Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
10-09-2024 07:00
Static task
static1
Behavioral task
behavioral1
Sample
454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
Resource
win7-20240903-en
General
-
Target
454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
-
Size
1.8MB
-
MD5
82ddd34be23d13d4fe950d51df9f1a9a
-
SHA1
5518b021fa41c05fd6031ff377331c718c458ae3
-
SHA256
454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b
-
SHA512
29d277a18ce99b8a80a1cfb9ea880c7d3c30a399fdd0c9af6249435231c26d85f5b7160154d2033539b68a601bc302463a9ce659504eda76c6371f97710608a1
-
SSDEEP
49152:WX+klqZySQ0gltPWH21lgbBteJWvd/zDcl2d+jE6d:ClqYkgltg21l4OJWl/zDq2dbE
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe, svoutse.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svoutse.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe, svoutse.exe
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svoutse.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  svoutse.exe
-
Executes dropped EXE 4 IoCs
Processes: svoutse.exe, 1375b4cd3f.exe, b6125cf398.exe, 6ce1ebb464.exe
pid  process
2924  svoutse.exe
2288  1375b4cd3f.exe
652  b6125cf398.exe
1572  6ce1ebb464.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe, svoutse.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
Key opened  \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine  svoutse.exe
-
Loads dropped DLL 6 IoCs
Processes: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe, svoutse.exe
pid  process
1848  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
2924  svoutse.exe
2924  svoutse.exe
2924  svoutse.exe
2924  svoutse.exe
2924  svoutse.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: svoutse.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\6ce1ebb464.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\6ce1ebb464.exe"  svoutse.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\b6125cf398.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\b6125cf398.exe"  svoutse.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\1000036001\6ce1ebb464.exe  autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe, svoutse.exe
pid  process
1848  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
2924  svoutse.exe
-
Drops file in Windows directory 1 IoCs
Processes: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
description  ioc  process
File created  C:\Windows\Tasks\svoutse.job  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: b6125cf398.exe, 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe, svoutse.exe, 1375b4cd3f.exe, 6ce1ebb464.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b6125cf398.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svoutse.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1375b4cd3f.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6ce1ebb464.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe, svoutse.exe
pid  process
1848  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
2924  svoutse.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe, 6ce1ebb464.exe
pid  process
1848  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
1572  6ce1ebb464.exe  (this row is repeated 63 times in the report)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: 6ce1ebb464.exe
pid  process
1572  6ce1ebb464.exe  (this row is repeated 64 times in the report)
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe, svoutse.exe
description  pid  process  target process
PID 1848 wrote to memory of 2924  1848  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe  svoutse.exe
PID 1848 wrote to memory of 2924  1848  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe  svoutse.exe
PID 1848 wrote to memory of 2924  1848  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe  svoutse.exe
PID 1848 wrote to memory of 2924  1848  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe  svoutse.exe
PID 2924 wrote to memory of 2288  2924  svoutse.exe  1375b4cd3f.exe
PID 2924 wrote to memory of 2288  2924  svoutse.exe  1375b4cd3f.exe
PID 2924 wrote to memory of 2288  2924  svoutse.exe  1375b4cd3f.exe
PID 2924 wrote to memory of 2288  2924  svoutse.exe  1375b4cd3f.exe
PID 2924 wrote to memory of 652  2924  svoutse.exe  b6125cf398.exe
PID 2924 wrote to memory of 652  2924  svoutse.exe  b6125cf398.exe
PID 2924 wrote to memory of 652  2924  svoutse.exe  b6125cf398.exe
PID 2924 wrote to memory of 652  2924  svoutse.exe  b6125cf398.exe
PID 2924 wrote to memory of 1572  2924  svoutse.exe  6ce1ebb464.exe
PID 2924 wrote to memory of 1572  2924  svoutse.exe  6ce1ebb464.exe
PID 2924 wrote to memory of 1572  2924  svoutse.exe  6ce1ebb464.exe
PID 2924 wrote to memory of 1572  2924  svoutse.exe  6ce1ebb464.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   PID: 1848
   2. C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2924
      3. C:\Users\Admin\AppData\Roaming\1000026000\1375b4cd3f.exe
         Command line: "C:\Users\Admin\AppData\Roaming\1000026000\1375b4cd3f.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         PID: 2288
      3. C:\Users\Admin\AppData\Local\Temp\1000030001\b6125cf398.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\b6125cf398.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         PID: 652
      3. C:\Users\Admin\AppData\Local\Temp\1000036001\6ce1ebb464.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\6ce1ebb464.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         PID: 1572
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  1.8MB
MD5  82ddd34be23d13d4fe950d51df9f1a9a
SHA1  5518b021fa41c05fd6031ff377331c718c458ae3
SHA256  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b
SHA512  29d277a18ce99b8a80a1cfb9ea880c7d3c30a399fdd0c9af6249435231c26d85f5b7160154d2033539b68a601bc302463a9ce659504eda76c6371f97710608a1
-
Filesize  896KB
MD5  38f98be80e6670f46efc8544d762cfd4
SHA1  fcad2e65d0977f0ab297049d5c9c32450b230d2a
SHA256  fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
SHA512  60a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf
-
Filesize  389KB
MD5  f47cc7dc355ae01926f6065316c3bd68
SHA1  6b575930185f216e4fa5116fdcc8906eb9f53af9
SHA256  25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512  cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e