Analysis
- max time kernel: 155s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-03-2024 02:49
Static task: static1
Behavioral task: behavioral1
  Sample: d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe
  Resource: win10v2004-20240226-en
General
- Target: d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe
- Size: 3.0MB
- MD5: a8048bd6fc7d336d7f6e0fd6800da673
- SHA1: f28db14f2884ac1db0ce53a7ec7bee572541d902
- SHA256: d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d
- SHA512: 570d1ac52dcb8f6c67983a4af99fece9f47e03beba83b9b2c95ce544f5b5f40c8c7e46019f5e106b258de2affee91988053dbab9e777e1c115d3803513eea066
- SSDEEP: 49152:zR5PaMqlX9BK+ndEBk6/HOg7wFXW3zrFlvmh+JJRV8EeCrXy7295sAZub1R:zR59qtaBk0HOXXWHbbbrNub
Malware Config
Signatures
- Detect Poverty Stealer Payload (4 IoCs)
  Memory dumps matching yara rule family_povertystealer:
  - behavioral2/memory/1572-64-0x0000000000400000-0x000000000040A000-memory.dmp
  - behavioral2/memory/1572-70-0x0000000000400000-0x000000000040A000-memory.dmp
  - behavioral2/memory/1572-71-0x0000000000400000-0x000000000040A000-memory.dmp
  - behavioral2/memory/1572-72-0x0000000000400000-0x000000000040A000-memory.dmp
- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (7 IoCs)
  PID / process: 5048 7z.exe, 2688 7z.exe, 3832 7z.exe, 4908 7z.exe, 1188 7z.exe, 1564 7z.exe, 456 nmYIeCI7gcMH.exe
- Loads dropped DLL (6 IoCs)
  PID / process: 5048 7z.exe, 2688 7z.exe, 3832 7z.exe, 4908 7z.exe, 1188 7z.exe, 1564 7z.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 456 nmYIeCI7gcMH.exe set thread context of PID 1572 RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Each 7z.exe instance (PIDs 5048, 2688, 3832, 4908, 1188, 1564) adjusted the same four tokens, in order: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (26 IoCs)
  Source PID / process wrote to memory of target PID / process (count):
  - 3532 d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe -> 1744 cmd.exe (2)
  - 1744 cmd.exe -> 2480 mode.com (2)
  - 1744 cmd.exe -> 5048 7z.exe (2)
  - 1744 cmd.exe -> 2688 7z.exe (2)
  - 1744 cmd.exe -> 3832 7z.exe (2)
  - 1744 cmd.exe -> 4908 7z.exe (2)
  - 1744 cmd.exe -> 1188 7z.exe (2)
  - 1744 cmd.exe -> 1564 7z.exe (2)
  - 1744 cmd.exe -> 4196 attrib.exe (2)
  - 1744 cmd.exe -> 456 nmYIeCI7gcMH.exe (3)
  - 456 nmYIeCI7gcMH.exe -> 1572 RegSvcs.exe (5)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe"
  PID: 3532
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    PID: 1744
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\system32\mode.com
      Command line: mode 65,10
      PID: 2480
    Depth 3: C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e file.zip -p125762329330388294023250819845 -oextracted
      PID: 5048
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
    Depth 3: C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e extracted/file_5.zip -oextracted
      PID: 2688
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
    Depth 3: C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e extracted/file_4.zip -oextracted
      PID: 3832
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
    Depth 3: C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e extracted/file_3.zip -oextracted
      PID: 4908
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
    Depth 3: C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e extracted/file_2.zip -oextracted
      PID: 1188
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
    Depth 3: C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Command line: 7z.exe e extracted/file_1.zip -oextracted
      PID: 1564
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
    Depth 3: C:\Windows\system32\attrib.exe
      Command line: attrib +H "nmYIeCI7gcMH.exe"
      PID: 4196
      - Views/modifies file attributes
    Depth 3: C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
      Command line: "nmYIeCI7gcMH.exe"
      PID: 456
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        PID: 1572
Depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2528 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
  PID: 4796
Network
MITRE ATT&CK Enterprise v15
Downloads