Analysis

max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-09-2024 17:02
Static task: static1
Behavioral task: behavioral1
Sample: 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
Resource: win7-20240903-en
General

Target: 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
Size: 1.8MB
MD5: 30ac84841a731fa47a3ce25033db8449
SHA1: 7c2c107362576bd653e0dc6f96be4d7295d70889
SHA256: 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4
SHA512: d56c10c8af777e516ed343544c7b17eb5b1a9553c283da53728013adf1e5d572cf290be6502d25b42f8b617b36a754c39a320dfa4eb545e382de3689a3547e9f
SSDEEP: 49152:g5kAmXhdOEgEjSVfpIfEA9fXK92mGWuYn7KU5:gW/sVsdWLnGU
Malware Config

Extracted: amadey
4.41
c7817d
http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted: stealc
rave
http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by svoutse.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 9542106407.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by e94896403d.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 9542106407.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 9542106407.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by e94896403d.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by e94896403d.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by svoutse.exe

Executes dropped EXE (4 IoCs)
Processes:
- PID 2680 svoutse.exe
- PID 2296 9542106407.exe
- PID 2808 e94896403d.exe
- PID 2528 e94896403d.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine by 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine by svoutse.exe
- Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine by 9542106407.exe
- Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine by e94896403d.exe

Loads dropped DLL (6 IoCs)
Processes:
- PID 2672 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- PID 2680 svoutse.exe (5 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\e94896403d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\e94896403d.exe" by svoutse.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Resources:
- C:\Users\Admin\AppData\Local\Temp\1000033001\e94896403d.exe (yara_rule: autoit_exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
- PID 2672 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- PID 2680 svoutse.exe
- PID 2296 9542106407.exe
- PID 2808 e94896403d.exe

Drops file in Windows directory (1 IoC)
Processes:
- File created C:\Windows\Tasks\svoutse.job by 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svoutse.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 9542106407.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by e94896403d.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by e94896403d.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 2672 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- PID 2680 svoutse.exe
- PID 2296 9542106407.exe
- PID 2808 e94896403d.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
- PID 2672 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- PID 2528 e94896403d.exe (all remaining entries)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
- PID 2528 e94896403d.exe (all 64 entries)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
- PID 2672 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe wrote to memory of PID 2680 svoutse.exe (4 entries)
- PID 2680 svoutse.exe wrote to memory of PID 2296 9542106407.exe (4 entries)
- PID 2680 svoutse.exe wrote to memory of PID 2808 e94896403d.exe (4 entries)
- PID 2680 svoutse.exe wrote to memory of PID 2528 e94896403d.exe (4 entries)
Processes

Tree depth 1: C:\Users\Admin\AppData\Local\Temp\07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2672

Tree depth 2: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2680

Tree depth 3: C:\Users\Admin\AppData\Roaming\1000026000\9542106407.exe
Command line: "C:\Users\Admin\AppData\Roaming\1000026000\9542106407.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2296

Tree depth 3: C:\Users\Admin\AppData\Local\Temp\1000030001\e94896403d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\e94896403d.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2808

Tree depth 3: C:\Users\Admin\AppData\Local\Temp\1000033001\e94896403d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\e94896403d.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2528
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 896KB
MD5: af850fd36ef4f28bd1c92fd30feec5d1
SHA1: 5854cc232850fe8ce0d475c51ec14bf8e0f761ad
SHA256: 7605e6672cf788c7e666ce3855dad7a0aa7f69cff512ff22105ea3f189c2c382
SHA512: dd4c84e6b632058596207a5fbe675765c638b6fb0cf2d274ab387936d581153247b6e1ed51e746f87895489cd9a6d43913d38aec24e338de27034604505239f6

Filesize: 1.7MB
MD5: 110750350e3f833d4de59ed0c7dd1b08
SHA1: ff21c68dad2c4733ced39aabd130e0406a56ed58
SHA256: d89f747d96c84dcd1a704731dd4261f6eb69f1498a05cae00a4635169ce5ec20
SHA512: df963df25b627e0aa446c0170acbfd3589d0b243eae8c34d84cd77940ee1d58b90f4a4739c10053eedd3dc1036a20aaf8cf202c8ed991b487712137ec0d52493

Filesize: 1.8MB
MD5: 30ac84841a731fa47a3ce25033db8449
SHA1: 7c2c107362576bd653e0dc6f96be4d7295d70889
SHA256: 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4
SHA512: d56c10c8af777e516ed343544c7b17eb5b1a9553c283da53728013adf1e5d572cf290be6502d25b42f8b617b36a754c39a320dfa4eb545e382de3689a3547e9f