Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 122s
max time network: 134s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2023, 16:57

Static task: static1

Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230831-en
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: tmp.exe
Resource: win10v2004-20230915-en
5 signatures, 150 seconds
General
Target: tmp.exe
Size: 1.7MB
MD5: 7c818b38718a7e845e3e2b2a2baf0c6e
SHA1: fcb189782e39c8ed1b26512278e07e3cda6ab1d1
SHA256: 8c737d639a32ba502f16936785d947f262a7670ae19dafa8d2641fed4051dd8c
SHA512: df31f27eb7f41ab285ef8319e12a71b97dc4687c38c2a7793042eec503ba771d8773b1ec745fb7667cfe963c5d1b28989b782f52597b9dd0e4606f26db2fe26f
SSDEEP: 12288:czrSC63ODLASaGMLA42yarv4rHBC3+RxrfvyJic2yPEAj8b7NuZhazOD4B6Me6:C6eDLASbMc42ya8vygcDEAmI9Me6
Score: 10/10
Malware Config
Signatures

Detect Poverty Stealer Payload (8 IoCs)
resource | yara_rule
behavioral1/memory/1632-1-0x0000000001000000-0x000000000120F000-memory.dmp | family_povertystealer
behavioral1/memory/2804-4-0x0000000000080000-0x000000000008F000-memory.dmp | family_povertystealer
behavioral1/memory/1632-12-0x0000000001000000-0x000000000120F000-memory.dmp | family_povertystealer
behavioral1/memory/2804-11-0x0000000000080000-0x000000000008F000-memory.dmp | family_povertystealer
behavioral1/memory/2804-14-0x0000000000080000-0x000000000008F000-memory.dmp | family_povertystealer
behavioral1/memory/2804-15-0x0000000000080000-0x000000000008F000-memory.dmp | family_povertystealer
behavioral1/memory/2804-16-0x0000000000080000-0x000000000008F000-memory.dmp | family_povertystealer
behavioral1/memory/2804-20-0x0000000000080000-0x000000000008F000-memory.dmp | family_povertystealer
Poverty Stealer
Poverty Stealer is a cryptocurrency and information stealer written in C++.

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the signed Microsoft Visual Basic .NET compiler. In this run it is started with no command-line arguments and is not compiling anything: tmp.exe launches it, writes into its memory and then changes a thread context in it (see the two IoC tables below), so vbc.exe serves only as a trusted host process for the injected payload.
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1632 set thread context of 2804 | 1632 | tmp.exe | 28

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1632 wrote to memory of 2804 | 1632 | tmp.exe | 28
PID 1632 wrote to memory of 2804 | 1632 | tmp.exe | 28
PID 1632 wrote to memory of 2804 | 1632 | tmp.exe | 28
PID 1632 wrote to memory of 2804 | 1632 | tmp.exe | 28
PID 1632 wrote to memory of 2804 | 1632 | tmp.exe | 28
PID 1632 wrote to memory of 2804 | 1632 | tmp.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   PID: 1632
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 2804
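The injection IoCs and the YARA memory hits above are only useful if something correlates them. The script below is an added example, not code from tria.ge or from the Poverty Stealer report: it parses rows in the shape of the SetThreadContext/WriteProcessMemory tables into events and reports every parent/child pair that shows both a memory write and a thread-context change (the write-then-redirect sequence behind running a payload in a hollowed host), then parses the YARA dump names to size the regions the rule fired on. The row texts are copied from this report; the PID-to-image map, the hollow-host list and the PID 900 negative-control row are constructed for the example.

```python
"""Correlate tria.ge-style injection IoCs and YARA memory hits (added example)."""
import re
from collections import defaultdict

# Rows copied from the report's SetThreadContext / WriteProcessMemory tables,
# plus one constructed row (PID 900) that must NOT produce a finding: a lone
# WriteProcessMemory without a thread-context change is common in benign
# software (debuggers, hooking frameworks, crash reporters).
IOC_ROWS = [
    "PID 1632 set thread context of 2804 1632 tmp.exe 28",
] + ["PID 1632 wrote to memory of 2804 1632 tmp.exe 28"] * 6 + [
    "PID 900 wrote to memory of 901 900 benign.exe 5",   # constructed control
]

# YARA hits copied from 'Detect Poverty Stealer Payload' (first four rows).
YARA_ROWS = [
    "behavioral1/memory/1632-1-0x0000000001000000-0x000000000120F000-memory.dmp family_povertystealer",
    "behavioral1/memory/2804-4-0x0000000000080000-0x000000000008F000-memory.dmp family_povertystealer",
    "behavioral1/memory/1632-12-0x0000000001000000-0x000000000120F000-memory.dmp family_povertystealer",
    "behavioral1/memory/2804-11-0x0000000000080000-0x000000000008F000-memory.dmp family_povertystealer",
]

# PID -> image, read off the report's process tree (constructed mapping).
PROCESS_IMAGES = {1632: "tmp.exe", 2804: "vbc.exe"}

# Signed .NET framework binaries that loaders commonly use as hollowing
# hosts (assumed list for the example, not something the report states).
HOLLOW_HOSTS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe"}

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)\b")
DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")


def parse_ioc_rows(rows):
    """Return (source_pid, action, target_pid) triples; rows that do not match are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            action = "set_thread_context" if m.group(2).startswith("set") else "write_memory"
            events.append((int(m.group(1)), action, int(m.group(3))))
    return events


def find_injection_chains(events, images=PROCESS_IMAGES):
    """Pairs where the same parent both wrote into the child and re-pointed a thread in it."""
    actions = defaultdict(set)
    writes = defaultdict(int)
    for src, action, dst in events:
        actions[(src, dst)].add(action)
        if action == "write_memory":
            writes[(src, dst)] += 1
    findings = []
    for (src, dst), seen in sorted(actions.items()):
        if {"write_memory", "set_thread_context"} <= seen:
            target = images.get(dst, "unknown")
            findings.append({
                "source_pid": src, "source": images.get(src, "unknown"),
                "target_pid": dst, "target": target,
                "writes": writes[(src, dst)],
                "signed_host": target.lower() in HOLLOW_HOSTS,
            })
    return findings


def summarize_yara_regions(rows):
    """Map PID -> {(start, end, size_bytes)} for every region a rule fired on."""
    regions = defaultdict(set)
    for row in rows:
        m = DUMP_RE.search(row)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions[int(m.group(1))].add((start, end, end - start))
    return dict(regions)


if __name__ == "__main__":
    for f in find_injection_chains(parse_ioc_rows(IOC_ROWS)):
        print(f"{f['source']} ({f['source_pid']}) -> {f['target']} ({f['target_pid']}): "
              f"{f['writes']} write(s) + SetThreadContext, signed host: {f['signed_host']}")
    for pid, regs in sorted(summarize_yara_regions(YARA_ROWS).items()):
        for start, end, size in sorted(regs):
            print(f"PID {pid}: 0x{start:X}-0x{end:X} ({size} bytes)")
```

Run as-is, the script reports one chain (tmp.exe 1632 into vbc.exe 2804, six writes then SetThreadContext, signed host) and no finding for the constructed PID 900 row. The region summary shows why the two YARA hits look different: the parent's hit spans 0x1000000-0x120F000 (about 2.1 MB, close to the 1.7 MB file), while the child's spans 0x80000-0x8F000 (60 KB), a small private region in vbc.exe rather than its image, which is where the unpacked stealer was written. Note that tria.ge's procid_target column (28) is a process index, not a Windows PID; the script keys everything on the PIDs in the description text.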