Malware Analysis Report

2024-10-23 17:19

Sample ID 240304-v9cjxage6s
Target Photoshop.exe
SHA256 d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d
Tags
povertystealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d

Threat Level: Known bad

The file Photoshop.exe was found to be: Known bad.

Malicious Activity Summary

povertystealer stealer

Detect Poverty Stealer Payload

Poverty Stealer

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 17:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 17:40

Reported

2024-03-04 17:45

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Photoshop.exe"

Signatures

Detect Poverty Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Poverty Stealer

stealer povertystealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Photoshop.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3576 set thread context of 216 N/A C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4564 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\Photoshop.exe C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\Photoshop.exe C:\Windows\system32\cmd.exe
PID 4464 wrote to memory of 3432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 4464 wrote to memory of 3432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 4464 wrote to memory of 3740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 3740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4464 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4464 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4464 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
PID 4464 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
PID 4464 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
PID 3576 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3576 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3576 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3576 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3576 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Photoshop.exe

"C:\Users\Admin\AppData\Local\Temp\Photoshop.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p125762329330388294023250819845 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "nmYIeCI7gcMH.exe"

C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe

"nmYIeCI7gcMH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 188.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.17.5.133:80 www.microsoft.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
GB 2.17.5.133:80 www.microsoft.com tcp
US 8.8.8.8:53 133.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 joxi.net udp
US 104.21.73.118:80 joxi.net tcp
US 104.21.73.118:443 joxi.net tcp
US 8.8.8.8:53 118.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
DE 146.70.169.164:2227 tcp
US 8.8.8.8:53 164.169.70.146.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 12b875e85a885c81bc04161e9df9151a
SHA1 7d9e32a575e487611abb182b4d89b1ab4f4e7a06
SHA256 97e80e083ba83a031bb03097cd81d86708165cd7eb1c070782e6a7234de784a5
SHA512 3ba38a4024287bcaeee208a1c0158fae73a86d5581cf566309985bbd204e810eb5fd099a1816a9326c9e25bb08a2da20f2a4884978eb4e4ed8a3762c1057d0ca

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 afaebf70e6daf7bf2e07cd11f93ee4a1
SHA1 4e8b08b3e50f860955bd00d16fc1653c07b7c608
SHA256 4a9d76fb9d77efaf81616e750b928ba3955599acafb2c0fec0d7ce412db0f47b
SHA512 4db3a63f03f8816b85fdb905e2a2f08967f9f3735206f08f2cae8b8cd561e8563d2f92c188d32b94fdb6d472e07c5f41f54e26673f8a81449454225220ba397f

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 9e57c6bb6dfb456cd9907844b7afafbd
SHA1 daee76439ed4cd77192dc5c2d52b187f18e5ba99
SHA256 729dbb0bd855dc1c1cf59366f49e29cb2b6e0d1279270924d2b131d7df749eab
SHA512 3a99dae0a7c4ac47c5143dd6ada9a485cf115d3d9b172c3ba6d0847d6848e41defccd3a4eaf1b44c3ae46820c2164127b4e1ceaa5e07a8028e9b38f823a5960b

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 4ab6b1ed8f26df37c531a80147982511
SHA1 25d59710197c30eee836096dfcce139ba84f978a
SHA256 33f73488015443cc05fa02d1c0723921502de5cac3206cf9fc433472a2afb162
SHA512 a582e4cd93baf45b48aad086ffc5edab4ec899cbd029e9e740e93cf34a2aff492f14c92ed2efc0339fc4eed979311600007fca3075abda28232d9d351dd49e24

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 aad3ef70ef5b94a35d947e3610897dda
SHA1 c79356fa52ab359e2b5fb66881d406e1941832d6
SHA256 dd1ae4f1c0f588dd5fd3bba19ed784c0cd5b95ff4e9dd976bb815cb842840a25
SHA512 e5c42f2302e4b079dc63fa38310663b5fd43520d97bd82eb7aa1dd5e98aa1474dd1d5cf47ef22a8dd95e0ca28ff12de24582d62cdb903132a809b069e26a19b4

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 210ee7f34c0ff268d33d598a49eb889a
SHA1 876dea438f3f365513159630a12a2192fecd8b7f
SHA256 9d8ee7edf36676633d624774cb194a45ef8ae286cb5e9591d46c20be57a9282f
SHA512 383bb66f996b858d4ef23eed2264c4f890d47aca7b3da88587e3bb6454183f8d35e44411b08eecafe3fbb0638610cd872d1d00402dd8ff0b660102a44b53bcb1

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 763cb011f068f184a672e254d3ce3c39
SHA1 59eb148e6ad321cac5396e6a58c1528f7932befb
SHA256 d25782f4a9573c40747458b6916e9332b34a349b3011ec85dd5d11a583a87105
SHA512 530b8c0ad90b53f38cd56ffaf3766f33167c9922e55f8485ca87019275730c94dd6a84a1d9578163c45bae2743cf6981041f9ccc97ceb822f8d607f94a0c1d28

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 5f79b89dbaf23387caa818b0da7b8ea2
SHA1 3c38d94819331fd551c07048841cfe6ecbf29e18
SHA256 7abc58d9dd3dee48f88629c8dcaf12e72a337f8bf1dbce59d464ab6ed698b726
SHA512 a6381f3b0d3184ab098e9a40ca65dd1cec76cb7e0cfe13a5c2d188e4c8e6d077286c70a366ad6ffc7e7f68faa6240a730b7034fcaa00d1c1f0922e42c1edb8fc

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 47e8ed572da00474326b4cee8f85b005
SHA1 94bceabdc880c41d73d6c984a9d61c31dd29ce91
SHA256 abd52eb132c8c23669233a656f036a0e07692efd398894b724b61b66a75564af
SHA512 31da04b57f0ef1b3363a3fa4855ca576d9159d374de0d2d9defb5524e67fed740441dcc2245a246daecab6260a419c02a32770ee9be53a2ddbede9dd4848d624

C:\Users\Admin\AppData\Local\Temp\main\extracted\nmYIeCI7gcMH.exe

MD5 53c6cf5bf9ce4922b3dc9bf9cc2374a2
SHA1 b9a0d229a47fadaaa0898d32dce3aac279ac8569
SHA256 2bb1a0a95249e3bcca1fdfc740bc91df10dc9c8cd834707a0b5a31883eb6867e
SHA512 d323cfdfc3db5c5ce70ba572c0c657def11c3b36703a029977f5c5ddfdb278dfd1eea8950686d7a566dcd550aa0c854ceb035e6e67fcb377a8fc50dc4e0cd64c

memory/3576-64-0x0000000001200000-0x0000000001300000-memory.dmp

memory/216-63-0x0000000000400000-0x000000000040A000-memory.dmp

memory/216-70-0x0000000000400000-0x000000000040A000-memory.dmp

memory/216-71-0x0000000000400000-0x000000000040A000-memory.dmp

memory/216-72-0x0000000000400000-0x000000000040A000-memory.dmp

memory/216-75-0x0000000002CF0000-0x0000000002CF1000-memory.dmp