Analysis
max time kernel: 147s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-09-2024 01:29
Static task: static1
Behavioral task: behavioral1
Sample: 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
Resource: win10v2004-20240802-en
General
Target: 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
Size: 1.8MB
MD5: e5153642206d3ff284fafb53afd9d545
SHA1: dd42dc65ffeeb5b4d6ee10a8aa100e9959b40831
SHA256: 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380
SHA512: e1cd8150d522673e03e260d0ed4e7dc7313dbeb96e3adae6d0cf4dc5574ba8194509191a7be7009d43089955acb565145b0771a788698e5920a8d7610ab02e5a
SSDEEP: 24576:RHi48nSVK4g4A63wZ/uX6x0gz5ElCOmJaeyegfgLuq+79EguZCnkjB33zdYnkbjT:RHUSY4Y63D+VEl7kXsB+CnkBnz1ew
Malware Config
Extracted family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2f63b8cb0e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file
-
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2f63b8cb0e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2f63b8cb0e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Executes dropped EXE (4 IoCs)
pid | process
1164 | svoutse.exe
5100 | 2f63b8cb0e.exe
5592 | svoutse.exe
5932 | svoutse.exe
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
Key opened | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine | 2f63b8cb0e.exe
Key opened | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine | svoutse.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Run\2f63b8cb0e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\2f63b8cb0e.exe" | svoutse.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid | process
5356 | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
1164 | svoutse.exe
5100 | 2f63b8cb0e.exe
5592 | svoutse.exe
5932 | svoutse.exe
Drops file in Windows directory (1 IoCs)
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2f63b8cb0e.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | process
5356 | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
5356 | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
1164 | svoutse.exe
1164 | svoutse.exe
5100 | 2f63b8cb0e.exe
5100 | 2f63b8cb0e.exe
5592 | svoutse.exe
5592 | svoutse.exe
5932 | svoutse.exe
5932 | svoutse.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | process
5356 | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 5356 wrote to memory of 1164 | 5356 | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe | svoutse.exe
PID 5356 wrote to memory of 1164 | 5356 | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe | svoutse.exe
PID 5356 wrote to memory of 1164 | 5356 | 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe | svoutse.exe
PID 1164 wrote to memory of 5100 | 1164 | svoutse.exe | 2f63b8cb0e.exe
PID 1164 wrote to memory of 5100 | 1164 | svoutse.exe | 2f63b8cb0e.exe
PID 1164 wrote to memory of 5100 | 1164 | svoutse.exe | 2f63b8cb0e.exe
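As an added example (not part of this report and not the sandbox's own tooling), the script below turns the extracted config and the signature IoCs above into host and proxy checks and runs them over a handful of constructed records. It generalises two of the IoCs: any Run value that points into AppData\Local\Temp, and any .job file created under C:\Windows\Tasks, rather than only the exact names seen here. Assumptions: the Sysmon event IDs used (1 process create, 3 network connection, 11 file create, 13 registry value set), the proxy log layout "<timestamp> <client> <method> <url>", and the rule names are mine; the sample records are constructed, not taken from the report. The registry reads behind the VirtualBox, BIOS, Wine and NLS signatures are deliberately not covered, because Sysmon does not log key opens or value queries.

```python
"""Report-derived triage checks (added example; not from the report)."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators copied from the report's Malware Config and Signatures sections.
C2_HOSTS = {"31.41.244.10", "185.215.113.103"}              # Amadey, Stealc C2
C2_PATHS = {"/Dem7kTu/index.php", "/e2b1563c6670f193.php"}  # Amadey, Stealc paths
INSTALL_DIR = "0e8d0864aa"                                  # Amadey install_dir
DROPPED_EXES = {"svoutse.exe", "2f63b8cb0e.exe"}

# Patterns generalised from the report's IoCs (rule names are hypothetical).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
JOB_FILE_RE = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)


def check_sysmon(ev: Dict) -> List[str]:
    """Return the rules a Sysmon-style event matches.

    Assumed event IDs: 1 process create, 3 network connect, 11 file create,
    13 registry value set. Field names follow Sysmon's (Image, DestinationIp,
    TargetFilename, TargetObject, Details)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:
        image = ev.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in DROPPED_EXES or f"\\{INSTALL_DIR}\\" in image:
            hits.append("dropped_exe_executed")
    elif eid == 3:
        if ev.get("DestinationIp") in C2_HOSTS:
            hits.append("c2_connection")
    elif eid == 11:
        if JOB_FILE_RE.match(ev.get("TargetFilename", "")):
            hits.append("tasks_job_created")
    elif eid == 13:
        # Persistence: a Run value whose data lives in the user's Temp directory.
        if RUN_KEY_RE.search(ev.get("TargetObject", "")) and TEMP_RE.search(ev.get("Details", "")):
            hits.append("run_key_to_temp")
    return hits


def check_proxy(line: str) -> List[str]:
    """Match one proxy log line ("<ts> <client> <method> <url>", assumed layout)."""
    parts = line.split()
    if len(parts) < 4:
        return []
    url = urlsplit(parts[3])
    hits: List[str] = []
    if url.hostname in C2_HOSTS:
        hits.append("c2_connection")
        if url.path in C2_PATHS:
            hits.append("c2_url_path")
    return hits


def scan(sysmon_events: List[Dict], proxy_lines: List[str]) -> Dict[str, int]:
    """Count rule hits across both sources."""
    counts: Dict[str, int] = {}
    for ev in sysmon_events:
        for h in check_sysmon(ev):
            counts[h] = counts.get(h, 0) + 1
    for line in proxy_lines:
        for h in check_proxy(line):
            counts[h] = counts.get(h, 0) + 1
    return counts


# Constructed sample records (not from the report); two are benign controls.
SAMPLE_SYSMON = [
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe", "ProcessId": 1164},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 4321},
    {"EventID": 11, "TargetFilename": r"C:\Windows\Tasks\svoutse.job"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Run\2f63b8cb0e.exe",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\1000030001\2f63b8cb0e.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"EventID": 3, "DestinationIp": "185.215.113.103", "DestinationPort": 80},
]
SAMPLE_PROXY = [
    "2024-09-13T01:30:02Z 10.0.0.5 POST http://31.41.244.10/Dem7kTu/index.php",
    "2024-09-13T01:30:09Z 10.0.0.5 GET http://example.com/",
]

if __name__ == "__main__":
    for rule, n in sorted(scan(SAMPLE_SYSMON, SAMPLE_PROXY).items()):
        print(f"{rule}: {n}")
```

The Run-key rule keys on the value data rather than the value name because the name (2f63b8cb0e.exe) is per-sample, while "autostart from Temp" survives rebuilds; the C2 IPs and URL paths are the most fragile indicators here and should be expected to rotate.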
Processes
C:\Users\Admin\AppData\Local\Temp\3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe (PID 5356, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 1164, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1000030001\2f63b8cb0e.exe (PID 5100, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\2f63b8cb0e.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 5592, depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 5932, depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.7MB
MD5: 7696fd52645fd5bde71ca7eb4b2fa935
SHA1: 50fcab8ebe7f490596c51ceb520f6a972ccb790d
SHA256: 45bbfe6526c7aa0ac16355e301a467c2533bb1b2455dea1405deb80be734f990
SHA512: 1bd56f6e9d4c2c89b2ec3142762b50f9820a359e6f6f1143e769b67b878e24ac3c815ed79eb20e0ae556a2deda76a6ca7d49f2075ef6b905713019bc98fb7a82

Filesize: 1.8MB
MD5: e5153642206d3ff284fafb53afd9d545
SHA1: dd42dc65ffeeb5b4d6ee10a8aa100e9959b40831
SHA256: 3da24db253cee5c79f2bd98fafa4020ebb705c22132ea5286e633089bc889380
SHA512: e1cd8150d522673e03e260d0ed4e7dc7313dbeb96e3adae6d0cf4dc5574ba8194509191a7be7009d43089955acb565145b0771a788698e5920a8d7610ab02e5a