Analysis Overview
SHA256
ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884
Threat Level: Known bad
The file ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884 was found to be: Known bad.
Malicious Activity Summary
Amadey
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Checks BIOS information in registry
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Identifies Wine through registry keys
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-13 03:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-13 03:02
Reported
2024-09-13 03:05
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
113s
Command Line
Signatures
Amadey
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000030001\40d66587db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\40d66587db.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\40d66587db.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\40d66587db.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000030001\40d66587db.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40d66587db.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\40d66587db.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\40d66587db.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\40d66587db.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe
"C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe
"C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe"
C:\Users\Admin\AppData\Local\Temp\1000030001\40d66587db.exe
"C:\Users\Admin\AppData\Local\Temp\1000030001\40d66587db.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | 103.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4708-0-0x0000000000CF0000-0x000000000119B000-memory.dmp
memory/4708-1-0x00000000773E4000-0x00000000773E6000-memory.dmp
memory/4708-2-0x0000000000CF1000-0x0000000000D1F000-memory.dmp
memory/4708-3-0x0000000000CF0000-0x000000000119B000-memory.dmp
memory/4708-4-0x0000000000CF0000-0x000000000119B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
| MD5 | 235e3c9d8ccd2ce95aeca8a1ff1396ea |
| SHA1 | 3938efcf02c06641867ed815a237e919ad30b0af |
| SHA256 | ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884 |
| SHA512 | 488f497d0d28b40a23f37293931c8edf2812e1e9a817f2da281fbda337e6c6ed4cd5d2e08a2cb8a95aadc1b5fdb870a9dc482acf5c4ff7b12e14566fe4f6d0a4 |
memory/4708-17-0x0000000000CF0000-0x000000000119B000-memory.dmp
memory/2056-18-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-19-0x0000000000E31000-0x0000000000E5F000-memory.dmp
memory/2056-20-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-21-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-22-0x0000000000E30000-0x00000000012DB000-memory.dmp
C:\Users\Admin\AppData\Roaming\1000026000\17ea841b71.exe
| MD5 | 7696fd52645fd5bde71ca7eb4b2fa935 |
| SHA1 | 50fcab8ebe7f490596c51ceb520f6a972ccb790d |
| SHA256 | 45bbfe6526c7aa0ac16355e301a467c2533bb1b2455dea1405deb80be734f990 |
| SHA512 | 1bd56f6e9d4c2c89b2ec3142762b50f9820a359e6f6f1143e769b67b878e24ac3c815ed79eb20e0ae556a2deda76a6ca7d49f2075ef6b905713019bc98fb7a82 |
memory/4396-38-0x0000000000150000-0x00000000007C2000-memory.dmp
memory/4496-54-0x0000000000610000-0x0000000000C82000-memory.dmp
memory/4396-55-0x0000000000151000-0x0000000000165000-memory.dmp
memory/4396-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2056-73-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2216-74-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2216-83-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-97-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-104-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/4396-105-0x0000000000150000-0x00000000007C2000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/4496-130-0x0000000000610000-0x0000000000C82000-memory.dmp
memory/4396-131-0x0000000000150000-0x00000000007C2000-memory.dmp
memory/4496-132-0x0000000000610000-0x0000000000C82000-memory.dmp
memory/4496-133-0x0000000000610000-0x0000000000C82000-memory.dmp
memory/2056-134-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-135-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-136-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-137-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-138-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/412-140-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/412-142-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-143-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-144-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-145-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-146-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-147-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-148-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2312-151-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-152-0x0000000000E30000-0x00000000012DB000-memory.dmp
memory/2056-153-0x0000000000E30000-0x00000000012DB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-13 03:02
Reported
2024-09-13 03:05
Platform
win11-20240802-en
Max time kernel
142s
Max time network
116s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\1000026000\e647d7cae5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000030001\aa65628411.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\aa65628411.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\aa65628411.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\e647d7cae5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\e647d7cae5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\e647d7cae5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\aa65628411.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\1000026000\e647d7cae5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000030001\aa65628411.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\aa65628411.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\aa65628411.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\e647d7cae5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\aa65628411.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1000026000\e647d7cae5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\aa65628411.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe
"C:\Users\Admin\AppData\Local\Temp\ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
C:\Users\Admin\AppData\Roaming\1000026000\e647d7cae5.exe
"C:\Users\Admin\AppData\Roaming\1000026000\e647d7cae5.exe"
C:\Users\Admin\AppData\Local\Temp\1000030001\aa65628411.exe
"C:\Users\Admin\AppData\Local\Temp\1000030001\aa65628411.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Network
| Country | Destination | Domain | Proto |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
Files
memory/2076-0-0x0000000000EB0000-0x000000000135B000-memory.dmp
memory/2076-1-0x00000000770B6000-0x00000000770B8000-memory.dmp
memory/2076-2-0x0000000000EB1000-0x0000000000EDF000-memory.dmp
memory/2076-3-0x0000000000EB0000-0x000000000135B000-memory.dmp
memory/2076-4-0x0000000000EB0000-0x000000000135B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
| MD5 | 235e3c9d8ccd2ce95aeca8a1ff1396ea |
| SHA1 | 3938efcf02c06641867ed815a237e919ad30b0af |
| SHA256 | ead6067f90a3f1018b6986d1a99f5e57222324f4fe892756c7547603cf79e884 |
| SHA512 | 488f497d0d28b40a23f37293931c8edf2812e1e9a817f2da281fbda337e6c6ed4cd5d2e08a2cb8a95aadc1b5fdb870a9dc482acf5c4ff7b12e14566fe4f6d0a4 |
memory/2076-17-0x0000000000EB0000-0x000000000135B000-memory.dmp
memory/4276-18-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-19-0x0000000000441000-0x000000000046F000-memory.dmp
memory/4276-20-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-21-0x0000000000440000-0x00000000008EB000-memory.dmp
C:\Users\Admin\AppData\Roaming\1000026000\e647d7cae5.exe
| MD5 | 7696fd52645fd5bde71ca7eb4b2fa935 |
| SHA1 | 50fcab8ebe7f490596c51ceb520f6a972ccb790d |
| SHA256 | 45bbfe6526c7aa0ac16355e301a467c2533bb1b2455dea1405deb80be734f990 |
| SHA512 | 1bd56f6e9d4c2c89b2ec3142762b50f9820a359e6f6f1143e769b67b878e24ac3c815ed79eb20e0ae556a2deda76a6ca7d49f2075ef6b905713019bc98fb7a82 |
memory/3748-37-0x0000000000FF0000-0x0000000001662000-memory.dmp
memory/3748-46-0x0000000000FF1000-0x0000000001005000-memory.dmp
memory/3748-47-0x0000000000FF0000-0x0000000001662000-memory.dmp
memory/4276-48-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/3180-56-0x0000000000210000-0x0000000000882000-memory.dmp
memory/3748-58-0x0000000000FF0000-0x0000000001662000-memory.dmp
memory/3756-61-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-60-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/3180-63-0x0000000000210000-0x0000000000882000-memory.dmp
memory/3756-65-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-66-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-67-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-68-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-69-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-70-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-71-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-72-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4048-74-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-75-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-76-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-77-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-78-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-79-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-80-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/1420-82-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/1420-84-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-85-0x0000000000440000-0x00000000008EB000-memory.dmp
memory/4276-86-0x0000000000440000-0x00000000008EB000-memory.dmp