Analysis
- max time kernel: 142s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-03-2024 17:53
Static task: static1
Behavioral task: behavioral1 (Sample: Photoshop.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: Photoshop.exe, Resource: win10v2004-20240226-en)
General
- Target: Photoshop.exe
- Size: 3.0MB
- MD5: a8048bd6fc7d336d7f6e0fd6800da673
- SHA1: f28db14f2884ac1db0ce53a7ec7bee572541d902
- SHA256: d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d
- SHA512: 570d1ac52dcb8f6c67983a4af99fece9f47e03beba83b9b2c95ce544f5b5f40c8c7e46019f5e106b258de2affee91988053dbab9e777e1c115d3803513eea066
- SSDEEP: 49152:zR5PaMqlX9BK+ndEBk6/HOg7wFXW3zrFlvmh+JJRV8EeCrXy7295sAZub1R:zR59qtaBk0HOXXWHbbbrNub
Signatures
- Detect Poverty Stealer Payload (6 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3048-64-0x0000000000790000-0x000000000079A000-memory.dmp | family_povertystealer
  behavioral2/memory/3048-70-0x0000000000790000-0x000000000079A000-memory.dmp | family_povertystealer
  behavioral2/memory/3048-71-0x0000000000790000-0x000000000079A000-memory.dmp | family_povertystealer
  behavioral2/memory/3048-72-0x0000000000790000-0x000000000079A000-memory.dmp | family_povertystealer
  behavioral2/memory/3048-73-0x0000000000790000-0x000000000079A000-memory.dmp | family_povertystealer
  behavioral2/memory/3048-75-0x0000000000790000-0x000000000079A000-memory.dmp | family_povertystealer
- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Photoshop.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Photoshop.exe
- Executes dropped EXE (7 IoCs)
  Processes:
  pid | process
  1704 | 7z.exe
  2876 | 7z.exe
  3572 | 7z.exe
  1972 | 7z.exe
  4604 | 7z.exe
  1304 | 7z.exe
  3364 | nmYIeCI7gcMH.exe
- Loads dropped DLL (6 IoCs)
  Processes:
  pid | process
  1704 | 7z.exe
  2876 | 7z.exe
  3572 | 7z.exe
  1972 | 7z.exe
  4604 | 7z.exe
  1304 | 7z.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: nmYIeCI7gcMH.exe
  description | pid | process | target process
  PID 3364 set thread context of 3048 | 3364 | nmYIeCI7gcMH.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: 7z.exe
  pid | process | tokens adjusted (in order)
  1704 | 7z.exe | SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  2876 | 7z.exe | SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  3572 | 7z.exe | SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  1972 | 7z.exe | SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  4604 | 7z.exe | SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  1304 | 7z.exe | SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: Photoshop.exe, cmd.exe, nmYIeCI7gcMH.exe
  description | pid | process | target process | occurrences
  PID 5108 wrote to memory of 4576 | 5108 | Photoshop.exe | cmd.exe | 2
  PID 4576 wrote to memory of 4768 | 4576 | cmd.exe | mode.com | 2
  PID 4576 wrote to memory of 1704 | 4576 | cmd.exe | 7z.exe | 2
  PID 4576 wrote to memory of 2876 | 4576 | cmd.exe | 7z.exe | 2
  PID 4576 wrote to memory of 3572 | 4576 | cmd.exe | 7z.exe | 2
  PID 4576 wrote to memory of 1972 | 4576 | cmd.exe | 7z.exe | 2
  PID 4576 wrote to memory of 4604 | 4576 | cmd.exe | 7z.exe | 2
  PID 4576 wrote to memory of 1304 | 4576 | cmd.exe | 7z.exe | 2
  PID 4576 wrote to memory of 2832 | 4576 | cmd.exe | attrib.exe | 2
  PID 4576 wrote to memory of 3364 | 4576 | cmd.exe | nmYIeCI7gcMH.exe | 3
  PID 3364 wrote to memory of 3048 | 3364 | nmYIeCI7gcMH.exe | RegSvcs.exe | 5
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\Photoshop.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Photoshop.exe"
  PID: 5108
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    PID: 4576
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode 65,10
      PID: 4768
    - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e file.zip -p125762329330388294023250819845 -oextracted
      PID: 1704
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e extracted/file_5.zip -oextracted
      PID: 2876
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e extracted/file_4.zip -oextracted
      PID: 3572
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e extracted/file_3.zip -oextracted
      PID: 1972
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e extracted/file_2.zip -oextracted
      PID: 4604
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e extracted/file_1.zip -oextracted
      PID: 1304
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\attrib.exe
      Command line: attrib +H "nmYIeCI7gcMH.exe"
      PID: 2832
      Signatures: Views/modifies file attributes
    - C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
      Command line: "nmYIeCI7gcMH.exe"
      PID: 3364
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        PID: 3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
  PID: 1812
Downloads