Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-09-2024 02:13
Static task: static1
Behavioral task: behavioral1
  Sample: c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
  Resource: win7-20240903-en
General
Target: c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
Size: 1.8MB
MD5: d5fcf8cf3ca99a694ee9b8a97776e64a
SHA1: 07542ce45f902bdc773702e17621cc600d3df50b
SHA256: c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
SHA512: 90da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e
SSDEEP: 49152:Bjnly4R2PVRilKbs9cRs+Ams7U9N2hk1:BjljR2dol0sMfzKhk1
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php
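The two extracted configurations give a host and a URL path per family, which is enough to build a network detection. The script below is an added example, not tooling from the sandbox or from either malware family: it parses proxy log lines in a simplified Common Log Format (absolute URLs, as a forward proxy records them) and flags requests to the Amadey and Stealc C2 hosts, rating a hit "high" when both host and path match and "medium" when only the host does. The log format and every sample log line are constructed for illustration; only the hosts and URL paths come from the report.

```python
"""Match HTTP proxy log lines against the C2 indicators extracted from the
Amadey and Stealc configurations above.

Added example; not sandbox or malware-family tooling. The log format and
the sample lines are constructed; only hosts and paths are from the report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# C2 hosts and paths from the "Malware Config" section of the report.
C2_INDICATORS = {
    "amadey": {"host": "31.41.244.10", "paths": {"/Dem7kTu/index.php"}},
    "stealc": {"host": "185.215.113.103", "paths": {"/e2b1563c6670f193.php"}},
}

# Simplified CLF as a forward proxy writes it:
#   client ident user [timestamp] "METHOD absolute-URL HTTP/x.y" status size
_CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


@dataclass(frozen=True)
class Hit:
    client: str
    family: str
    host: str
    path: str
    method: str
    confidence: str  # "high": host and path match; "medium": host only


def classify_url(url: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (family, host, path, confidence) for a C2 URL, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    for family, ind in C2_INDICATORS.items():
        if host == ind["host"]:
            confidence = "high" if path in ind["paths"] else "medium"
            return family, host, path, confidence
    return None


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Parse each CLF line and collect those whose URL matches a C2 indicator.
    Lines that do not parse are skipped rather than raising, so one malformed
    record cannot abort a scan of a large log."""
    hits: List[Hit] = []
    for line in lines:
        m = _CLF.match(line.strip())
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict is None:
            continue
        family, host, path, confidence = verdict
        hits.append(Hit(m["client"], family, host, path, m["method"], confidence))
    return hits


# Constructed sample log (not from the report). Line 1 hits the Amadey host
# and path, line 2 the Amadey host only, line 3 the Stealc C2, line 4 is
# benign, line 5 is malformed and must be skipped.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2024:02:14:01 +0000] "POST http://31.41.244.10/Dem7kTu/index.php HTTP/1.1" 200 312',
    '10.0.0.5 - - [10/Sep/2024:02:14:07 +0000] "GET http://31.41.244.10/ HTTP/1.1" 200 44',
    '10.0.0.7 - - [10/Sep/2024:02:15:30 +0000] "POST http://185.215.113.103/e2b1563c6670f193.php HTTP/1.1" 200 88',
    '10.0.0.9 - - [10/Sep/2024:02:16:00 +0000] "GET http://example.com/index.php HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.family} ({hit.confidence}) {hit.method} {hit.host}{hit.path}")
```

Matching on the bare host keeps a "medium" signal for any later campaign that rotates the PHP path but keeps the server; matching host plus path is what justifies a "high" rating and an immediate isolation of the client.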
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  2336 | svoutse.exe
  772 | c31a627e9f.exe
  2812 | 759b53f3ac.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | svoutse.exe
Loads dropped DLL (4 IoCs)
Processes:
  pid | process
  3020 | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
  2336 | svoutse.exe (3 entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\c31a627e9f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\c31a627e9f.exe" | svoutse.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\759b53f3ac.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\759b53f3ac.exe" | svoutse.exe
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\1000036001\759b53f3ac.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid | process
  3020 | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
  2336 | svoutse.exe
Drops file in Windows directory (1 IoC)
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\svoutse.job | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c31a627e9f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 759b53f3ac.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  3020 | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
  2336 | svoutse.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid | process
  3020 | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
  2812 | 759b53f3ac.exe (all remaining entries; 64 IoCs in total)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  pid | process
  2812 | 759b53f3ac.exe (all 64 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 3020 wrote to memory of 2336 (4 entries) | 3020 | c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe | svoutse.exe
  PID 2336 wrote to memory of 772 (4 entries) | 2336 | svoutse.exe | c31a627e9f.exe
  PID 2336 wrote to memory of 2812 (4 entries) | 2336 | svoutse.exe | 759b53f3ac.exe
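The signatures above are individually weak (reading SystemBiosVersion or opening the NLS\Language key is common in legitimate software), but their combination in a single process is not: the sample and its dropped copy both probe for VirtualBox and Wine and then install an autorun. The script below is an added example, not the sandbox's own signature engine: it scores per-process registry and file events with rules derived from the keys listed in this section and raises the verdict to "high" only when one process shows both anti-VM probing and persistence. The event schema (pid, image, op, target, data) is constructed; the sample events reuse the registry keys, file paths and PIDs reported above, with \REGISTRY\MACHINE and \REGISTRY\USER normalised to HKLM and HKU so the same rules also fit EDR telemetry that already uses hive names.

```python
"""Score per-process registry and file events for the anti-analysis and
persistence behaviours the Signatures section lists.

Added example; not the sandbox's signature engine. The event schema is
constructed; sample events reuse the keys, paths and PIDs from the report."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# (rule name, category, event op, regex on the normalised target)
RULES: List[Tuple[str, str, str, str]] = [
    ("virtualbox_acpi", "anti-vm", "key_opened",
     r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__$"),
    ("bios_version", "anti-vm", "value_queried",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\(SYSTEM|VIDEO)BIOSVERSION$"),
    ("wine_key", "anti-vm", "key_opened",
     r"^HKU\\[^\\]+\\SOFTWARE\\WINE$"),
    ("run_key", "persistence", "value_set",
     r"^HKU\\[^\\]+\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\"),
    ("tasks_job", "persistence", "file_created",
     r"^C:\\WINDOWS\\TASKS\\[^\\]+\.JOB$"),
    ("nls_language", "discovery", "key_opened",
     r"^HKLM\\SYSTEM\\CONTROLSET\d+\\CONTROL\\NLS\\LANGUAGE$"),
]
_COMPILED = [(n, c, op, re.compile(rx)) for n, c, op, rx in RULES]


def normalise(target: str) -> str:
    """Upper-case the path and map the kernel-style hive prefixes the sandbox
    records onto HKLM / HKU, so one rule set covers both kinds of telemetry."""
    t = target.upper()
    t = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", t)
    t = re.sub(r"^\\REGISTRY\\USER", "HKU", t)
    return t


def match_event(ev: dict) -> List[Tuple[str, str]]:
    """Return [(rule_name, category)] for every rule the event satisfies."""
    target = normalise(ev["target"])
    found = []
    for name, category, op, rx in _COMPILED:
        if ev["op"] != op or not rx.match(target):
            continue
        found.append((name, category))
        # An autorun whose value points into a per-user Temp directory is the
        # pattern seen above (svoutse.exe registering c31a627e9f.exe).
        if name == "run_key" and "\\APPDATA\\LOCAL\\TEMP\\" in ev.get("data", "").upper():
            found.append(("run_key_from_temp", "persistence"))
    return found


def score_events(events: Iterable[dict]) -> Dict[int, dict]:
    """Aggregate findings per PID. Verdict: 'high' for anti-VM probing plus
    persistence in the same process, 'medium' for either alone, 'low'
    otherwise (discovery-only activity never raises the verdict)."""
    per_pid: Dict[int, dict] = defaultdict(
        lambda: {"image": None, "findings": set(), "categories": set()})
    for ev in events:
        entry = per_pid[ev["pid"]]
        entry["image"] = ev["image"]
        for name, category in match_event(ev):
            entry["findings"].add(name)
            entry["categories"].add(category)
    for entry in per_pid.values():
        cats = entry["categories"]
        if {"anti-vm", "persistence"} <= cats:
            entry["verdict"] = "high"
        elif "anti-vm" in cats or "persistence" in cats:
            entry["verdict"] = "medium"
        else:
            entry["verdict"] = "low"
    return dict(per_pid)


# Sample events built from the IoCs in the report (schema is constructed).
SAMPLE = "c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe"
HKU_SID = "\\REGISTRY\\USER\\S-1-5-21-2872745919-2748461613-2989606286-1000"
SAMPLE_EVENTS = [
    {"pid": 3020, "image": SAMPLE, "op": "key_opened",
     "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 3020, "image": SAMPLE, "op": "value_queried",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 3020, "image": SAMPLE, "op": "file_created",
     "target": r"C:\Windows\Tasks\svoutse.job"},
    {"pid": 2336, "image": "svoutse.exe", "op": "key_opened",
     "target": HKU_SID + r"\Software\Wine"},
    {"pid": 2336, "image": "svoutse.exe", "op": "value_set",
     "target": HKU_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\c31a627e9f.exe",
     "data": r"C:\Users\Admin\AppData\Local\Temp\1000030001\c31a627e9f.exe"},
    {"pid": 772, "image": "c31a627e9f.exe", "op": "key_opened",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

if __name__ == "__main__":
    for pid, entry in score_events(SAMPLE_EVENTS).items():
        print(pid, entry["image"], entry["verdict"], sorted(entry["findings"]))
```

The two persistence rules are deliberately narrow (a Run value and a C:\Windows\Tasks\*.job file) because those are the exact artifacts this sample left; widening them to all Run values would flag installers, so the correlation with the anti-VM rules is what carries the verdict.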
Processes
C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe (level 1, PID 3020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (level 2, PID 2336)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1000030001\c31a627e9f.exe (level 3, PID 772)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\c31a627e9f.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\1000036001\759b53f3ac.exe (level 3, PID 2812)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\759b53f3ac.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 896KB
  MD5: 38f98be80e6670f46efc8544d762cfd4
  SHA1: fcad2e65d0977f0ab297049d5c9c32450b230d2a
  SHA256: fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
  SHA512: 60a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf
Filesize: 64KB
  MD5: 89de2271395cf03d243a477da4278b01
  SHA1: da2b50fd12429b35a00f791811610684dfaa466b
  SHA256: 37a89d7f97064569f9fb537ac04b66bbb9ec4e959711c4f3c5837b78b492cafa
  SHA512: baeacb60248ef4d85acc25a284a237964f43433e5a59bbbfc4aef449bc5b71830bc3cf5d77d374d2a3b85afb8833e4a83f139a396ac111e9009285bea5ffb77a
Filesize: 1.8MB (same hashes as the submitted sample)
  MD5: d5fcf8cf3ca99a694ee9b8a97776e64a
  SHA1: 07542ce45f902bdc773702e17621cc600d3df50b
  SHA256: c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
  SHA512: 90da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e
Filesize: 389KB
  MD5: f47cc7dc355ae01926f6065316c3bd68
  SHA1: 6b575930185f216e4fa5116fdcc8906eb9f53af9
  SHA256: 25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
  SHA512: cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e