Analysis
-
max time kernel
112s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14-09-2024 03:11
Static task
static1
Behavioral task
behavioral1
Sample
86428dd44549198730fd4dbcb1813e20N.exe
Resource
win7-20240903-en
General
-
Target
86428dd44549198730fd4dbcb1813e20N.exe
-
Size
1.8MB
-
MD5
86428dd44549198730fd4dbcb1813e20
-
SHA1
835b9410650b1477b06063fe34a1e8025b6dacf6
-
SHA256
15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8
-
SHA512
0c0337ce954ec27fb290766fef9a2ae8bfc3eb8e0cf4486733ebc7d7846c57df15181198723d8c6b2c9bbe382f5271777aed6e7ad5bfb31f6cf065ff469e8cbe
-
SSDEEP
49152:4q34XZCmyUbLYFQLNX3U1L/t6JnidewigXUPT/LOaGr:4qoX1HL6QLNU1Tt4nirigXUPTzOaG
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
svoutse.exesvoutse.exe86428dd44549198730fd4dbcb1813e20N.exesvoutse.exee0b9b45a23.exee668b16c1c.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 86428dd44549198730fd4dbcb1813e20N.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e0b9b45a23.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e668b16c1c.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
86428dd44549198730fd4dbcb1813e20N.exesvoutse.exee0b9b45a23.exesvoutse.exesvoutse.exee668b16c1c.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 86428dd44549198730fd4dbcb1813e20N.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e0b9b45a23.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 86428dd44549198730fd4dbcb1813e20N.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e0b9b45a23.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e668b16c1c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e668b16c1c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
86428dd44549198730fd4dbcb1813e20N.exesvoutse.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation 86428dd44549198730fd4dbcb1813e20N.exe Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation svoutse.exe -
Executes dropped EXE 5 IoCs
Processes:
svoutse.exee0b9b45a23.exee668b16c1c.exesvoutse.exesvoutse.exepid process 1052 svoutse.exe 752 e0b9b45a23.exe 1496 e668b16c1c.exe 2936 svoutse.exe 3344 svoutse.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
svoutse.exe86428dd44549198730fd4dbcb1813e20N.exesvoutse.exee0b9b45a23.exee668b16c1c.exesvoutse.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine 86428dd44549198730fd4dbcb1813e20N.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine e0b9b45a23.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine e668b16c1c.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine svoutse.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
svoutse.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e668b16c1c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\e668b16c1c.exe" svoutse.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
86428dd44549198730fd4dbcb1813e20N.exesvoutse.exee0b9b45a23.exee668b16c1c.exesvoutse.exesvoutse.exepid process 1188 86428dd44549198730fd4dbcb1813e20N.exe 1052 svoutse.exe 752 e0b9b45a23.exe 1496 e668b16c1c.exe 2936 svoutse.exe 3344 svoutse.exe -
Drops file in Windows directory 1 IoCs
Processes:
86428dd44549198730fd4dbcb1813e20N.exedescription ioc process File created C:\Windows\Tasks\svoutse.job 86428dd44549198730fd4dbcb1813e20N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
86428dd44549198730fd4dbcb1813e20N.exesvoutse.exee0b9b45a23.exee668b16c1c.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86428dd44549198730fd4dbcb1813e20N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svoutse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e0b9b45a23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e668b16c1c.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
86428dd44549198730fd4dbcb1813e20N.exesvoutse.exee0b9b45a23.exee668b16c1c.exesvoutse.exesvoutse.exepid process 1188 86428dd44549198730fd4dbcb1813e20N.exe 1188 86428dd44549198730fd4dbcb1813e20N.exe 1052 svoutse.exe 1052 svoutse.exe 752 e0b9b45a23.exe 752 e0b9b45a23.exe 1496 e668b16c1c.exe 1496 e668b16c1c.exe 2936 svoutse.exe 2936 svoutse.exe 3344 svoutse.exe 3344 svoutse.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
86428dd44549198730fd4dbcb1813e20N.exepid process 1188 86428dd44549198730fd4dbcb1813e20N.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
86428dd44549198730fd4dbcb1813e20N.exesvoutse.exedescription pid process target process PID 1188 wrote to memory of 1052 1188 86428dd44549198730fd4dbcb1813e20N.exe svoutse.exe PID 1188 wrote to memory of 1052 1188 86428dd44549198730fd4dbcb1813e20N.exe svoutse.exe PID 1188 wrote to memory of 1052 1188 86428dd44549198730fd4dbcb1813e20N.exe svoutse.exe PID 1052 wrote to memory of 752 1052 svoutse.exe e0b9b45a23.exe PID 1052 wrote to memory of 752 1052 svoutse.exe e0b9b45a23.exe PID 1052 wrote to memory of 752 1052 svoutse.exe e0b9b45a23.exe PID 1052 wrote to memory of 1496 1052 svoutse.exe e668b16c1c.exe PID 1052 wrote to memory of 1496 1052 svoutse.exe e668b16c1c.exe PID 1052 wrote to memory of 1496 1052 svoutse.exe e668b16c1c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\86428dd44549198730fd4dbcb1813e20N.exe"C:\Users\Admin\AppData\Local\Temp\86428dd44549198730fd4dbcb1813e20N.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Users\Admin\AppData\Roaming\1000041000\e0b9b45a23.exe"C:\Users\Admin\AppData\Roaming\1000041000\e0b9b45a23.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:752 -
C:\Users\Admin\AppData\Local\Temp\1000042001\e668b16c1c.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\e668b16c1c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1496
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2936
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3344
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD586428dd44549198730fd4dbcb1813e20
SHA1835b9410650b1477b06063fe34a1e8025b6dacf6
SHA25615596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8
SHA5120c0337ce954ec27fb290766fef9a2ae8bfc3eb8e0cf4486733ebc7d7846c57df15181198723d8c6b2c9bbe382f5271777aed6e7ad5bfb31f6cf065ff469e8cbe
-
Filesize
1.7MB
MD5087b03122f2a7c24af29a7c3e574fa39
SHA1c15df128fdfa9e29dab7c6a272db1e5dbf4f4f7c
SHA256e2a1770da6d6838de2454af91092c33eb7f2c933617422826e2a15240f967266
SHA512edbb50946cf8ea8f1fd401556a390901f4e4c4114ef9097a1e8e44a9c29452894a1541085037f5098a8395d9097cff0c56869b6637c53f4bd3c9482fef725d5a