Analysis
-
max time kernel
1570s -
max time network
1599s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
11-03-2024 14:03
General
-
Target
sysvol.exe
-
Size
1.8MB
-
MD5
03fa96650130466d43c4b486c615294a
-
SHA1
88650e99ae745097810f096035a3272455e0b708
-
SHA256
15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4
-
SHA512
c0583e46f845e6a53a559ca4658d7203a921ff9fabb8a5cee20551e80f056d2def72c112921968435a3e30bb0dcd08bb824159f1bca1bcfa137bf3ee3263115f
-
SSDEEP
49152:gwsPtT+HW9zDL6axnzPmZ/lqTpv9Dasv3xzHM3kCJwf:gwMtSAXL68nzgITZBfxxCW
Malware Config
Signatures
-
Detect Poverty Stealer Payload 1 IoCs
-
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
GoLang User-Agent 10 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\sysvol.exe"C:\Users\Admin\AppData\Local\Temp\sysvol.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 320464⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond + Alot 32046\Enters.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Disco 32046\r4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\32046\Enters.pif32046\Enters.pif 32046\r4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\32046\Enters.pifC:\Users\Admin\AppData\Local\Temp\32046\Enters.pif2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWoW64\calc.exeC:\Windows\SysWoW64\calc.exe3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWoW64\calc.exeC:\Windows\SysWoW64\calc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\SysWoW64\calc.exe\" }"4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5bfa84dbde0df8f1cad3e179bd46a6e34
SHA106ae3c38d4b2f8125656268925ebde9eca6a1f9e
SHA2566de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314
SHA512edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a
-
Filesize
258KB
MD5bde17ad7c1841f36662a1241e1b6b128
SHA1ce2f0b19da0651edbc1ec39da4b2c487970206aa
SHA25648bd22986a35562067231d88f73f6a695290ae77fe09865ad1e94807f019fc72
SHA512f24a5aa2c8609271c8b26c0eaf8a7d09b1697e969a4cb4b6c9b03858f98b681d52dac6fa2817ff20e00c5748007840180be59273296ca1be4f94bbfa173b2260
-
Filesize
45KB
MD50c257b9edbcc7f41af6e1027bc0713ee
SHA12149a7bb22476f85610c842c34628b2f22d8a549
SHA2567ac226e081d090f2e3cb99104b4226fcd5e77cb83f7edb23081c1a2bd376533c
SHA512f98b584e5112a81336ad4d7f2a1a4066028fc0c9d7a0b5b148172bd4c9a0485983ea868522a61999415837fdbd73401cb703138729e03831dc39bbe6c1f3f25b
-
Filesize
13KB
MD5a0d9b89b48e8fc49b82d019ee8500484
SHA15ca4d2e68d734e2314bc226f0bd6b5c04e0bdac3
SHA256f231fe2acf36b89ade78b80eb336650de0e4a7e9bfee25e70bce55a93c77e02a
SHA5121ac26f3815f4477a1ba6e73fe90587952fda18dd4da2ccd201bb5a36eebbe76270ace8b5f8764e279568ed394e5bdcf9ee10a429ad6c76f9b462c37043034fe5
-
Filesize
161KB
MD5da2be5607513a22a9d61d9538f5f0636
SHA1e77975bb6f507b4089409a06ab2226a6d54bfefd
SHA256640dd32f2764bdb5c0578093a02e828ff53e18d397512a1992bba583d1d2e648
SHA5121f432b70928e2b41fe74427e086bca411c88710adba700c32bc6089d02684edd04859503269b95bfa64be7439ebbfd41d928d9a464717517db18e68bc3eb63f4
-
Filesize
2.8MB
MD58de31c24cb7fe99ff6348875de7cd146
SHA18e2afafc129d1ddfc6de010029bb867f1708c6f6
SHA256dc30e0b588b256bd593502a28b6ce43f0da029b38fd70408b19b415d219066df
SHA5126a20368a0cbc03e25fb699815f584727c050f4b583ff8ee467e4a03ce4123c29d2f90dc8a4745831f5bc860b7deaa68a2bc19364c46bfe136956d265539ac133
-
Filesize
261KB
MD58a83e45fdfd2f28ef8210428fecdef9c
SHA1db669761c961b72e7771cd8317c582ef8e48ddd1
SHA2567e9d688abe2dd7d1ac4796a62d9e816d8c3efe719f2de72ce6c49221e027d2a7
SHA51274dff439e42139117e9d384cb6323039683aaf5c18ed71285eec65d215eb4bf4a4c3e284231f1e7da6af9147606e9ccf13f081fb84f7f311f4e444878a7ab1e2
-
Filesize
194KB
MD54d21c2eec34495a74f67de9c7944bff3
SHA1f9241a3fc121e397e23d6f3d07a3ee24b14137c2
SHA256647a49b0eab7039c74d69e4142ed1be7f01afe9cbd6483d01039cf5b289973da
SHA5128091201ebe4c08b105e558d2085aed1e90366ce289effa3e2d2a6b51d9364f1f68e3c1d8e54502931800a34d469152bb615e688d7563ac8b299de02c7161110c
-
Filesize
108KB
MD553c678fa488852a4533e20624a3f4ac2
SHA122af659f0f7b6f09e3780ecafa87dff857c29707
SHA25633f67ac58e056d541e9ffc261620bb6069bc3bdc0690cf6b1b4402cf64476da4
SHA51279f7f93f9bc6b731bed2a69868cf2451b4c255fda7500914e8a0580b0fa6a8d468b2a2ec27c01f9b007e0addf9b5bc1abd569edeea16496464461cb09cb71fd7
-
Filesize
166KB
MD5bc70f3222d729f92658b32a28c6d7375
SHA18591ee5231e1efcf3eadc507909ec98b2cf29614
SHA2565f9ba61683e3b51ca21cb15674306b7c58b62ee68210d96ecf8fb00b1d396a2f
SHA51210e7738f01e40321e305f89115df545c29a60bad47b91fca651cec8d1dcacb4551c72f838ac0a10f7d5739090d042ac429c85ebced5056809d0251d8c909f3c6
-
Filesize
111KB
MD51624046c22d7d232e3ad77d456743551
SHA16ac978fe79d62baec9626ae3d18e2263ea91ede7
SHA2560795d6a6fdc1bac55de379cd7f33e4440dc3645e748f91d2b3b4dddf38a8635a
SHA512da89fc52fab7905d82fd1d9abb92ba53ec5f93f1ed296acab297aeeb8ce0b708052f8b519300926323001274d769b859778fbb7e736375f6e7c196f6287dcdc3
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
1.7MB
-
Filesize
12KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
112KB
-
Filesize
6.9MB
-
Filesize
472KB
-
Filesize
592KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
4KB