Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-01-2024 19:08

General

  • Target

    Meow.exe

  • Size

    5.3MB

  • MD5

    0b01ec2c4b4faac5d7591c9b17d75d2d

  • SHA1

    a28a8431348d751709887d1293c80237782ab6b6

  • SHA256

    e2342e90d6baeda675e92025124c05266e4b99f251d967ff6a49ac65fa385060

  • SHA512

    b1e8ce594be3b14968899c3be2c8bf8e583645beb3e3ec383821fcac0b8c8bbd4ff72c32bd11fed4194fd2e0b00cc53652d16fbfec516655ec8a0472ea93b17e

  • SSDEEP

    98304:PKMBJC+aOomVZs3/H+ub898uncF7IsMZJ7ANoQbz5MYverP6JU+B59yO4SO:Ph++zg3/Hbb8GunsmJgMijJUnO

Malware Config

Signatures

  • Detect Poverty Stealer Payload 6 IoCs
  • Poverty Stealer

    Poverty Stealer is a cryptocurrency and information stealer written in C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Meow.exe
    "C:\Users\Admin\AppData\Local\Temp\Meow.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\Meow.exe
      "C:\Users\Admin\AppData\Local\Temp\Meow.exe"
      2⤵
      PID:2252
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1708
      2⤵
      • Program crash
      PID:3828
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1996 -ip 1996
    1⤵
    PID:4400

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe

    Filesize

    2.9MB

    MD5

    9ac06c4bad5dce748b6bb0c26abdef07

    SHA1

    52fbb6bc50c2961d7937effe799f03939f5d984f

    SHA256

    21414c6b651dfefa26b3fce308ab485db54c5d9a19e296f9e55e6d80c40f1ad4

    SHA512

    a7a461bc7651b3e8f28578520981422c6b408ab604684be0e04f4ae6ca0ab89923aa0c649d156c9d508cbdbdb72e9c87c19f0af1dd6706b07cd0ce2999211352

  • memory/1996-3-0x0000000005140000-0x0000000005150000-memory.dmp

    Filesize

    64KB

  • memory/1996-2-0x00000000054E0000-0x0000000005A84000-memory.dmp

    Filesize

    5.6MB

  • memory/1996-0-0x0000000074D30000-0x00000000754E0000-memory.dmp

    Filesize

    7.7MB

  • memory/1996-1-0x00000000000F0000-0x000000000064A000-memory.dmp

    Filesize

    5.4MB

  • memory/1996-24-0x0000000074D30000-0x00000000754E0000-memory.dmp

    Filesize

    7.7MB

  • memory/2252-4-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2252-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2252-8-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2252-10-0x0000000003080000-0x0000000003081000-memory.dmp

    Filesize

    4KB

  • memory/2252-9-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2252-23-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2252-25-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB
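The process tree and the memory dumps above are consistent with process hollowing: the parent Meow.exe (PID 1996) carries the SetThreadContext and WriteProcessMemory signatures, spawns a second copy of its own image (PID 2252), and the child's dumped region at 0x400000 is only 68KB against a 5.3MB file on disk. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses the memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp names, checks that each listed Filesize matches the address range in the name, and flags the self-injection pattern. The PIDs, paths, signature names and dump names are transcribed from the report; the dict and list layout, the 0x400000 default-image-base assumption and the 25% size threshold are constructed for illustration.

```python
"""Parse Triage-style memory-dump names and test for the self-injection pattern.

Added example, not part of the sandbox report. Data values are transcribed from
the report; the structures, DEFAULT_IMAGE_BASE and the size ratio are assumptions.
"""
import re
from collections import defaultdict

# Dump names look like: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
SIZE_RE = re.compile(r"(\d+(?:\.\d+)?)(KB|MB)")
DEFAULT_IMAGE_BASE = 0x400000  # assumption: usual image base of a 32-bit PE
NEEDED = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}

MEOW = r"C:\Users\Admin\AppData\Local\Temp\Meow.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the report's Processes section; "size" is the on-disk size
# from the General section (unknown here for the system binaries).
PROCESSES = {
    1996: {"image": MEOW, "parent": None, "size": "5.3MB",
           "signatures": {"Checks computer location settings", *NEEDED}},
    2252: {"image": MEOW, "parent": 1996, "size": "5.3MB", "signatures": set()},
    3828: {"image": WERFAULT, "parent": 1996, "size": None, "signatures": {"Program crash"}},
    4400: {"image": WERFAULT, "parent": None, "size": None, "signatures": set()},
}

# Constructed from the report's Downloads section: (dump name, listed Filesize).
DUMPS = [
    ("memory/1996-3-0x0000000005140000-0x0000000005150000-memory.dmp", "64KB"),
    ("memory/1996-2-0x00000000054E0000-0x0000000005A84000-memory.dmp", "5.6MB"),
    ("memory/1996-0-0x0000000074D30000-0x00000000754E0000-memory.dmp", "7.7MB"),
    ("memory/1996-1-0x00000000000F0000-0x000000000064A000-memory.dmp", "5.4MB"),
    ("memory/1996-24-0x0000000074D30000-0x00000000754E0000-memory.dmp", "7.7MB"),
    ("memory/2252-4-0x0000000000400000-0x0000000000411000-memory.dmp", "68KB"),
    ("memory/2252-7-0x0000000000400000-0x0000000000411000-memory.dmp", "68KB"),
    ("memory/2252-8-0x0000000000400000-0x0000000000411000-memory.dmp", "68KB"),
    ("memory/2252-10-0x0000000003080000-0x0000000003081000-memory.dmp", "4KB"),
    ("memory/2252-9-0x0000000000400000-0x0000000000411000-memory.dmp", "68KB"),
    ("memory/2252-23-0x0000000000400000-0x0000000000411000-memory.dmp", "68KB"),
    ("memory/2252-25-0x0000000000400000-0x0000000000411000-memory.dmp", "68KB"),
]


def parse_dump(name):
    """Return (pid, index, start, end, size_in_bytes) for one dump name."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return int(m["pid"]), int(m["idx"]), start, end, end - start


def human_size(n):
    """Render bytes the way the report does: whole KB below 1 MiB, else one-decimal MB."""
    return f"{n // 1024}KB" if n < 1 << 20 else f"{n / (1 << 20):.1f}MB"


def parse_size(text):
    """Inverse of human_size; approximate, but good enough for ratio comparisons."""
    m = SIZE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m[1]) * (1 << 10 if m[2] == "KB" else 1 << 20))


def check_sizes(dumps):
    """Map each dump name to whether its listed Filesize matches the address range."""
    return {name: human_size(parse_dump(name)[4]) == listed for name, listed in dumps}


def find_hollowing(processes, dumps, max_ratio=0.25):
    """Flag parent->child pairs that fit the process-hollowing pattern.

    A hit needs: child runs the same image as its parent; parent carries both the
    SetThreadContext and WriteProcessMemory signatures; child has a dumped region
    at DEFAULT_IMAGE_BASE far smaller than the on-disk image. max_ratio is an
    assumed cut-off, not a threshold the sandbox uses.
    """
    regions = defaultdict(set)  # pid -> {(start, size)}, deduplicating repeat dumps
    for name, _ in dumps:
        pid, _, start, _, size = parse_dump(name)
        regions[pid].add((start, size))

    findings = []
    for pid, proc in processes.items():
        parent = processes.get(proc["parent"])
        if parent is None or parent["image"] != proc["image"] or proc["size"] is None:
            continue
        if not NEEDED <= parent["signatures"]:
            continue
        payload = [size for start, size in regions[pid] if start == DEFAULT_IMAGE_BASE]
        if payload and payload[0] < max_ratio * parse_size(proc["size"]):
            findings.append({"parent": proc["parent"], "child": pid,
                             "image": proc["image"], "payload_bytes": payload[0]})
    return findings


if __name__ == "__main__":
    bad = [n for n, ok in check_sizes(DUMPS).items() if not ok]
    print("size mismatches:", bad or "none")
    for f in find_hollowing(PROCESSES, DUMPS):
        print(f"likely hollowing: {f['parent']} -> {f['child']} "
              f"({human_size(f['payload_bytes'])} payload at 0x{DEFAULT_IMAGE_BASE:x})")
```

On this report every listed Filesize agrees with its address range, and the only hit is 1996 -> 2252 with a 68KB payload at 0x400000; the 68KB dump for PID 2252 is therefore the region to pull for static analysis of the unpacked stealer, and the repeated dumps of the same range are collapsed into one entry rather than counted as separate regions.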