Analysis

  • max time kernel
    71s
  • max time network
    184s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    07-02-2024 04:52

General

  • Target

    b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe

  • Size

    1.6MB

  • MD5

    725a272d58c38263bac81cc348f27923

  • SHA1

    940380233efcda57a22341e09515696d6b80bc25

  • SHA256

    b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee

  • SHA512

    55d9e6a2fc3b39f8ef333cef91c9c131039a8cffd9f353c5ee68aba3c35efa4f23928196fc89a9d633413287c084ad1bd6628ba92725f8e5ee8dafca9835691c

  • SSDEEP

    24576:GubsnafAPyjSzZX6h6JbMwmULKfCgG07jgLkx0gW9Tm8nnlLclRPPYpyrQRlRdWV:YI4sMb+fZ3Px0gW9Tznnlc4IQrjWd7

Malware Config

Signatures

  • Detect Poverty Stealer Payload 1 IoCs
  • Poverty Stealer

    Poverty Stealer is a cryptocurrency-wallet and information stealer written in C++.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
    "C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        work.exe -priverdD
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3804
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetWindowsHookEx
          PID:1920
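The process tree above is a nested self-extracting archive chain: `RarSFX0` and `RarSFX1` are the `%TEMP%` extraction directories WinRAR SFX stubs create, so the submitted sample extracts `1.bat` and `work.exe`, `cmd.exe` runs the batch file, `work.exe` is itself an SFX that extracts `hftsef.exe` into a second directory, and `hftsef.exe` is the process that hides its thread from debuggers. The following is an added triage example, not part of the sandbox report: it reconstructs the ancestry of a process from a constructed, simplified set of Sysmon Event ID 1 (ProcessCreate) fields populated from the PIDs, image paths and command lines in the report (the PPID `1000` for the root processes and the `notepad.exe` control event are assumptions), scores the nested-SFX pattern, and checks a blob against the SHA256 values listed under Downloads.

```python
"""Triage of the nested WinRAR-SFX process chain shown in this report.

Added example, not part of the sandbox report. EVENTS is a constructed,
simplified subset of Sysmon Event ID 1 fields; PIDs, image paths and command
lines come from the report, PPID 1000 and the notepad.exe entry are assumed.
"""
import hashlib
import re

EVENTS = [
    {"pid": 2856, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe"'},
    {"pid": 1064, "ppid": 2856,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "'},
    {"pid": 3804, "ppid": 1064,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe",
     "cmdline": "work.exe -priverdD"},
    {"pid": 1920, "ppid": 3804,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"'},
    # Constructed benign control process (assumed, not from the report).
    {"pid": 4444, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# WinRAR SFX stubs extract into %TEMP%\RarSFX<n>\ before running their setup command.
RARSFX_DIR = re.compile(r"\\Temp\\(RarSFX\d+)\\", re.IGNORECASE)
# A .bat launched out of an SFX extraction directory (the doubled quotes are cmd's own).
BAT_IN_SFX_DIR = re.compile(r'RarSFX\d+\\[^"]+\.bat', re.IGNORECASE)


def ancestry(events, pid):
    """Walk from pid up to its root, returning the events leaf-first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def sfx_dirs(chain):
    """Distinct RarSFX directories that executables in the chain ran from."""
    dirs = set()
    for e in chain:
        m = RARSFX_DIR.search(e["image"])
        if m and e["image"].lower().endswith(".exe"):
            dirs.add(m.group(1))
    return sorted(dirs)


def analyse(events, pid):
    """Score the ancestry of pid for the nested-SFX dropper pattern."""
    chain = ancestry(events, pid)
    dirs = sfx_dirs(chain)
    bat = any(e["image"].lower().endswith("\\cmd.exe") and BAT_IN_SFX_DIR.search(e["cmdline"])
              for e in chain)
    score = 0
    if dirs:
        score += 1      # a dropped EXE executed from an SFX temp directory
    if len(dirs) >= 2:
        score += 2      # nested SFX: the dropped EXE is itself an SFX that dropped more
    if bat:
        score += 1      # the SFX setup command runs a dropped batch file via cmd.exe
    verdict = "high" if score >= 3 else "medium" if score else "none"
    return {"pids": [e["pid"] for e in chain], "sfx_dirs": dirs,
            "bat_via_cmd": bat, "score": score, "verdict": verdict}


# SHA256 values taken from the report (submitted sample and Downloads section).
KNOWN_SHA256 = {
    "b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee": "submitted sample",
    "065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2": r"RarSFX0\1.bat",
    "8b01d914e3ab190a3c305acb8b124841064d2d9f15163d193dfe7969d7f93230": r"RarSFX0\work.exe",
    "d720711e2a7717437c0116adeeb382ef61a717bc91faa90a0e06a63f9d7c763c": r"RarSFX1\hftsef.exe",
}


def known_artifact(data: bytes):
    """Return the report artifact whose SHA256 matches data, or None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for pid in (1920, 3804, 4444):
        print(analyse(EVENTS, pid))
```

The scoring deliberately keys on the chain rather than on any single event: `cmd.exe` running a batch file, or an EXE in `%TEMP%`, each occur in legitimate installers, but two distinct `RarSFX` directories in one ancestry means a dropped SFX dropped another payload, which is the shape of this report's tree. The hash table only catches these exact artifacts; new builds will change `work.exe` and `hftsef.exe`, so the chain logic is the durable part.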

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

    Filesize

    35B

    MD5

    ff59d999beb970447667695ce3273f75

    SHA1

    316fa09f467ba90ac34a054daf2e92e6e2854ff8

    SHA256

    065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

    SHA512

    d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

    Filesize

    1.4MB

    MD5

    138b89cd7998a23858a944fc0580fe45

    SHA1

    3d0c907b4b9f546f59d5a42d8b4826785907b715

    SHA256

    8b01d914e3ab190a3c305acb8b124841064d2d9f15163d193dfe7969d7f93230

    SHA512

    7380d75c60c6297f8e0742da297bec0ff425a08d7254a0758f740cc66691a40b2283e6993d2ad6ce50ee29e103d97f32ad24d81d6bdcc1a15027ec3fac958dc9

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

    Filesize

    1.1MB

    MD5

    38d71977d7eb1451e0497d888b8b40d1

    SHA1

    12abfe0a3074280d31afe0dd66066bbc550bfb50

    SHA256

    d720711e2a7717437c0116adeeb382ef61a717bc91faa90a0e06a63f9d7c763c

    SHA512

    d3150d7ba767bd1a455b0875ab70a1cc436e59dd2f88d40941f3f4605d44e72e82c106381d2706e01528159d411d3f6d3b0964bb7de58d3a26582e353d3f25b9

  • memory/1920-20-0x0000000000E70000-0x00000000011DC000-memory.dmp

    Filesize

    3.4MB

  • memory/1920-21-0x00000000032C0000-0x00000000032C1000-memory.dmp

    Filesize

    4KB

  • memory/1920-22-0x0000000000E70000-0x00000000011DC000-memory.dmp

    Filesize

    3.4MB