Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 30-01-2024 19:08
Static task: static1
Behavioral task: behavioral1
Sample: Meow.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: Meow.exe
Resource: win10v2004-20231222-en
General
Target: Meow.exe
Size: 5.3MB
MD5: 0b01ec2c4b4faac5d7591c9b17d75d2d
SHA1: a28a8431348d751709887d1293c80237782ab6b6
SHA256: e2342e90d6baeda675e92025124c05266e4b99f251d967ff6a49ac65fa385060
SHA512: b1e8ce594be3b14968899c3be2c8bf8e583645beb3e3ec383821fcac0b8c8bbd4ff72c32bd11fed4194fd2e0b00cc53652d16fbfec516655ec8a0472ea93b17e
SSDEEP: 98304:PKMBJC+aOomVZs3/H+ub898uncF7IsMZJ7ANoQbz5MYverP6JU+B59yO4SO:Ph++zg3/Hbb8GunsmJgMijJUnO
Malware Config
Signatures
-
Detect Poverty Stealer Payload 4 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2064-6-0x0000000000400000-0x0000000000411000-memory.dmp    family_povertystealer
behavioral1/memory/2064-14-0x0000000000400000-0x0000000000411000-memory.dmp   family_povertystealer
behavioral1/memory/2064-11-0x0000000000400000-0x0000000000411000-memory.dmp   family_povertystealer
behavioral1/memory/2064-7-0x0000000000400000-0x0000000000411000-memory.dmp    family_povertystealer
-
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Meow.exe
description                            pid    process    target process
PID 2156 set thread context of 2064    2156   Meow.exe   Meow.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe
pid    pid_target   process
2284   2064         WerFault.exe
2824   2156         WerFault.exe Meow.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: Meow.exe, Meow.exe
description                            pid    process    target process
PID 2156 wrote to memory of 2064       2156   Meow.exe   Meow.exe
PID 2156 wrote to memory of 2064       2156   Meow.exe   Meow.exe
PID 2156 wrote to memory of 2064       2156   Meow.exe   Meow.exe
PID 2156 wrote to memory of 2064       2156   Meow.exe   Meow.exe
PID 2156 wrote to memory of 2064       2156   Meow.exe   Meow.exe
PID 2156 wrote to memory of 2064       2156   Meow.exe   Meow.exe
PID 2156 wrote to memory of 2064       2156   Meow.exe   Meow.exe
PID 2156 wrote to memory of 2064       2156   Meow.exe   Meow.exe
PID 2156 wrote to memory of 2064       2156   Meow.exe   Meow.exe
PID 2156 wrote to memory of 2064       2156   Meow.exe   Meow.exe
PID 2064 wrote to memory of 2284       2064   Meow.exe   WerFault.exe
PID 2064 wrote to memory of 2284       2064   Meow.exe   WerFault.exe
PID 2064 wrote to memory of 2284       2064   Meow.exe   WerFault.exe
PID 2064 wrote to memory of 2284       2064   Meow.exe   WerFault.exe
PID 2156 wrote to memory of 2824       2156   Meow.exe   WerFault.exe
PID 2156 wrote to memory of 2824       2156   Meow.exe   WerFault.exe
PID 2156 wrote to memory of 2824       2156   Meow.exe   WerFault.exe
PID 2156 wrote to memory of 2824       2156   Meow.exe   WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Meow.exe
"C:\Users\Admin\AppData\Local\Temp\Meow.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156
-
    C:\Users\Admin\AppData\Local\Temp\Meow.exe
    "C:\Users\Admin\AppData\Local\Temp\Meow.exe"
    - Suspicious use of WriteProcessMemory
    PID:2064
    -
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 740
    - Program crash
    PID:2824
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 88
- Program crash
PID:2284