Analysis Overview
SHA256
a2cca73f263f0bd9e12f682a2ee3598e25403fa33a953a680062b78a52d7662c
Threat Level: Known bad
The file Installer.exe was found to be: Known bad.
Malicious Activity Summary
Poverty Stealer
Detect Poverty Stealer Payload
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 08:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 08:35
Reported
2024-02-22 09:05
Platform
win10v2004-20240221-en
Max time kernel
1799s
Max time network
1174s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A (10 identical hits; the report records no description, indicator, process or target) | N/A | N/A | N/A |
Poverty Stealer
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3564 set thread context of 3100 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| DE | 146.70.169.164:2227 | | tcp |
| US | 8.8.8.8:53 | 164.169.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/3564-0-0x0000000002400000-0x0000000002414000-memory.dmp
memory/3564-1-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3564-2-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/3564-3-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/3564-4-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/3564-5-0x0000000004C40000-0x00000000051E4000-memory.dmp
memory/3564-6-0x0000000004AC0000-0x0000000004AD4000-memory.dmp
memory/3100-9-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3564-13-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3100-14-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3100-16-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3564-15-0x0000000002600000-0x0000000004600000-memory.dmp
memory/3100-17-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3100-18-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3100-20-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3100-19-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/3100-21-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3100-22-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4476-23-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-24-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-25-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-29-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-30-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-31-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-33-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-32-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-34-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-35-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/3564-36-0x0000000002600000-0x0000000004600000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 08:35
Reported
2024-02-22 09:05
Platform
win11-20240221-en
Max time kernel
447s
Max time network
1171s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A (9 identical hits; the report records no description, indicator, process or target) | N/A | N/A | N/A |
Poverty Stealer
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1800 set thread context of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
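The SetThreadContext rows in both runs describe the same chain: Installer.exe (PID 3564 on win10v2004, PID 1800 on win11), running from the user's Temp directory, sets the thread context of a freshly started RegAsm.exe (PID 3100, then 1888) that was launched with no assembly argument, and WriteProcessMemory fires in the same run. That is the process-hollowing pattern, and it is what ties the sample to the verdict. The rows attributed to C:\Windows\system32\taskmgr.exe in behavioral1 (SCSI FriendlyName lookups, SeDebugPrivilege, GetForegroundWindow spam) describe what Task Manager does on any host; the report does not show the sample starting it, so they say nothing about the sample. The script below is an added example, this editor's code rather than the sandbox's: it correlates process records with the signature descriptions. The process records are constructed from the Processes sections; assigning PID 4476 to taskmgr.exe is an assumption (the report lists that PID only under memory dumps), and the hollowing-host list beyond RegAsm.exe is the editor's generalization.

```python
"""Correlate a sandbox process list with 'PID X set thread context of Y' rows.

Added example; the records below are constructed from the report's Processes
and Signatures sections, not taken from sandbox output.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str


# Run 1 (win10v2004): PIDs 3564 and 3100 come from the SetThreadContext row.
# PID 4476 for taskmgr.exe is an assumption: the report lists it only under memory dumps.
RUN1 = [
    Proc(3564, r"C:\Users\Admin\AppData\Local\Temp\Installer.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Installer.exe"'),
    Proc(3100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    Proc(4476, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /7'),
]
RUN1_SIGS = ["PID 3564 set thread context of 3100"]

# Run 2 (win11): same chain, PIDs 1800 and 1888.
RUN2 = [
    Proc(1800, r"C:\Users\Admin\AppData\Local\Temp\Installer.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Installer.exe"'),
    Proc(1888, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
]
RUN2_SIGS = ["PID 1800 set thread context of 1888"]

SET_CTX = re.compile(r"PID (\d+) set thread context of (\d+)")
# Directory fragments a normal Windows binary does not run from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# RegAsm.exe is the host seen in this report; the rest is the editor's list of .NET
# utilities used the same way. All of them need an argument to do real work.
HOLLOWING_HOSTS = ("regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe")


def parse_set_thread_context(description):
    """'PID 3564 set thread context of 3100' -> (3564, 3100); None for any other row."""
    m = SET_CTX.fullmatch(description.strip())
    return (int(m[1]), int(m[2])) if m else None


def cmdline_args(cmdline):
    """Everything after the (possibly quoted) image path, stripped."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        return s[close + 1:].strip() if close != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def hollowing_findings(procs, descriptions):
    """One finding per SetThreadContext edge that looks like process hollowing."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for desc in descriptions:
        edge = parse_set_thread_context(desc)
        if edge is None or edge[0] == edge[1]:
            continue  # a process changing its own threads' context is ordinary
        src, dst = by_pid.get(edge[0]), by_pid.get(edge[1])
        if src is None or dst is None:
            continue
        reasons = []
        if any(frag in src.image.lower() for frag in USER_WRITABLE):
            reasons.append("source image runs from a user-writable directory")
        host = dst.image.rsplit("\\", 1)[-1].lower()
        if host in HOLLOWING_HOSTS:
            reasons.append(f"target {host} is a .NET utility commonly used as a hollowing host")
            if not cmdline_args(dst.cmdline):
                reasons.append(f"{host} was started with no assembly argument, so it has no legitimate work")
        if reasons:
            findings.append({"source": src.pid, "target": dst.pid, "host": host, "reasons": reasons})
    return findings
```

`hollowing_findings(RUN1, RUN1_SIGS)` returns a single finding with all three reasons for 3564 -> 3100, and the same for 1800 -> 1888 in run 2; a self-directed edge such as taskmgr.exe adjusting its own threads produces nothing, which is the point of the PID check.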
Network
| Country | Destination | Domain | Proto |
| DE | 146.70.169.164:2227 | | tcp |
| US | 8.8.8.8:53 | 164.169.70.146.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
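Both detonations open one TCP session to 146.70.169.164:2227 (DE) and, beside it, a PTR query for 164.169.70.146.in-addr.arpa, which is a reverse lookup of that same address; no forward DNS lookup precedes the connection, so the address is embedded in the sample. The other PTR queries in behavioral1 and the 52.111.236.23:443 session in behavioral2 have no counterpart in the other run. A destination that recurs across two runs, on a non-standard port, with no forward lookup, is the indicator to pivot on. The script below is an added example, not part of the report: the rows are transcribed from the two Network tables, and the Suricata rule text is the editor's illustration with a placeholder sid supplied by the caller.

```python
"""Correlate PTR queries with TCP destinations across two sandbox runs.

Added example; the rows are transcribed from the report's two Network tables.
"""
import ipaddress
import re

# (country, destination, domain, proto) as the report lists them.
RUN1_NET = [
    ("US", "8.8.8.8:53", "74.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "41.110.16.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.154.82.20.in-addr.arpa", "udp"),
    ("DE", "146.70.169.164:2227", "", "tcp"),
    ("US", "8.8.8.8:53", "164.169.70.146.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "183.59.114.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.126.166.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.134.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "180.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "30.243.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "173.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "27.178.89.13.in-addr.arpa", "udp"),
]
RUN2_NET = [
    ("DE", "146.70.169.164:2227", "", "tcp"),
    ("US", "8.8.8.8:53", "164.169.70.146.in-addr.arpa", "udp"),
    ("IE", "52.111.236.23:443", "", "tcp"),
]

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$")


def ptr_to_ip(name):
    """'164.169.70.146.in-addr.arpa' -> '146.70.169.164'; None if not an IPv4 PTR name."""
    m = PTR_RE.match(name.strip())
    return ".".join(reversed(m.groups())) if m else None


def tcp_destinations(rows):
    return {dest for _, dest, _, proto in rows if proto == "tcp"}


def correlate(rows):
    """Per TCP destination: was its IP reverse-looked-up, is the port unusual, is it routable?"""
    looked_up = {ptr_to_ip(dom) for _, _, dom, proto in rows if proto == "udp"} - {None}
    result = {}
    for dest in sorted(tcp_destinations(rows)):
        ip, port = dest.rsplit(":", 1)
        result[dest] = {
            "ptr_seen": ip in looked_up,
            "nonstandard_port": int(port) not in (80, 443),
            "global": ipaddress.ip_address(ip).is_global,
        }
    return result


def recurring(*runs):
    """TCP destinations present in every detonation: the stable indicator."""
    return set.intersection(*(tcp_destinations(r) for r in runs))


def suricata_rule(dest, sid):
    """Emit an IDS rule for one destination; sid is a placeholder chosen by the caller."""
    ip, port = dest.rsplit(":", 1)
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Installer.exe sample: outbound to {ip}:{port}"; flow:to_server,established; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')
```

`recurring(RUN1_NET, RUN2_NET)` yields only `146.70.169.164:2227`, and `correlate` marks it as reverse-looked-up, on a non-standard port and globally routable; the 52.111.236.23:443 session in run 2 has none of those properties and the report gives no reason to attribute it to the sample.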
Files
memory/1800-1-0x0000000074750000-0x0000000074F01000-memory.dmp
memory/1800-0-0x00000000024F0000-0x0000000002504000-memory.dmp
memory/1800-2-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1800-4-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1800-3-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1800-5-0x0000000004C70000-0x0000000005216000-memory.dmp
memory/1800-6-0x0000000002640000-0x0000000002654000-memory.dmp
memory/1888-9-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1888-13-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1800-14-0x0000000074750000-0x0000000074F01000-memory.dmp
memory/1888-16-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1800-15-0x0000000002670000-0x0000000004670000-memory.dmp
memory/1888-18-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1888-19-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1888-20-0x0000000001600000-0x0000000001601000-memory.dmp
memory/1888-21-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1888-22-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1800-23-0x0000000002670000-0x0000000004670000-memory.dmp
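In both runs the RegAsm.exe process that received the thread context (PID 3100, then 1888) is dumped repeatedly from the same 0x00400000-0x0040A000 range, a 40 KiB region at the default image base of a non-relocated 32-bit PE, while the parent Installer.exe (3564, then 1800) carries a 32 MiB region (0x02600000-0x04600000, then 0x02670000-0x04670000) dumped twice. The script below is an added example, this editor's code rather than the sandbox's: it parses the dump names into per-PID regions so the region to carve first can be picked programmatically. Treating the 0x400000 region as the replacement image and the 32 MiB region as a staging buffer are interpretations to confirm by opening the dumps, not facts the report states.

```python
"""Parse sandbox memory-dump names (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp).

Added example for the Files sections of both runs: the names are copied from the
report; the parsing and the heuristic are this editor's, not the sandbox's.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_PE_BASE = 0x400000  # default ImageBase of a 32-bit PE that was not relocated

RUN1_DUMPS = """
memory/3564-0-0x0000000002400000-0x0000000002414000-memory.dmp
memory/3564-1-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3564-2-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/3564-3-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/3564-4-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/3564-5-0x0000000004C40000-0x00000000051E4000-memory.dmp
memory/3564-6-0x0000000004AC0000-0x0000000004AD4000-memory.dmp
memory/3100-9-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3564-13-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3100-14-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3100-16-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3564-15-0x0000000002600000-0x0000000004600000-memory.dmp
memory/3100-17-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3100-18-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3100-20-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3100-19-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/3100-21-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3100-22-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4476-23-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-24-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-25-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-29-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-30-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-31-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-33-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-32-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-34-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/4476-35-0x0000023FE4560000-0x0000023FE4561000-memory.dmp
memory/3564-36-0x0000000002600000-0x0000000004600000-memory.dmp
""".split()

RUN2_DUMPS = """
memory/1800-1-0x0000000074750000-0x0000000074F01000-memory.dmp
memory/1800-0-0x00000000024F0000-0x0000000002504000-memory.dmp
memory/1800-2-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1800-4-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1800-3-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1800-5-0x0000000004C70000-0x0000000005216000-memory.dmp
memory/1800-6-0x0000000002640000-0x0000000002654000-memory.dmp
memory/1888-9-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1888-13-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1800-14-0x0000000074750000-0x0000000074F01000-memory.dmp
memory/1888-16-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1800-15-0x0000000002670000-0x0000000004670000-memory.dmp
memory/1888-18-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1888-19-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1888-20-0x0000000001600000-0x0000000001601000-memory.dmp
memory/1888-21-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1888-22-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1800-23-0x0000000002670000-0x0000000004670000-memory.dmp
""".split()


def parse_dump(name):
    """Return {pid, seq, start, end, size} for one dump name, or None if it does not match."""
    m = DUMP_RE.match(name.strip())
    if m is None:
        return None
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def region_table(names):
    """[(pid, start, size, dump_count)] sorted by pid then address; repeated dumps collapse."""
    seqs = defaultdict(list)
    for name in names:
        d = parse_dump(name)
        if d:
            seqs[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return [(pid, start, end - start, len(s)) for (pid, start, end), s in sorted(seqs.items())]


def injected_image_candidates(names):
    """Regions at the default PE base dumped more than once: carve these first from a
    hollowed host, since a non-relocated replacement image would sit exactly there."""
    return [row for row in region_table(names) if row[1] == DEFAULT_PE_BASE and row[3] > 1]


def largest_region(names):
    """(pid, start, size) of the biggest dumped region, e.g. a staging buffer in the parent."""
    return max(((p, s, sz) for p, s, sz, _ in region_table(names)), key=lambda r: r[2], default=None)
```

`injected_image_candidates(RUN1_DUMPS)` returns the single 0xA000-byte region in PID 3100, dumped eight times, and the equivalent region in PID 1888 for run 2 (seven dumps); `largest_region` picks the 0x2000000-byte block in the parent in both runs. The one-page dumps of PID 4476 (the high 0x23FE... address in behavioral1) collapse to a single row and drop out of both heuristics.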