Analysis
- max time kernel: 1s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10-09-2024 12:03
Static task: static1
Behavioral task: behavioral1
Sample: 7583f2c05935728d457b529dafe57880N.exe
Resource: win7-20240903-en
General
- Target: 7583f2c05935728d457b529dafe57880N.exe
- Size: 1.8MB
- MD5: 7583f2c05935728d457b529dafe57880
- SHA1: f8a2e4364c2b39b8d4b5c6d9bbe6af26b269cae1
- SHA256: aa59cc30f588ae4fa87e9431daa1d522624672bb2b900bbeac36ecb7a8388bbc
- SHA512: ddcfde847c7cd88087e155f4bb229870344db0f27aedfbc38edcf3d8637fbf94d8e934ff036193bd510bb0567a4ceba6ba80317c4ecd08ca9728178e6a5c3da5
- SSDEEP: 49152:MF4N7TzxpGia1JnSJ9IfXsURQrL0uq8twjnkoDvpx:MEzxQZCIfsU2L0uBtUkIvv
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: c7817d
- C2: http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 2 IoCs
Processes: svoutse.exe, 7583f2c05935728d457b529dafe57880N.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7583f2c05935728d457b529dafe57880N.exe

Downloads MZ/PE file

Checks BIOS information in registry - 2 TTPs, 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 7583f2c05935728d457b529dafe57880N.exe, svoutse.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7583f2c05935728d457b529dafe57880N.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7583f2c05935728d457b529dafe57880N.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe

Executes dropped EXE - 1 IoC
Processes: svoutse.exe
pid | process
2744 | svoutse.exe

Identifies Wine through registry keys - 2 TTPs, 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 7583f2c05935728d457b529dafe57880N.exe, svoutse.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | 7583f2c05935728d457b529dafe57880N.exe
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | svoutse.exe

Loads dropped DLL - 1 IoC
Processes: 7583f2c05935728d457b529dafe57880N.exe
pid | process
2024 | 7583f2c05935728d457b529dafe57880N.exe

Suspicious use of NtSetInformationThreadHideFromDebugger - 2 IoCs
Processes: 7583f2c05935728d457b529dafe57880N.exe, svoutse.exe
pid | process
2024 | 7583f2c05935728d457b529dafe57880N.exe
2744 | svoutse.exe

Drops file in Windows directory - 1 IoC
Processes: 7583f2c05935728d457b529dafe57880N.exe
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | 7583f2c05935728d457b529dafe57880N.exe

Enumerates physical storage devices - 1 TTP
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery - 1 TTP, 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 7583f2c05935728d457b529dafe57880N.exe, svoutse.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7583f2c05935728d457b529dafe57880N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe

Suspicious behavior: EnumeratesProcesses - 2 IoCs
Processes: 7583f2c05935728d457b529dafe57880N.exe, svoutse.exe
pid | process
2024 | 7583f2c05935728d457b529dafe57880N.exe
2744 | svoutse.exe

Suspicious use of FindShellTrayWindow - 1 IoC
Processes: 7583f2c05935728d457b529dafe57880N.exe
pid | process
2024 | 7583f2c05935728d457b529dafe57880N.exe

Suspicious use of WriteProcessMemory - 4 IoCs
Processes: 7583f2c05935728d457b529dafe57880N.exe
description | pid | process | target process
PID 2024 wrote to memory of 2744 | 2024 | 7583f2c05935728d457b529dafe57880N.exe | svoutse.exe
PID 2024 wrote to memory of 2744 | 2024 | 7583f2c05935728d457b529dafe57880N.exe | svoutse.exe
PID 2024 wrote to memory of 2744 | 2024 | 7583f2c05935728d457b529dafe57880N.exe | svoutse.exe
PID 2024 wrote to memory of 2744 | 2024 | 7583f2c05935728d457b529dafe57880N.exe | svoutse.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe (PID 2024, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 2744, depth 2, child of PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.8MB
- MD5: 7583f2c05935728d457b529dafe57880
- SHA1: f8a2e4364c2b39b8d4b5c6d9bbe6af26b269cae1
- SHA256: aa59cc30f588ae4fa87e9431daa1d522624672bb2b900bbeac36ecb7a8388bbc
- SHA512: ddcfde847c7cd88087e155f4bb229870344db0f27aedfbc38edcf3d8637fbf94d8e934ff036193bd510bb0567a4ceba6ba80317c4ecd08ca9728178e6a5c3da5