-20240903-en
General

Target: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
Size: 1.8MB
MD5: b6a1d5e330810ef9470b06cf58a9ff36
SHA1: 386658f0a415ef445052be60c8af53b1a8f06bbe
SHA256: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3
SHA512: fba6477b755051530f85b62767d37e818bfd74ae5614d44d572d7d10d15cfeb468b994383b13e2099222d2b193943327da07a613c305cdb94763ace30b6610a8
SSDEEP: 24576:GwGCvqvONhfHbRaFxu6waFZVM4vCpV9UKVUewB2fNOlK+3rVhO3YDUPIUV7Zc4DT:GwTy2xRaeaFY/9UZJ8eJwoIgM7iEuy
Malware Config

Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
Attributes:
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php

Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
Attributes:
  url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 4 IoCs]
Processes: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe, svoutse.exe, d1abf106e8.exe, 67ca6fcd1a.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d1abf106e8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 67ca6fcd1a.exe
Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 8 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes: svoutse.exe, d1abf106e8.exe, 67ca6fcd1a.exe, 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d1abf106e8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d1abf106e8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 67ca6fcd1a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 67ca6fcd1a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
Executes dropped EXE [4 IoCs]
Processes: svoutse.exe, d1abf106e8.exe, 67ca6fcd1a.exe, 6fecfc73f1.exe
pid | process
2812 | svoutse.exe
2712 | d1abf106e8.exe
952 | 67ca6fcd1a.exe
1712 | 6fecfc73f1.exe
Identifies Wine through registry keys [2 TTPs, 4 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe, svoutse.exe, d1abf106e8.exe, 67ca6fcd1a.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | d1abf106e8.exe
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | 67ca6fcd1a.exe
Loads dropped DLL [6 IoCs]
Processes: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe, svoutse.exe
pid | process
1680 | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
2812 | svoutse.exe (5 entries)
Adds Run key to start application [2 TTPs, 1 IoCs]
Processes: svoutse.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\67ca6fcd1a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\67ca6fcd1a.exe" | svoutse.exe
AutoIT Executable [1 IoCs]
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000033001\6fecfc73f1.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger [4 IoCs]
Processes: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe, svoutse.exe, d1abf106e8.exe, 67ca6fcd1a.exe
pid | process
1680 | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
2812 | svoutse.exe
2712 | d1abf106e8.exe
952 | 67ca6fcd1a.exe
Drops file in Windows directory [1 IoCs]
Processes: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery [1 TTPs, 5 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe, svoutse.exe, d1abf106e8.exe, 67ca6fcd1a.exe, 6fecfc73f1.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d1abf106e8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 67ca6fcd1a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6fecfc73f1.exe
Suspicious behavior: EnumeratesProcesses [4 IoCs]
Processes: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe, svoutse.exe, d1abf106e8.exe, 67ca6fcd1a.exe
pid | process
1680 | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
2812 | svoutse.exe
2712 | d1abf106e8.exe
952 | 67ca6fcd1a.exe
Suspicious use of FindShellTrayWindow [64 IoCs]
Processes: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe, 6fecfc73f1.exe
pid | process
1680 | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe
1712 | 6fecfc73f1.exe (63 entries)
Suspicious use of SendNotifyMessage [64 IoCs]
Processes: 6fecfc73f1.exe
pid | process
1712 | 6fecfc73f1.exe (64 entries)
Suspicious use of WriteProcessMemory [16 IoCs]
Processes: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe, svoutse.exe
description | pid | process | target process
PID 1680 wrote to memory of 2812 | 1680 | 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe | svoutse.exe (4 entries)
PID 2812 wrote to memory of 2712 | 2812 | svoutse.exe | d1abf106e8.exe (4 entries)
PID 2812 wrote to memory of 952 | 2812 | svoutse.exe | 67ca6fcd1a.exe (4 entries)
PID 2812 wrote to memory of 1712 | 2812 | svoutse.exe | 6fecfc73f1.exe (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1680

  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2812

    C:\Users\Admin\AppData\Roaming\1000026000\d1abf106e8.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\1000026000\d1abf106e8.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2712

    C:\Users\Admin\AppData\Local\Temp\1000030001\67ca6fcd1a.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\67ca6fcd1a.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 952

    C:\Users\Admin\AppData\Local\Temp\1000033001\6fecfc73f1.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\6fecfc73f1.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1712
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.8MB
MD5: b6a1d5e330810ef9470b06cf58a9ff36
SHA1: 386658f0a415ef445052be60c8af53b1a8f06bbe
SHA256: 490c24efe5ee7485a135c0f185fdd9f44ecc0403a20cba3970adddd5f2d973a3
SHA512: fba6477b755051530f85b62767d37e818bfd74ae5614d44d572d7d10d15cfeb468b994383b13e2099222d2b193943327da07a613c305cdb94763ace30b6610a8

Filesize: 896KB
MD5: 0df4978ab22502c7ae122ab13a255448
SHA1: 845169633a45d0bc64c4799c0b5118ce6148131f
SHA256: e2a03fd46d56cb79ec4c0cbef9e6fe2bd3067418f81f77355c908cfeae03ee76
SHA512: d1b2a6ac51348f698f4d06ba62be48150fc7e1c0fdb1a99853caf555c3afcf76eea26a5862768c54a113bef2d5ee84d8c5f49c1903fecc7e15ee0282b903a69a

Filesize: 1.7MB
MD5: c06c4e6ed6f4c67541e9cdacb508f653
SHA1: 0a587b8151e8634a48dd686157b45a2e0477093c
SHA256: 75406b44f46f30aed814150ed323b10f34d6e68b585a75b6e9796f556f1cd691
SHA512: 93f7d6ee59b28bf72d1bfe16c5482d9fa0e1eb0f8ce9b901dc31a66b07e2e65cf21972723c90d5f86826d2cad53d126f18f1ae085416cc203059fa3c13d71440