Analysis
-
max time kernel
1764s -
max time network
1771s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
11-03-2024 14:03
General
-
Target
sysvol.exe
-
Size
1.8MB
-
MD5
03fa96650130466d43c4b486c615294a
-
SHA1
88650e99ae745097810f096035a3272455e0b708
-
SHA256
15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4
-
SHA512
c0583e46f845e6a53a559ca4658d7203a921ff9fabb8a5cee20551e80f056d2def72c112921968435a3e30bb0dcd08bb824159f1bca1bcfa137bf3ee3263115f
-
SSDEEP
49152:gwsPtT+HW9zDL6axnzPmZ/lqTpv9Dasv3xzHM3kCJwf:gwMtSAXL68nzgITZBfxxCW
Malware Config
Signatures
-
Detect Poverty Stealer Payload 1 IoCs
-
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
GoLang User-Agent 18 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\sysvol.exe"C:\Users\Admin\AppData\Local\Temp\sysvol.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 322164⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond + Alot 32216\Enters.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Disco 32216\r4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\32216\Enters.pif32216\Enters.pif 32216\r4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\32216\Enters.pifC:\Users\Admin\AppData\Local\Temp\32216\Enters.pif2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWoW64\calc.exeC:\Windows\SysWoW64\calc.exe3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWoW64\calc.exeC:\Windows\SysWoW64\calc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\SysWoW64\calc.exe\" }"4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5bfa84dbde0df8f1cad3e179bd46a6e34
SHA106ae3c38d4b2f8125656268925ebde9eca6a1f9e
SHA2566de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314
SHA512edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a
-
Filesize
2.8MB
MD58de31c24cb7fe99ff6348875de7cd146
SHA18e2afafc129d1ddfc6de010029bb867f1708c6f6
SHA256dc30e0b588b256bd593502a28b6ce43f0da029b38fd70408b19b415d219066df
SHA5126a20368a0cbc03e25fb699815f584727c050f4b583ff8ee467e4a03ce4123c29d2f90dc8a4745831f5bc860b7deaa68a2bc19364c46bfe136956d265539ac133
-
Filesize
45KB
MD50c257b9edbcc7f41af6e1027bc0713ee
SHA12149a7bb22476f85610c842c34628b2f22d8a549
SHA2567ac226e081d090f2e3cb99104b4226fcd5e77cb83f7edb23081c1a2bd376533c
SHA512f98b584e5112a81336ad4d7f2a1a4066028fc0c9d7a0b5b148172bd4c9a0485983ea868522a61999415837fdbd73401cb703138729e03831dc39bbe6c1f3f25b
-
Filesize
13KB
MD5a0d9b89b48e8fc49b82d019ee8500484
SHA15ca4d2e68d734e2314bc226f0bd6b5c04e0bdac3
SHA256f231fe2acf36b89ade78b80eb336650de0e4a7e9bfee25e70bce55a93c77e02a
SHA5121ac26f3815f4477a1ba6e73fe90587952fda18dd4da2ccd201bb5a36eebbe76270ace8b5f8764e279568ed394e5bdcf9ee10a429ad6c76f9b462c37043034fe5
-
Filesize
161KB
MD5da2be5607513a22a9d61d9538f5f0636
SHA1e77975bb6f507b4089409a06ab2226a6d54bfefd
SHA256640dd32f2764bdb5c0578093a02e828ff53e18d397512a1992bba583d1d2e648
SHA5121f432b70928e2b41fe74427e086bca411c88710adba700c32bc6089d02684edd04859503269b95bfa64be7439ebbfd41d928d9a464717517db18e68bc3eb63f4
-
Filesize
15KB
MD5106d5bf8c747cb5a0310ae87bf9902c7
SHA153e0bd09597e96ebd71b15ff01b5b7567df489b4
SHA256d3d61b430f7e8e91c29107888c3aba78644fde65468df3f4cd3ea771dac1af62
SHA512bfb6d6bf78ae67d292701eee4408dd2064b3ab6c81426002900823847f1c74cceaf54ca32ee11db9b69d1dbffa5cf89d71809f195701a09294fb49c8639162b4
-
Filesize
261KB
MD58a83e45fdfd2f28ef8210428fecdef9c
SHA1db669761c961b72e7771cd8317c582ef8e48ddd1
SHA2567e9d688abe2dd7d1ac4796a62d9e816d8c3efe719f2de72ce6c49221e027d2a7
SHA51274dff439e42139117e9d384cb6323039683aaf5c18ed71285eec65d215eb4bf4a4c3e284231f1e7da6af9147606e9ccf13f081fb84f7f311f4e444878a7ab1e2
-
Filesize
108KB
MD553c678fa488852a4533e20624a3f4ac2
SHA122af659f0f7b6f09e3780ecafa87dff857c29707
SHA25633f67ac58e056d541e9ffc261620bb6069bc3bdc0690cf6b1b4402cf64476da4
SHA51279f7f93f9bc6b731bed2a69868cf2451b4c255fda7500914e8a0580b0fa6a8d468b2a2ec27c01f9b007e0addf9b5bc1abd569edeea16496464461cb09cb71fd7
-
Filesize
115KB
MD523293056e8c481306987d68f78e88202
SHA164f34b9647f0433567e2e364f283cd228acf3d5f
SHA256bff15ce4016dfb6ce301818c7507d9abd218217d17dd07fa1823c06832ba7d97
SHA51210e77ba73f9696a0a36144261ef901ba0ac329a465d5b20e9f8e77e7b5fb1de60adde593458d6752eaa2ae0b1c6298618eabbdba8f82f48a7773d54c25b2e570
-
Filesize
111KB
MD51624046c22d7d232e3ad77d456743551
SHA16ac978fe79d62baec9626ae3d18e2263ea91ede7
SHA2560795d6a6fdc1bac55de379cd7f33e4440dc3645e748f91d2b3b4dddf38a8635a
SHA512da89fc52fab7905d82fd1d9abb92ba53ec5f93f1ed296acab297aeeb8ce0b708052f8b519300926323001274d769b859778fbb7e736375f6e7c196f6287dcdc3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
216KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
12KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB