Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-09-2024 06:57
Static task: static1
Behavioral task: behavioral1
Sample: ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe
Resource: win10v2004-20240802-en
General
Target: ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe
Size: 1.8MB
MD5: 1962f71690a83ac73d4ba1e5942b23fc
SHA1: f25ad0c8cadfe47042e57383f2999f2a30d69b6c
SHA256: ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1
SHA512: 38d0a973729ff5226fbfaca13095eec03ea394e8810fd426c43ab10a63b3e15264cdcca3ea91f77778abaf42fb4ffa082320353ad9f4ffb4bdaa2acba4bf48c7
SSDEEP: 49152:n6YVeiOl2vNU6BY0p0hQU26q5K7DJ6zoSDvp3EOQMYqujXXof:n6/iQ4Y0OI5K7DJ6zVlEkuTo
Malware Config
Extracted (family: amadey)
  version: 4.41
  botnet: c7817d
  C2: http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php
Extracted (family: stealc)
  botnet: rave
  C2: http://185.215.113.103
  url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 6 IoCs]
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svoutse.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  48c29040fd.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  14f23466e1.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svoutse.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svoutse.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe

Downloads MZ/PE file

Checks BIOS information in registry  [2 TTPs, 12 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   14f23466e1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  48c29040fd.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   48c29040fd.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  14f23466e1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svoutse.exe
Checks computer location settings  [2 TTPs, 2 IoCs]
Looks up the country code configured in the registry, likely for geofencing.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation  svoutse.exe

Executes dropped EXE  [5 IoCs]
Processes (pid / process):
  2560  svoutse.exe
  4412  48c29040fd.exe
  4044  14f23466e1.exe
  3512  svoutse.exe
  4540  svoutse.exe

Identifies Wine through registry keys  [2 TTPs, 6 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe
  Key opened  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine  svoutse.exe
  Key opened  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine  48c29040fd.exe
  Key opened  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine  14f23466e1.exe
  Key opened  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine  svoutse.exe
  Key opened  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine  svoutse.exe

Adds Run key to start application  [2 TTPs, 1 IoC]
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14f23466e1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\14f23466e1.exe"  svoutse.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  [6 IoCs]
Processes (pid / process):
  5104  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe
  2560  svoutse.exe
  4412  48c29040fd.exe
  4044  14f23466e1.exe
  3512  svoutse.exe
  4540  svoutse.exe
Drops file in Windows directory  [1 IoC]
Processes (description / ioc / process):
  File created  C:\Windows\Tasks\svoutse.job  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe

Enumerates physical storage devices  [1 TTP]
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  [1 TTP, 4 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  48c29040fd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  14f23466e1.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svoutse.exe

Suspicious behavior: EnumeratesProcesses  [12 IoCs]
Processes (pid / process):
  5104  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe
  5104  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe
  2560  svoutse.exe
  2560  svoutse.exe
  4412  48c29040fd.exe
  4412  48c29040fd.exe
  4044  14f23466e1.exe
  4044  14f23466e1.exe
  3512  svoutse.exe
  3512  svoutse.exe
  4540  svoutse.exe
  4540  svoutse.exe

Suspicious use of FindShellTrayWindow  [1 IoC]
Processes (pid / process):
  5104  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe

Suspicious use of WriteProcessMemory  [9 IoCs]
Processes (description / pid / process / target process):
  PID 5104 wrote to memory of 2560  5104  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe  svoutse.exe
  PID 5104 wrote to memory of 2560  5104  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe  svoutse.exe
  PID 5104 wrote to memory of 2560  5104  ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe  svoutse.exe
  PID 2560 wrote to memory of 4412  2560  svoutse.exe  48c29040fd.exe
  PID 2560 wrote to memory of 4412  2560  svoutse.exe  48c29040fd.exe
  PID 2560 wrote to memory of 4412  2560  svoutse.exe  48c29040fd.exe
  PID 2560 wrote to memory of 4044  2560  svoutse.exe  14f23466e1.exe
  PID 2560 wrote to memory of 4044  2560  svoutse.exe  14f23466e1.exe
  PID 2560 wrote to memory of 4044  2560  svoutse.exe  14f23466e1.exe
Processes (tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe  (PID 5104, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe  (PID 2560, depth 2, child of 5104)
      command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\1000026000\48c29040fd.exe  (PID 4412, depth 3, child of 2560)
          command line: "C:\Users\Admin\AppData\Roaming\1000026000\48c29040fd.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Local\Temp\1000030001\14f23466e1.exe  (PID 4044, depth 3, child of 2560)
          command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\14f23466e1.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe  (PID 3512, depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe  (PID 4540, depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (hashes match the submitted sample)
  Filesize: 1.8MB
  MD5: 1962f71690a83ac73d4ba1e5942b23fc
  SHA1: f25ad0c8cadfe47042e57383f2999f2a30d69b6c
  SHA256: ef68b19e6817f5e4a8a3f03340897eae4beb052f9bb86aa6d12e02d377ce81a1
  SHA512: 38d0a973729ff5226fbfaca13095eec03ea394e8810fd426c43ab10a63b3e15264cdcca3ea91f77778abaf42fb4ffa082320353ad9f4ffb4bdaa2acba4bf48c7

File 2
  Filesize: 1.7MB
  MD5: ba8190393ac1d1db5ac8e47cd167ff86
  SHA1: 51ab312f3d6a18faa3908be6f9005de6b4e59e2f
  SHA256: baa62c7e9b3c8b0cf84c6327ee6dd168dc460032c1044969c454bdb12f7998e0
  SHA512: fc1f5e076ebf7387205ac14c6d59962b04e743c28ab1f8738094027949576503bcf3aabaa0f961141ebf1acfacf5354bc3d0164ae90178e329cbe6b841742456