Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-01-2024 19:08

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Meow.exe
  - Resource: win7-20231215-en
- Behavioral task: behavioral2
  - Sample: Meow.exe
  - Resource: win10v2004-20231222-en
General
- Target: Meow.exe
- Size: 5.3MB
- MD5: 0b01ec2c4b4faac5d7591c9b17d75d2d
- SHA1: a28a8431348d751709887d1293c80237782ab6b6
- SHA256: e2342e90d6baeda675e92025124c05266e4b99f251d967ff6a49ac65fa385060
- SHA512: b1e8ce594be3b14968899c3be2c8bf8e583645beb3e3ec383821fcac0b8c8bbd4ff72c32bd11fed4194fd2e0b00cc53652d16fbfec516655ec8a0472ea93b17e
- SSDEEP: 98304:PKMBJC+aOomVZs3/H+ub898uncF7IsMZJ7ANoQbz5MYverP6JU+B59yO4SO:Ph++zg3/Hbb8GunsmJgMijJUnO
Malware Config
Signatures

- Detect Poverty Stealer Payload (6 IoCs)
  Processes:

  | resource | yara_rule |
  |---|---|
  | behavioral2/memory/2252-4-0x0000000000400000-0x0000000000411000-memory.dmp | family_povertystealer |
  | behavioral2/memory/2252-7-0x0000000000400000-0x0000000000411000-memory.dmp | family_povertystealer |
  | behavioral2/memory/2252-8-0x0000000000400000-0x0000000000411000-memory.dmp | family_povertystealer |
  | behavioral2/memory/2252-9-0x0000000000400000-0x0000000000411000-memory.dmp | family_povertystealer |
  | behavioral2/memory/2252-23-0x0000000000400000-0x0000000000411000-memory.dmp | family_povertystealer |
  | behavioral2/memory/2252-25-0x0000000000400000-0x0000000000411000-memory.dmp | family_povertystealer |

- Poverty Stealer
  Poverty Stealer is a cryptocurrency and information stealer written in C++.

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:

  | description | ioc | process |
  |---|---|---|
  | Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | Meow.exe |

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:

  | description | pid | process | target process |
  |---|---|---|---|
  | PID 1996 set thread context of 2252 | 1996 | Meow.exe | Meow.exe |

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoCs)
  Processes:

  | pid | pid_target | process | target process |
  |---|---|---|---|
  | 3828 | 1996 | WerFault.exe | Meow.exe |

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:

  | description | pid | process | target process |
  |---|---|---|---|
  | PID 1996 wrote to memory of 2252 | 1996 | Meow.exe | Meow.exe |
  | PID 1996 wrote to memory of 2252 | 1996 | Meow.exe | Meow.exe |
  | PID 1996 wrote to memory of 2252 | 1996 | Meow.exe | Meow.exe |
  | PID 1996 wrote to memory of 2252 | 1996 | Meow.exe | Meow.exe |
  | PID 1996 wrote to memory of 2252 | 1996 | Meow.exe | Meow.exe |
  | PID 1996 wrote to memory of 2252 | 1996 | Meow.exe | Meow.exe |
  | PID 1996 wrote to memory of 2252 | 1996 | Meow.exe | Meow.exe |
  | PID 1996 wrote to memory of 2252 | 1996 | Meow.exe | Meow.exe |
  | PID 1996 wrote to memory of 2252 | 1996 | Meow.exe | Meow.exe |
Processes (image path, command line, PID; indentation shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\Meow.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Meow.exe"
  PID: 1996
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Meow.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Meow.exe"
    PID: 2252
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1708
    PID: 3828
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1996 -ip 1996
  PID: 4400
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.9MB
- MD5: 9ac06c4bad5dce748b6bb0c26abdef07
- SHA1: 52fbb6bc50c2961d7937effe799f03939f5d984f
- SHA256: 21414c6b651dfefa26b3fce308ab485db54c5d9a19e296f9e55e6d80c40f1ad4
- SHA512: a7a461bc7651b3e8f28578520981422c6b408ab604684be0e04f4ae6ca0ab89923aa0c649d156c9d508cbdbdb72e9c87c19f0af1dd6706b07cd0ce2999211352