Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 09-09-2024 15:37

Static task: static1
Behavioral task: behavioral1
Sample: c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
Resource: win7-20240729-en
General
Target: c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
Size: 1.8MB
MD5: d5fcf8cf3ca99a694ee9b8a97776e64a
SHA1: 07542ce45f902bdc773702e17621cc600d3df50b
SHA256: c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
SHA512: 90da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e
SSDEEP: 49152:Bjnly4R2PVRilKbs9cRs+Ams7U9N2hk1:BjljR2dol0sMfzKhk1
Malware Config

Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 4 IoCs
Processes:
- c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 03ba3e42c0.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 578cfbf4fd.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Downloads MZ/PE file

Checks BIOS information in registry - 2 TTPs, 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- 03ba3e42c0.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 03ba3e42c0.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- 578cfbf4fd.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 578cfbf4fd.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Executes dropped EXE - 4 IoCs
Processes:
- PID 2788 svoutse.exe
- PID 2820 03ba3e42c0.exe
- PID 2852 578cfbf4fd.exe
- PID 768 055c74b852.exe
Identifies Wine through registry keys - 2 TTPs, 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe: Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine
- svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine
- 03ba3e42c0.exe: Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine
- 578cfbf4fd.exe: Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine
Loads dropped DLL - 6 IoCs
Processes:
- PID 2340 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
- PID 2788 svoutse.exe (5 entries)

Adds Run key to start application - 2 TTPs, 1 IoCs
Processes:
- svoutse.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\578cfbf4fd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\578cfbf4fd.exe"

AutoIT Executable - 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
- resource C:\Users\Admin\AppData\Local\Temp\1000033001\055c74b852.exe matched yara rule autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger - 4 IoCs
Processes:
- PID 2340 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
- PID 2788 svoutse.exe
- PID 2820 03ba3e42c0.exe
- PID 2852 578cfbf4fd.exe

Drops file in Windows directory - 1 IoCs
Processes:
- c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe: File created C:\Windows\Tasks\svoutse.job

Enumerates physical storage devices - 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery - 1 TTPs, 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- svoutse.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 03ba3e42c0.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 578cfbf4fd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 055c74b852.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses - 4 IoCs
Processes:
- PID 2340 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
- PID 2788 svoutse.exe
- PID 2820 03ba3e42c0.exe
- PID 2852 578cfbf4fd.exe

Suspicious use of FindShellTrayWindow - 64 IoCs
Processes:
- PID 2340 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe (1 entry)
- PID 768 055c74b852.exe (remaining 63 entries)

Suspicious use of SendNotifyMessage - 64 IoCs
Processes:
- PID 768 055c74b852.exe (64 entries)

Suspicious use of WriteProcessMemory - 16 IoCs
Processes (source PID, source process, target PID, target process):
- PID 2340 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe wrote to memory of PID 2788 svoutse.exe (4 entries)
- PID 2788 svoutse.exe wrote to memory of PID 2820 03ba3e42c0.exe (4 entries)
- PID 2788 svoutse.exe wrote to memory of PID 2852 578cfbf4fd.exe (4 entries)
- PID 2788 svoutse.exe wrote to memory of PID 768 055c74b852.exe (4 entries)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe"
PID: 2340
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  PID: 2788
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe
    Command line: "C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe"
    PID: 2820
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

    Depth 3: C:\Users\Admin\AppData\Local\Temp\1000030001\578cfbf4fd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\578cfbf4fd.exe"
    PID: 2852
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

    Depth 3: C:\Users\Admin\AppData\Local\Temp\1000033001\055c74b852.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\055c74b852.exe"
    PID: 768
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.8MB
MD5: d5fcf8cf3ca99a694ee9b8a97776e64a
SHA1: 07542ce45f902bdc773702e17621cc600d3df50b
SHA256: c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
SHA512: 90da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e

Filesize: 896KB
MD5: 2801358ac519754c48b748365a57fdc0
SHA1: c8e7b39b9172409eabcabe54b2a224d1a24e328a
SHA256: 563f6936421d587af73cab59d466deb7bfe961fd7bb119b3366f20bb5be45915
SHA512: 2b21599bd4d9035e3b2c367342c824c52133c28e0b4103ce1bd5933bc15b6380d56a694fa97fad973fe2b8a37115b3cbb9ab4a5c13fabd76a6c750e97d04c2db

Filesize: 1.7MB
MD5: 110750350e3f833d4de59ed0c7dd1b08
SHA1: ff21c68dad2c4733ced39aabd130e0406a56ed58
SHA256: d89f747d96c84dcd1a704731dd4261f6eb69f1498a05cae00a4635169ce5ec20
SHA512: df963df25b627e0aa446c0170acbfd3589d0b243eae8c34d84cd77940ee1d58b90f4a4739c10053eedd3dc1036a20aaf8cf202c8ed991b487712137ec0d52493