Malware Analysis Report

2024-10-19 09:07

Sample ID 240912-m4gyfasfrm
Target a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01
SHA256 a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01
Tags
amadey stealc c7817d rave discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01

Threat Level: Known bad

The file a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave discovery evasion persistence stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-12 11:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-12 11:00

Reported

2024-09-12 11:03

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\059b36f1fb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\059b36f1fb.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2004 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2004 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4636 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe
PID 4636 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe
PID 4636 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe
PID 4636 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe
PID 4636 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe
PID 4636 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe

"C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe

"C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
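The rows above are the raw material an analyst actually works from, but the flattened "Description Indicator Process Target" and "Country Destination Domain Proto" layout repeats events and hides the process lineage. The script below is an added example (not the sandbox's own tooling): it parses exactly the row shapes visible in this report, collapses duplicates, rebuilds the parent-to-child process tree from the WriteProcessMemory rows, and separates the real C2 endpoints from the in-addr.arpa rows, which are the sandbox's reverse lookups of those same addresses rather than resolution of attacker domains. The sample rows are copied from the behavioral1 tables; the function names, regexes and the ATT&CK technique mapping in REG_TECHNIQUES are the editor's, since the report's own matrix is not reproduced on this page.

```python
"""
Triage helper for the flattened signature and network rows in this report.
Added example, not the sandbox's code: parses the row shapes shown above and
reduces them to de-duplicated IOC sets plus a process tree. ATT&CK IDs are the
editor's mapping (T1497.001 sandbox checks, T1547.001 Run key, T1053.005
scheduled task, T1614/T1614.001 location and language discovery).
"""
import re
from collections import defaultdict

# Rows copied from the behavioral1 tables (constructed sample input; the
# duplicate WriteProcessMemory and C2 rows are kept to show de-duplication).
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\059b36f1fb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\059b36f1fb.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
PID 2004 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2004 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4636 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe
PID 4636 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
"""

# Row shapes as rendered in this report. Process paths contain no spaces, so
# the indicator (which may, e.g. "Control Panel") is matched non-greedily.
RE_REG = re.compile(r'^(Key opened|Key value queried) (.+?) (C:\\\S+) N/A$')
RE_SET = re.compile(r'^Set value \(str\) (.+?) = "(.+?)" (C:\\\S+) N/A$')
RE_FILE = re.compile(r'^File created (C:\\\S+) (C:\\\S+) N/A$')
RE_WPM = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (C:\\\S+) (C:\\\S+)$')
RE_NET = re.compile(r'^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$')

# Registry paths the evasion/discovery signatures fire on (matched by suffix),
# with the technique the editor maps each one to.
REG_TECHNIQUES = {
    r"\HARDWARE\ACPI\DSDT\VBOX__": ("T1497.001", "VirtualBox ACPI table present"),
    r"\Software\Wine": ("T1497.001", "Wine registry key present"),
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion": ("T1497.001", "system BIOS version string"),
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion": ("T1497.001", "video BIOS version string"),
    r"\Control Panel\International\Geo\Nation": ("T1614", "GeoID / country setting"),
    r"\Control\NLS\Language": ("T1614.001", "installed system language"),
}


def ptr_to_ip(name: str) -> str:
    """'10.244.41.31.in-addr.arpa' -> '31.41.244.10' (PTR labels are reversed octets)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(rows: str) -> dict:
    """Reduce report rows to IOC sets and a process tree (PIDs as ints)."""
    tree = defaultdict(set)   # parent pid -> {(child pid, child image)}
    images = {}               # pid -> image path
    evasion, persistence, c2, ptr_lookups = set(), set(), set(), set()
    for line in (raw.strip() for raw in rows.splitlines()):
        if not line:
            continue
        if m := RE_WPM.match(line):
            parent, child, src, dst = m.groups()
            images[int(parent)], images[int(child)] = src, dst
            tree[int(parent)].add((int(child), dst))
        elif m := RE_SET.match(line):
            key, value, proc = m.groups()
            if "\\currentversion\\run\\" in key.lower():
                # The report renders REG_SZ data with doubled backslashes; undo that.
                persistence.add(("T1547.001", "Run key", value.replace("\\\\", "\\"), proc))
        elif m := RE_FILE.match(line):
            path, proc = m.groups()
            if path.lower().startswith("c:\\windows\\tasks\\") and path.lower().endswith(".job"):
                persistence.add(("T1053.005", ".job file", path, proc))
        elif m := RE_REG.match(line):
            _, key, proc = m.groups()
            for suffix, (tid, label) in REG_TECHNIQUES.items():
                if key.lower().endswith(suffix.lower()):
                    evasion.add((tid, label, proc))
        elif m := RE_NET.match(line):
            _, ip, port, name, proto = m.groups()
            if name.endswith(".in-addr.arpa"):
                ptr_lookups.add(ptr_to_ip(name))   # reverse lookup, not a C2 domain
            elif proto == "tcp":
                c2.add(f"{ip}:{port}")
    return {"tree": dict(tree), "images": images, "evasion": evasion,
            "persistence": persistence, "c2": c2, "ptr_lookups": ptr_lookups}


def render_tree(summary: dict) -> list:
    """Indented 'pid image' lines, roots first (a root is never anyone's child)."""
    tree, images = summary["tree"], summary["images"]
    children = {c for kids in tree.values() for c, _ in kids}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child, _ in sorted(tree.get(pid, ())):
            walk(child, depth + 1)

    for root in sorted(p for p in tree if p not in children):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    s = triage(SAMPLE_ROWS)
    print("\n".join(render_tree(s)))
    for bucket in ("persistence", "evasion", "c2", "ptr_lookups"):
        for item in sorted(s[bucket]):
            print(bucket, item)
```

Two things the summary makes visible that the tables do not: the three 80/tcp endpoints (31.41.244.10, 31.41.244.11, 185.215.113.103) are the only outbound connections, and every in-addr.arpa row is a PTR query the sandbox host issued for an address it had just talked to. Note also, from the Files section below, that the dropped svoutse.exe carries the submitted sample's SHA256, so the Temp copy is the loader itself rather than a second payload; only 4e57743850.exe is a distinct binary.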

Files

memory/2004-0-0x00000000003D0000-0x0000000000887000-memory.dmp

memory/2004-1-0x00000000779E4000-0x00000000779E6000-memory.dmp

memory/2004-3-0x00000000003D0000-0x0000000000887000-memory.dmp

memory/2004-2-0x00000000003D1000-0x00000000003FF000-memory.dmp

memory/2004-4-0x00000000003D0000-0x0000000000887000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 f4768745a62490b6578c10126b6c2005
SHA1 d8b03b88c1eda8341c4e2cda45665a8ed93b7fe3
SHA256 a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01
SHA512 f92c634558f70087d996ed0f7717fe0078a9fec49728c77a8d0217ab361f9d68a1a0d5b20d5dcc035e540e4ccb939d49b395e18cd725d43ccf4432b6b18d37af

memory/4636-17-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/2004-16-0x00000000003D0000-0x0000000000887000-memory.dmp

memory/4636-19-0x0000000000A21000-0x0000000000A4F000-memory.dmp

memory/4636-20-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-21-0x0000000000A20000-0x0000000000ED7000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe

MD5 3a4b0ee4eaddda570dcd10b484bdc5ea
SHA1 86c58f079cecd74b000ebdefecd9e7b7b19c59c5
SHA256 299c378868c76048c26d0e279655c08305f0ce42e5582fe5005aae776d525a1b
SHA512 b16bb932ab542846303a961e2f0821059062ea6359d0db247ebedc071fa01220e2c141a58186c488b3abd5fad858a3df126ab3025f742572f0090dc1590cad17

memory/1384-37-0x0000000000F60000-0x00000000015E9000-memory.dmp

memory/1384-39-0x0000000000F60000-0x00000000015E9000-memory.dmp

memory/1384-38-0x0000000000F61000-0x0000000000F75000-memory.dmp

memory/4636-54-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/732-55-0x0000000000A40000-0x00000000010C9000-memory.dmp

memory/1384-58-0x0000000000F60000-0x00000000015E9000-memory.dmp

memory/4636-59-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/732-60-0x0000000000A40000-0x00000000010C9000-memory.dmp

memory/4636-61-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-62-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-63-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-64-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-65-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-66-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/3540-68-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-69-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-70-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-71-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-72-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-73-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-74-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/1216-76-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-77-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-78-0x0000000000A20000-0x0000000000ED7000-memory.dmp

memory/4636-79-0x0000000000A20000-0x0000000000ED7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-12 11:00

Reported

2024-09-12 11:03

Platform

win11-20240802-en

Max time kernel

142s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\059b36f1fb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\059b36f1fb.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 784 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 784 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 784 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3588 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe
PID 3588 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe
PID 3588 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe
PID 3588 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe
PID 3588 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe
PID 3588 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe
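Both detonations leave the same three host artefacts regardless of PID or platform: a Run value whose data points at an .exe inside a short random-named folder under the user's AppData, a legacy .job file written to C:\Windows\Tasks by an executable running from the user's Temp folder, and a Temp-resident executable spawning further executables out of such folders. The hunting logic below is an added example (not the sandbox's signature code and not a published vendor rule): it runs over constructed Sysmon-style events using Sysmon's own field names (EventID 1 process create, 11 file create, 13 registry value set; Image, ParentImage, TargetObject, Details, TargetFilename), accepts both the \REGISTRY\USER and HKU hive spellings so the same rule works on sandbox output and on endpoint telemetry, and includes two benign control events. The folder-name patterns (10 hex characters such as 0e8d0864aa, 10 digits such as 1000030001) are inferred from the paths on this page and are an assumption about this sample, not a family-wide signature; the rule names and severities are the editor's.

```python
"""
Host-side hunting logic for the persistence and staging pattern shown in both
detonations. Added example, not sandbox or vendor code; runs over constructed
Sysmon-style events. The folder-name shape is assumed from this sample's paths.
"""
import re

# Second-stage folder as seen on this page: %TEMP%\0e8d0864aa\, %APPDATA%\1000026000\,
# %TEMP%\1000030001\. A bare "Run value points into AppData" rule fires on plenty
# of legitimate per-user installers; the short random folder is what makes this specific.
STAGING_EXE = re.compile(
    r"\\AppData\\(?:Local\\Temp|Roaming)\\(?:[0-9a-f]{10}|\d{10})\\[^\\]+\.exe$",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
JOB_FILE = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.IGNORECASE)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def normalize_reg(path: str) -> str:
    r"""Fold the hive spellings used by sandboxes (\REGISTRY\USER\...) and by
    Sysmon (HKU\...) onto one form so a single rule works on either source."""
    for pattern, hive in (
        (r"^\\REGISTRY\\USER\\", "HKU\\"),
        (r"^\\REGISTRY\\MACHINE\\", "HKLM\\"),
        (r"^HKEY_USERS\\", "HKU\\"),
        (r"^HKEY_LOCAL_MACHINE\\", "HKLM\\"),
    ):
        path = re.sub(pattern, lambda _m, h=hive: h, path, flags=re.IGNORECASE)
    return path


def hunt(events: list) -> list:
    """Return (rule, severity, subject, object) findings in event order."""
    findings = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 13 and RUN_KEY.search(normalize_reg(ev.get("TargetObject", ""))):
            # Sysmon gives the raw REG_SZ; sandbox output quotes it and doubles
            # the backslashes. Accept both before matching the folder shape.
            target = ev.get("Details", "").strip('"').replace("\\\\", "\\")
            if STAGING_EXE.search(target):
                findings.append(("run_key_to_staging_dir", "high", image, target))
        elif eid == 11 and JOB_FILE.match(ev.get("TargetFilename", "")):
            # Task Scheduler 1.0 .job files are uncommon on current Windows builds;
            # a writer living in the user's Temp folder (as here) raises severity.
            sev = "high" if USER_TEMP.match(image) else "medium"
            findings.append(("job_file_created", sev, image, ev["TargetFilename"]))
        elif eid == 1 and STAGING_EXE.search(image) and STAGING_EXE.search(ev.get("ParentImage", "")):
            findings.append(("staging_dir_spawns_staging_dir", "medium", ev["ParentImage"], image))
    return findings


# Constructed from the paths in the tables above, plus two benign control events.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3588,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe"},
    {"EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe",
     "TargetFilename": r"C:\Windows\Tasks\svoutse.job"},
    {"EventID": 1, "ProcessId": 1484,
     "Image": r"C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"},
    # Run value as Sysmon reports it (HKU hive, raw REG_SZ data).
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe",
     "TargetObject": r"HKU\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\059b36f1fb.exe",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe"},
    # The same write as this report renders it (\REGISTRY\USER hive, quoted, doubled backslashes).
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\059b36f1fb.exe",
     "Details": r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\059b36f1fb.exe"'},
    # Benign controls (constructed): a vendor updater under Program Files, and the
    # Task Scheduler service touching its own SA.DAT in the Tasks folder.
    {"EventID": 13, "Image": r"C:\Program Files\ExampleVendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\ExampleVendor\updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Tasks\SA.DAT"},
]


if __name__ == "__main__":
    for rule, sev, subject, obj in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {subject} -> {obj}")
```

The Run-key rule deliberately keys on the folder shape rather than on the file names 059b36f1fb.exe or svoutse.exe, which change per build; the .job rule is worth keeping even at medium severity, because Task Scheduler 1.0 job files are rare enough on Windows 10 and 11 hosts that each one deserves a look at who wrote it.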

Processes

C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe

"C:\Users\Admin\AppData\Local\Temp\a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe

"C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\059b36f1fb.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp

Files

memory/784-0-0x0000000000A60000-0x0000000000F17000-memory.dmp

memory/784-1-0x0000000077EB6000-0x0000000077EB8000-memory.dmp

memory/784-2-0x0000000000A61000-0x0000000000A8F000-memory.dmp

memory/784-3-0x0000000000A60000-0x0000000000F17000-memory.dmp

memory/784-5-0x0000000000A60000-0x0000000000F17000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 f4768745a62490b6578c10126b6c2005
SHA1 d8b03b88c1eda8341c4e2cda45665a8ed93b7fe3
SHA256 a417d715306c23502aeaa679833d5225f0614b2df99008dd38a3ca436bdd7c01
SHA512 f92c634558f70087d996ed0f7717fe0078a9fec49728c77a8d0217ab361f9d68a1a0d5b20d5dcc035e540e4ccb939d49b395e18cd725d43ccf4432b6b18d37af

memory/784-17-0x0000000000A60000-0x0000000000F17000-memory.dmp

memory/3588-18-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-20-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-19-0x0000000000431000-0x000000000045F000-memory.dmp

memory/3588-21-0x0000000000430000-0x00000000008E7000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\4e57743850.exe

MD5 3a4b0ee4eaddda570dcd10b484bdc5ea
SHA1 86c58f079cecd74b000ebdefecd9e7b7b19c59c5
SHA256 299c378868c76048c26d0e279655c08305f0ce42e5582fe5005aae776d525a1b
SHA512 b16bb932ab542846303a961e2f0821059062ea6359d0db247ebedc071fa01220e2c141a58186c488b3abd5fad858a3df126ab3025f742572f0090dc1590cad17

memory/1484-37-0x0000000000840000-0x0000000000EC9000-memory.dmp

memory/1484-46-0x0000000005450000-0x0000000005451000-memory.dmp

memory/1484-47-0x0000000000841000-0x0000000000855000-memory.dmp

memory/4436-55-0x0000000000800000-0x0000000000E89000-memory.dmp

memory/1484-57-0x0000000000840000-0x0000000000EC9000-memory.dmp

memory/4436-59-0x0000000000800000-0x0000000000E89000-memory.dmp

memory/3588-60-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-61-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-62-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-63-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-64-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-65-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-66-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/1332-68-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/1332-70-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-71-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-72-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-73-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-74-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-75-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-76-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/2424-78-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-79-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-80-0x0000000000430000-0x00000000008E7000-memory.dmp

memory/3588-81-0x0000000000430000-0x00000000008E7000-memory.dmp