Malware Analysis Report

2024-10-19 09:07

Sample ID 240912-pe99ssvbqj
Target 104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98
SHA256 104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98
Tags
amadey stealc c7817d rave discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98

Threat Level: Known bad

The file 104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-09-12 12:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-12 12:15

Reported

2024-09-12 12:18

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\595b2ff33a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\595b2ff33a.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1400 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1400 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1400 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4004 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe
PID 4004 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe
PID 4004 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe
PID 4004 wrote to memory of 3456 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe
PID 4004 wrote to memory of 3456 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe
PID 4004 wrote to memory of 3456 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe
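
The signature tables above are flat "Description Indicator Process Target" rows, which is awkward to pivot on once several process instances share a name and one Indicator (the Geo\Nation path, the quoted Run-key value) contains spaces. The Python below is an added example, not part of the sandbox output or of the Amadey/Stealc samples: it parses rows in exactly that layout, buckets each process's registry and file activity into the evasion/discovery/persistence categories the signatures assign, and recovers the injection chain from the WriteProcessMemory rows. The rows embedded in ROWS are copied from the behavioral1 tables above; the category labels, the function names and the assumption that the Process and Target columns never contain spaces are mine.

```python
"""Parse flattened sandbox signature rows and summarise them per process.

Added example.  Rows look like 'Description Indicator Process Target' with the
columns run together.  Indicator may contain spaces (Control Panel paths, a
quoted Run-key value), but in this report Process and Target never do, so the
columns are peeled off from the right instead of being split on whitespace.
"""
import re
from collections import Counter, defaultdict

# A subset of rows copied verbatim from the behavioral1 signature tables.
ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A",
    r"Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\595b2ff33a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\595b2ff33a.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A',
    r"File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe N/A",
    r"PID 1400 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe",
    r"PID 4004 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe",
    r"PID 4004 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe",
]

# Description values that occur in this report, and the one row shape that
# carries PIDs instead of a registry/file indicator.
DESCRIPTIONS = ("Key value queried", "Set value (str)", "Key opened", "File created")
INJECT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

# Indicator pattern -> behaviour the page's signatures attribute to it.  The
# labels are mine; registry paths are case-insensitive, hence re.I below.
CATEGORIES = (
    ("anti-vm (VirtualBox ACPI table)", r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$"),
    ("anti-vm (BIOS version)", r"\\System\\(System|Video)BiosVersion$"),
    ("anti-wine", r"\\Software\\Wine$"),
    ("discovery (geo)", r"\\Control Panel\\International\\Geo\\Nation$"),
    ("discovery (language)", r"\\Control\\NLS\\Language$"),
    ("persistence (Run key)", r"\\CurrentVersion\\Run\\"),
    ("persistence (Tasks .job)", r"^C:\\Windows\\Tasks\\[^\\]+\.job$"),
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_row(row):
    """Return description/indicator/process/target, plus src_pid/dst_pid for injections."""
    m = INJECT_RE.match(row)
    if m:
        src, dst, indicator, process, target = m.groups()
        return {"description": f"PID {src} wrote to memory of {dst}", "indicator": indicator,
                "process": process, "target": target, "src_pid": int(src), "dst_pid": int(dst)}
    for desc in DESCRIPTIONS:
        if row.startswith(desc + " "):
            rest, target = row[len(desc) + 1:].rsplit(" ", 1)   # Target never has spaces
            indicator, process = rest.rsplit(" ", 1)            # Process never has spaces
            return {"description": desc, "indicator": indicator, "process": process, "target": target}
    raise ValueError(f"unrecognised row: {row!r}")


def categorise(rec):
    if "src_pid" in rec:
        return "injection (WriteProcessMemory)"
    for label, pattern in CATEGORIES:
        if re.search(pattern, rec["indicator"], re.I):
            return label
    return "other"


def behaviours_by_process(rows):
    """{process basename: Counter(category -> hits)}; repeated rows are counted, not dropped."""
    per = defaultdict(Counter)
    for rec in map(parse_row, rows):
        per[basename(rec["process"])][categorise(rec)] += 1
    return per


def injection_chain(rows):
    """Ordered, de-duplicated (writer, written-into) hops from the WriteProcessMemory rows."""
    chain = []
    for rec in map(parse_row, rows):
        if "src_pid" in rec:
            hop = (basename(rec["process"]), basename(rec["target"]))
            if hop not in chain:
                chain.append(hop)
    return chain


def persistence_artifacts(rows):
    """Indicators to check on a suspected host: Run values and .job files, in report order."""
    return [rec["indicator"] for rec in map(parse_row, rows)
            if categorise(rec).startswith("persistence")]


if __name__ == "__main__":
    for proc, counts in behaviours_by_process(ROWS).items():
        print(f"{proc}: {dict(counts)}")
    for src, dst in injection_chain(ROWS):
        print(f"injects: {src} -> {dst}")
    for artifact in persistence_artifacts(ROWS):
        print(f"persistence: {artifact}")
```

Counting rather than de-duplicating matters here: the report emits one svoutse.exe row per running instance, so the hit count doubles as a crude instance count. On a suspected host the two persistence_artifacts entries are the first things to look for: the per-user Run value pointing into %TEMP%\1000030001\ and the svoutse.job file in C:\Windows\Tasks.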

Processes

C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe

"C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe

"C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\595b2ff33a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
RU | 31.41.244.10:80 | 31.41.244.10 | tcp
US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp
RU | 31.41.244.11:80 | 31.41.244.11 | tcp
US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 31.41.244.10:80 | 31.41.244.10 | tcp
RU | 185.215.113.103:80 | 185.215.113.103 | tcp
US | 8.8.8.8:53 | 103.113.215.185.in-addr.arpa | udp
RU | 185.215.113.103:80 | 185.215.113.103 | tcp
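
The Network table mixes the resolver's PTR lookups with the sample's actual connections, and in-addr.arpa names list the octets in reverse, so working out by eye which lookups belong to which connection is error-prone. The Python below is an added example, not part of the sandbox output: it parses rows in the "Country Destination Domain Proto" layout used above (the embedded rows are copied from the behavioral1 table) and separates direct connections from reverse lookups that do and do not correspond to one of them. The function names and the decision to treat every UDP/53 row as resolver traffic are my assumptions.

```python
"""Shortlist command-and-control candidates from flattened sandbox Network rows.

Added example, not part of the sandbox output.  The Domain column holds either
the bare destination IP (a direct connection) or the reverse-DNS name that was
looked up; in-addr.arpa names carry the octets reversed, which is the detail a
quick grep gets wrong when correlating the two.
"""
import ipaddress

# Copied from the behavioral1 Network table: 'Country Destination Domain Proto'.
ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
"""


def ptr_to_ip(name):
    """'10.244.41.31.in-addr.arpa' -> '31.41.244.10'; None if not a valid IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:   # e.g. an octet above 255
        return None


def parse_rows(text):
    recs = []
    for line in text.splitlines():
        country, dest, name, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        recs.append({"country": country, "ip": ip, "port": int(port), "name": name, "proto": proto})
    return recs


def _ip_key(ip):
    return ipaddress.ip_address(ip)


def triage(text):
    """Direct connections, plus the reverse lookups that do / do not match one of them.

    A lookup with no matching connection is, as far as this table can tell,
    background traffic and goes to the bottom of the pile."""
    connections, looked_up = {}, set()
    for r in parse_rows(text):
        if r["proto"] == "udp" and r["port"] == 53:   # assumed: resolver traffic, not C2
            ip = ptr_to_ip(r["name"])
            if ip:
                looked_up.add(ip)
            continue
        connections[(r["ip"], r["port"])] = r["country"]   # duplicates collapse here
    direct_ips = {ip for ip, _ in connections}
    ordered = sorted(connections, key=lambda k: (_ip_key(k[0]), k[1]))
    return {
        "connections": [(f"{ip}:{port}", connections[(ip, port)]) for ip, port in ordered],
        "ptr_matching_connection": sorted(looked_up & direct_ips, key=_ip_key),
        "ptr_without_connection": sorted(looked_up - direct_ips, key=_ip_key),
    }


if __name__ == "__main__":
    for key, value in triage(ROWS).items():
        print(f"{key}: {value}")
```

Run against the rows above this shortlists 31.41.244.10:80, 31.41.244.11:80 and 185.215.113.103:80 (all plain HTTP, all tagged RU in the table) and shows that eleven of the PTR lookups, 8.8.8.8 itself included, have no matching connection in this run. The table does not attribute traffic to a process, so a matching lookup corroborates a destination but does not prove the sample issued the query.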

Files

memory/1400-0-0x0000000000AD0000-0x0000000000F91000-memory.dmp

memory/1400-1-0x0000000077764000-0x0000000077766000-memory.dmp

memory/1400-2-0x0000000000AD1000-0x0000000000AFF000-memory.dmp

memory/1400-3-0x0000000000AD0000-0x0000000000F91000-memory.dmp

memory/1400-4-0x0000000000AD0000-0x0000000000F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (MD5, SHA1, SHA256 and SHA512 identical to the submitted sample: the dropped file is a copy of it)

MD5 c92d6ea298638980db4afcafbb131896
SHA1 4bd6bffc6ddcc9c74559819e97718af65fca7420
SHA256 104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98
SHA512 53d7df3d852b30a3a01e979545a31144c202d4e806dc38d74b3178bc952d721f5d087eb7a476c778e19931c46a60385862f9787ec8f30aea9b450040f80a086c

memory/4004-16-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/1400-17-0x0000000000AD0000-0x0000000000F91000-memory.dmp

memory/4004-19-0x00000000002B1000-0x00000000002DF000-memory.dmp

memory/4004-20-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-21-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-22-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-23-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/2672-25-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/2672-26-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/2672-27-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/2672-29-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-30-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-31-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-32-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-33-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-34-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4456-37-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-36-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4456-39-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-40-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-41-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-42-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-43-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4004-44-0x00000000002B0000-0x0000000000771000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe

MD5 3a4b0ee4eaddda570dcd10b484bdc5ea
SHA1 86c58f079cecd74b000ebdefecd9e7b7b19c59c5
SHA256 299c378868c76048c26d0e279655c08305f0ce42e5582fe5005aae776d525a1b
SHA512 b16bb932ab542846303a961e2f0821059062ea6359d0db247ebedc071fa01220e2c141a58186c488b3abd5fad858a3df126ab3025f742572f0090dc1590cad17

memory/2884-60-0x0000000000940000-0x0000000000FC9000-memory.dmp

memory/3456-76-0x0000000000410000-0x0000000000A99000-memory.dmp

memory/2884-77-0x0000000000940000-0x0000000000FC9000-memory.dmp

memory/4004-79-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/4164-80-0x00000000002B0000-0x0000000000771000-memory.dmp

memory/3456-81-0x0000000000410000-0x0000000000A99000-memory.dmp

memory/4004-82-0x00000000002B0000-0x0000000000771000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-12 12:15

Reported

2024-09-12 12:18

Platform

win11-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000030001\c29297bfe3.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\c29297bfe3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\c29297bfe3.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000030001\c29297bfe3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\c29297bfe3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\c29297bfe3.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\c29297bfe3.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe

"C:\Users\Admin\AppData\Local\Temp\104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\1000030001\c29297bfe3.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\c29297bfe3.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country | Destination | Domain | Proto
RU | 31.41.244.10:80 | 31.41.244.10 | tcp
RU | 31.41.244.11:80 | 31.41.244.11 | tcp
US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
RU | 31.41.244.11:80 | 31.41.244.11 | tcp
RU | 185.215.113.103:80 | 185.215.113.103 | tcp

Files

memory/3184-0-0x0000000000430000-0x00000000008F1000-memory.dmp

memory/3184-1-0x0000000077C96000-0x0000000077C98000-memory.dmp

memory/3184-2-0x0000000000431000-0x000000000045F000-memory.dmp

memory/3184-3-0x0000000000430000-0x00000000008F1000-memory.dmp

memory/3184-5-0x0000000000430000-0x00000000008F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (MD5, SHA1, SHA256 and SHA512 identical to the submitted sample: the dropped file is a copy of it)

MD5 c92d6ea298638980db4afcafbb131896
SHA1 4bd6bffc6ddcc9c74559819e97718af65fca7420
SHA256 104f14410ec272aa2ce4bba46c26f2668ecf3ad8fa8c97084bd4a3694a737f98
SHA512 53d7df3d852b30a3a01e979545a31144c202d4e806dc38d74b3178bc952d721f5d087eb7a476c778e19931c46a60385862f9787ec8f30aea9b450040f80a086c

memory/3184-18-0x0000000000430000-0x00000000008F1000-memory.dmp

memory/1412-15-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-19-0x0000000000B61000-0x0000000000B8F000-memory.dmp

memory/1412-20-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-21-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-22-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-23-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-24-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-25-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/816-28-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/816-29-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/816-30-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/816-32-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-33-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-34-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-35-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-36-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-37-0x0000000000B60000-0x0000000001021000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\d90cece9da.exe (same path and file name as in behavioral1, but every hash differs: a different file was served in this run)

MD5 ef5e1fef3600e27715ba195c03124f43
SHA1 64e1d848d06befa81be7890a4667854b68b1985e
SHA256 c4a13dc82d8f58cc444d38aa659be8e388dfd6b90c3bb29f95b57247e8595346
SHA512 3181987c5559da2f72ee41bd61af6c5698ffd90e73fc641e7b161fa3a0724efdee47e78f426b911bbef79f9cc13b9d66e32c32a5f4f787210dc113bcd79b3cea

memory/1412-52-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/4332-55-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-56-0x0000000000B60000-0x0000000001021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000030001\c29297bfe3.exe (hashes identical to the d90cece9da.exe retrieved in behavioral1: the same payload under a different name)

MD5 3a4b0ee4eaddda570dcd10b484bdc5ea
SHA1 86c58f079cecd74b000ebdefecd9e7b7b19c59c5
SHA256 299c378868c76048c26d0e279655c08305f0ce42e5582fe5005aae776d525a1b
SHA512 b16bb932ab542846303a961e2f0821059062ea6359d0db247ebedc071fa01220e2c141a58186c488b3abd5fad858a3df126ab3025f742572f0090dc1590cad17

memory/5052-73-0x00000000008A0000-0x0000000000F29000-memory.dmp

memory/5052-74-0x00000000008A0000-0x0000000000F29000-memory.dmp

memory/1412-75-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-76-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-77-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-78-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-79-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/4268-81-0x0000000000B60000-0x0000000001021000-memory.dmp

memory/1412-82-0x0000000000B60000-0x0000000001021000-memory.dmp