Analysis
- max time kernel: 144s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09-09-2024 19:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
- Resource: win10v2004-20240802-en
General
- Target: aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
- Size: 1.8MB
- MD5: 667ebda9be3da6ee8b9f1cc419d336ba
- SHA1: fb42333e24aac8e4d2989950cae402d7960f69b1
- SHA256: aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44
- SHA512: aa83123064683405ba88663dc56ca3011961fff14acb9de47130099ceb98a060f74ce5e3fb8e73425bc6755e51c8cb488381640f4aeed13aaff7fb117921753c
- SSDEEP: 49152:pPfiL6HREBxRnthwen62ZVG2SKqe1p6PVYRZcotq:pPfc6HsJwC60G2SKV1kV4w
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: c7817d
- C2: http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 295a9e1075.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 295a9e1075.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 295a9e1075.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe

Executes dropped EXE (5 IoCs)
Processes (pid | process):
- 3528 | svoutse.exe
- 432 | svoutse.exe
- 3128 | svoutse.exe
- 2912 | svoutse.exe
- 3984 | 295a9e1075.exe

Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine | svoutse.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine | 295a9e1075.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine | svoutse.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine | svoutse.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine | svoutse.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\295a9e1075.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\295a9e1075.exe" | svoutse.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes (pid | process):
- 3452 | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
- 3528 | svoutse.exe
- 432 | svoutse.exe
- 3128 | svoutse.exe
- 2912 | svoutse.exe
- 3984 | 295a9e1075.exe

Drops file in Windows directory (1 IoC)
Processes (description | ioc | process):
- File created | C:\Windows\Tasks\svoutse.job | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 295a9e1075.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 295a9e1075.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 295a9e1075.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid | process):
- 3452 | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
- 3452 | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
- 3528 | svoutse.exe
- 3528 | svoutse.exe
- 432 | svoutse.exe
- 432 | svoutse.exe
- 3128 | svoutse.exe
- 3128 | svoutse.exe
- 2912 | svoutse.exe
- 2912 | svoutse.exe
- 3984 | 295a9e1075.exe
- 3984 | 295a9e1075.exe
- 3984 | 295a9e1075.exe
- 3984 | 295a9e1075.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
- PID 3452 wrote to memory of 3528 | 3452 | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe | svoutse.exe
- PID 3452 wrote to memory of 3528 | 3452 | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe | svoutse.exe
- PID 3452 wrote to memory of 3528 | 3452 | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe | svoutse.exe
- PID 3528 wrote to memory of 3984 | 3528 | svoutse.exe | 295a9e1075.exe
- PID 3528 wrote to memory of 3984 | 3528 | svoutse.exe | 295a9e1075.exe
- PID 3528 wrote to memory of 3984 | 3528 | svoutse.exe | 295a9e1075.exe
Processes

Process: C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe"
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3452

Process: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3528

Process: C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe (tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe"
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID: 3984

Process: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (tree level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 432

Process: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (tree level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3128

Process: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (tree level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 2912
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.8MB
  MD5: 667ebda9be3da6ee8b9f1cc419d336ba
  SHA1: fb42333e24aac8e4d2989950cae402d7960f69b1
  SHA256: aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44
  SHA512: aa83123064683405ba88663dc56ca3011961fff14acb9de47130099ceb98a060f74ce5e3fb8e73425bc6755e51c8cb488381640f4aeed13aaff7fb117921753c
- Filesize: 1.7MB
  MD5: 149b45108edafd5aeb601284e95bd25a
  SHA1: 5931cbd8c8c54eb6b37ce65a883197484bb3c7bd
  SHA256: ba2e11ad994e6e1eacc5c1f73c069d76cd37e4e70edfa0335a40f203f0aa9aa4
  SHA512: e54dde5ed774c40c8af8ead30225110b78c0e069e4f57a2ee81db53fa54ed124ab107047ce9e5851511e6a8a9e551fe698e575f335e1f7d60f1d7c49e4dabcd8
- Filesize: 1.3MB
  MD5: 989f3827314b02ff50fb99669751e3f3
  SHA1: cbacdc6706b4e2bd385d656414f54f9c63324e02
  SHA256: be4ed50898d50f6624be400235c8ce49c2d7024d605bea8022a6d8f8b01a5681
  SHA512: 7e158a0a839252b9d16519bc2c4ac49fb91ba188d01fc783e9db327fcde2155d9ac35777766d64733aa7767dee86f79edbb85915dd6a97224852f3248e6d1740