Analysis

  • max time kernel
    94s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-07-2024 01:40

General

  • Target

    82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe

  • Size

    740KB

  • MD5

    b9a2922c33a07f381ab2765ad7c09ccb

  • SHA1

    8beba7166d8a50cbbd22e9999c6f446d0759943a

  • SHA256

    82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989

  • SHA512

    855c91db9fb21f90d2eefb0ee2222b99049dbdda356a1004831364960356dafacf1fffc93609fde9c3883b9fcdf9e957811e0a3676fa31f91f6e13068cd38f51

  • SSDEEP

    12288:lCV86nofv3fNIGJpIlOrIhYW6NappxuBguALkPSoakQ91YlcM4Ai5H6vDmKiY98j:lyFnoXfNIApwhYVepeALkPgkQ/rrAiRN

Malware Config

Signatures

  • Detect Poverty Stealer payload (5 IoCs)
  • Poverty Stealer

    Poverty Stealer is a cryptocurrency and information stealer written in C++.

  • Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself (1 IoC)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)
  • Enumerates processes with tasklist (1 TTP, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (40 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (33 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3464
    • C:\Users\Admin\AppData\Local\Temp\82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe
      "C:\Users\Admin\AppData\Local\Temp\82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Properties Properties.cmd & Properties.cmd & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4008
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1704
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:3972
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2076
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:4984
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 197815
          4⤵
          PID:916
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "CARLFAMILIESPATIENTSAGED" Gaps
          4⤵
          PID:1500
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Renew 197815\D
          4⤵
          PID:4064
        • C:\Users\Admin\AppData\Local\Temp\197815\Valve.pif
          197815\Valve.pif 197815\D
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Deletes itself
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:5100
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:1536
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberPanther.url" & echo URL="C:\Users\Admin\AppData\Local\SecureScope Dynamics\CyberPanther.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberPanther.url" & exit
      2⤵
      • Drops startup file
      PID:3952
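The process tree is the part of this report a detection engineer acts on: a dropped file is renamed to .cmd and run in the same command line, tasklist output is filtered through findstr for security-product process names, a .pif is executed from a numbered staging directory under Temp, a timeout is used as a delay, and a .url shortcut is written into the Startup folder (the writing cmd.exe sits at depth 2 under Explorer while Valve.pif carries the NtCreateUserProcessOtherParentProcess signature). The Python script below is an added example and is not part of the sandbox report or the sandbox's own signature logic. It embeds the command lines from the Processes section as constructed sample input, runs them through pattern checks for those behaviours, then replays the two echo redirections to reconstruct CyberPanther.url and checks where it points. Rule names, regular expressions and helper names are this example's own, not sandbox identifiers.

```python
"""
Replay of the Processes section through a few behaviour checks.
Added example, not part of the sandbox report: command lines are copied from the
report; rule names, regexes and helpers are this example's own (assumptions).
"""
import re
from typing import Dict, List, Tuple

# (pid, tree depth, command line) as recorded in the report's Processes section.
PROCESS_TREE: List[Tuple[int, int, str]] = [
    (3940, 2, r'"C:\Users\Admin\AppData\Local\Temp\82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe"'),
    (4008, 3, r'"C:\Windows\System32\cmd.exe" /k move Properties Properties.cmd & Properties.cmd & exit'),
    (1704, 4, 'tasklist'),
    (3972, 4, 'findstr /I "wrsa.exe opssvc.exe"'),
    (2076, 4, 'tasklist'),
    (4984, 4, 'findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"'),
    (916, 4, 'cmd /c md 197815'),
    (1500, 4, 'findstr /V "CARLFAMILIESPATIENTSAGED" Gaps'),
    (4064, 4, r'cmd /c copy /b Renew 197815\D'),
    (5100, 4, r'197815\Valve.pif 197815\D'),
    (1536, 4, 'timeout 5'),
    (3952, 2, r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberPanther.url" & echo URL="C:\Users\Admin\AppData\Local\SecureScope Dynamics\CyberPanther.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberPanther.url" & exit'),
]

# Process names the sample's two findstr filters search the tasklist output for.
AV_PROCESSES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
                "bdservicehost.exe", "nswscsvc.exe", "sophoshealth.exe"}
# Extensions a Startup-folder .url should never point at on the local disk.
SCRIPT_EXTS = (".js", ".vbs", ".wsf", ".cmd", ".bat", ".ps1", ".exe", ".pif", ".scr")

RULES = [
    ("process_enumeration", re.compile(r'^\s*"?tasklist(\.exe)?"?\b', re.I)),
    # `move X X.cmd & X.cmd`: rename a dropped file to .cmd and run it in one line.
    ("rename_and_run", re.compile(r"\bmove\s+(\S+)\s+\1\.(cmd|bat)\s*&\s*\1\.\2\b", re.I)),
    ("timeout_delay", re.compile(r"^\s*timeout(\.exe)?\s+(/t\s+)?\d+", re.I)),
    # findstr /V "<long marker>" file: drop marker lines from a dropped file (cmd redirects the output).
    ("line_filter_rebuild", re.compile(r'\bfindstr\s+/V\s+"[A-Za-z]{8,}"\s+\S+', re.I)),
    ("binary_concat", re.compile(r"\bcopy\s+/b\b", re.I)),
    ("pif_execution", re.compile(r'^\s*"?[^\s"]*\.pif"?(\s|$)', re.I)),
    ("startup_url_persistence", re.compile(r'\\Startup\\[^"&]*\.url', re.I)),
]
ECHO_REDIRECT = re.compile(r'echo\s+(.*?)\s*(>>|>)\s*"?([^"]+?)"?\s*$', re.I)

def av_check_targets(cmdline: str) -> List[str]:
    """Security-product process names a `findstr "<names>"` filter is looking for."""
    m = re.match(r'\s*"?findstr(\.exe)?"?\s+(/\S+\s+)*"([^"]+)"', cmdline, re.I)
    if not m:
        return []
    return [t for t in m.group(3).lower().split() if t in AV_PROCESSES]

def triage(tree: List[Tuple[int, int, str]] = PROCESS_TREE) -> Dict[int, List[str]]:
    """Map each pid to the rule names its command line matches."""
    findings: Dict[int, List[str]] = {}
    for pid, _depth, cmdline in tree:
        tags = [name for name, rx in RULES if rx.search(cmdline)]
        if av_check_targets(cmdline):
            tags.append("av_process_check")
        findings[pid] = tags
    return findings

def reconstruct_echo_writes(cmdline: str) -> Dict[str, str]:
    """Replay `echo ... > file` / `echo ... >> file` segments to recover what cmd wrote."""
    files: Dict[str, str] = {}
    for segment in cmdline.split(" & "):
        m = ECHO_REDIRECT.search(segment)
        if not m:
            continue
        text, op, path = m.groups()
        files[path] = (files.get(path, "") if op == ">>" else "") + text + "\n"
    return files

def parse_internet_shortcut(content: str) -> str:
    """Return the URL= value of an [InternetShortcut] file, without surrounding quotes."""
    in_section = False
    for line in content.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip().strip('"')
    return ""

def shortcut_points_to_local_script(target: str) -> bool:
    """True when a .url target is a script/executable under a local AppData path."""
    t = target.lower()
    return re.match(r"[a-z]:\\", t) is not None and "\\appdata\\" in t and t.endswith(SCRIPT_EXTS)

if __name__ == "__main__":
    for pid, tags in triage().items():
        print(f"PID {pid}: {', '.join(tags) or '-'}")
    for path, body in reconstruct_echo_writes(PROCESS_TREE[-1][2]).items():
        target = parse_internet_shortcut(body)
        print(f"{path} -> {target} (local script: {shortcut_points_to_local_script(target)})")
```

The patterns are written against the exact spellings this sample used (`/I`, `/V`, a single long alphabetic marker, a relative `.pif` path); when porting them to a SIEM, widen them to the switch and quoting variants cmd.exe accepts and key the `.pif` rule on the image path rather than the command line. The shortcut check flags any Startup `.url` whose target is a local script or executable under AppData, which is the behaviour this report labels "Drops startup file".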

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Temp\197815\Valve.pif

                Filesize

                915KB

                MD5

                b06e67f9767e5023892d9698703ad098

                SHA1

                acc07666f4c1d4461d3e1c263cf6a194a8dd1544

                SHA256

                8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

                SHA512

                7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

              • C:\Users\Admin\AppData\Local\Temp\Amenities

                Filesize

                32KB

                MD5

                c18ed82ea8c7d9081f167373d5a765d9

                SHA1

                1706e8d276343f799a21e9ae08e77f0424aea339

                SHA256

                70d7d64ccf506d5dc0cda5aa67518189c21b2cbb0c6a7af8a4e74e9539de7825

                SHA512

                071d1b851446c4d6c6a722b80fd3037ff1c005b586f24f9e229dcf9ca962bee58c32720a2bf11911d808e73ba8390f5055cc4614afdfee21811b9b887fdb3513

              • C:\Users\Admin\AppData\Local\Temp\Bb

                Filesize

                42KB

                MD5

                2453cd07e028170480c5b48f4924b67d

                SHA1

                46a59c16db05fcfb84fed33c9932c9724838a0ea

                SHA256

                ba786355c6959758136f260f28bbc8cd67884b69e36c1a64f515baecda0df4e4

                SHA512

                2115720a8c3a9e73ec2166c08363d000f05a4911a2e38f83b30c6bcd133402e619507966bddc68737587dc5ac8f60cd39be27d2347ca0a2205ccac9ff4c8f8af

              • C:\Users\Admin\AppData\Local\Temp\Commander

                Filesize

                52KB

                MD5

                ff0e11be9fd4606e5ad00a89879856e6

                SHA1

                9a4bcf379d6e0d5538559378e2144c214526435b

                SHA256

                cd0ba62ae4aa132df45708b6661fcf3cec75ec7b027e8be2c215fd3a0dd76cd0

                SHA512

                64963b66237150ef98c60ad2c3ca34f414b545886a6f0a2646abbd6dd194f68c85e2e6cdfae5870131d620fe79d5d2a02c0ef74030b70c6674425f3ba447fe7b

              • C:\Users\Admin\AppData\Local\Temp\Continue

                Filesize

                49KB

                MD5

                95d8787115394aa0ed6cc30862606605

                SHA1

                5af2aa3e40289cd9455c3e46f3f2df87213fc02d

                SHA256

                e19b46fe431196dccd0fe8e91d3d2c2994e093b012cd9f73f99d852280e0c196

                SHA512

                1f4efa14b1de096794952dae6c1b540fed7d2a8350009d158368791ca63f8cda3aa68945404929e9de30d58083ba7a263c87d54774fdb62b71f57e13a80f7734

              • C:\Users\Admin\AppData\Local\Temp\Corrections

                Filesize

                52KB

                MD5

                819da0d3f36272eb0692bf6a438f45ed

                SHA1

                9d3fb8879a26c353c85901c5e5aacec0c28fea6e

                SHA256

                5f3b858ce0fabb14d1bdcdbf73b984a932db719d073a04013376093b32d3f4fb

                SHA512

                2bfc221ef497a4ce8da3d332878a7a7e535377daaab528aebd9e484bd25ec625b3b34bdf8116cf45ac282df3f1f343d619f8faad9c9a5a1c622d2fcbe6a7d199

              • C:\Users\Admin\AppData\Local\Temp\Dome

                Filesize

                53KB

                MD5

                79cede3e951130d118d2541f5c6e7e82

                SHA1

                86566db43209350cfdad16711ac1a2314e1c37dd

                SHA256

                3fd1509b068b7f2382025cc3b4306448ed2b7ed081a75430360eaae982e19da8

                SHA512

                0f7a06ae8e64915798f1156ef7ed0eccc2e831e47f6d8c4ec52d61b6c61fb322812760d0fdde8bdee026a469be5e7a3c3e1e451e841fd8f8f0f17870dd104bf4

              • C:\Users\Admin\AppData\Local\Temp\Gaps

                Filesize

                217B

                MD5

                e47d7c82216757ead7d630d61b10331b

                SHA1

                32599b16a0ec633037bdbb2933b0213169e61a2a

                SHA256

                657e5120d05cae32d1b5f6bd1199bbbdde3ec28d74a8f90f33ce180b592e75ff

                SHA512

                cf6e7e7a58ca4dc1bdcf136690d4636b84b66c8f08d70bc7e02ffaac228e2b4c9a8a1cd38e7e79045f454cdea3837964062a9bf555eba3ab45acab8c47f950ba

              • C:\Users\Admin\AppData\Local\Temp\Love

                Filesize

                27KB

                MD5

                51dfe6fe23c0737c906a29ba288c7256

                SHA1

                eda478a421e8e8f5e7a55da8d93a67aad4031a36

                SHA256

                2e41250ef2d8fa1ce4c603b43a85c943aabf66c202f95fab16786848a2c0e93b

                SHA512

                056b29ca7677f9a9303fe3565c0e3351e85f925d12edb6cb527025e358d4827c4823921185230cea2a1ea4f1a43f034ec313b500964492e95cf899e672c67082

              • C:\Users\Admin\AppData\Local\Temp\Marilyn

                Filesize

                21KB

                MD5

                b3f8eb5788df9a8313cd421b0261aa5a

                SHA1

                7a5c3e22482f38c63b287a301e8fb1c64bd0e1f2

                SHA256

                20c373e4563bfb772c4b6f377187b4a40d2cf9a0e68a99c08ef1924226d29f09

                SHA512

                8fec7e9da5a7b417eb71ec531a83d5dfeb85b796fcf78367f31a295775ac9e53dbfe0e061afb3c6cf945d2ba79bdaa874fe2078f9966def5a68d4683c7235f93

              • C:\Users\Admin\AppData\Local\Temp\Mins

                Filesize

                31KB

                MD5

                d25a6a8619e49d225b370bc1e964a20b

                SHA1

                4c6ea046b60b609cba51d2eb029fa1b2fab28a92

                SHA256

                df68b2896894ededce175f11b09809329b54ce4cee27854f31424da7e463b623

                SHA512

                1a5c78f5f15bf883f8792c9a1a4d5ec98eef8a610798dafaa56a727a4c864bf30bede27eb075358e49bb65620a5c8495e85e84d683593c285717c5af032907ac

              • C:\Users\Admin\AppData\Local\Temp\Posters

                Filesize

                30KB

                MD5

                e1c6e0b0366cbc159e2a3c3fa42186e1

                SHA1

                34f8caccbe0165b507e8508012dd253bc6b8dbc3

                SHA256

                03697fa62cf751b9a403107b0fa8780d8b25061099c0a93c873344923d07aa5a

                SHA512

                21c0783272e34599a51ca46e1c542e3830049380ea48e51f16f8e75162d51b2165bf7317b2d84b3974720afa7ab3b165c5441f7907a5a1dcc6d6c9b2cad837aa

              • C:\Users\Admin\AppData\Local\Temp\Pr

                Filesize

                50KB

                MD5

                1aff3e47ad68412d132811ce22a41102

                SHA1

                25d49b22b30743a086406e6281f395f45a2d3c02

                SHA256

                3cb212a1da6d34ecd8238fbab84b581c6af83d30f9e93336a5540aea10aac88b

                SHA512

                37453eb9c5752d0d01c17dc35bad741552c6ee15e8717174a2375ccccde6a62cef15f1eb8d6b23932e8162d025f2c721ed5065c4345a419a1f04ceafec179119

              • C:\Users\Admin\AppData\Local\Temp\Properties

                Filesize

                15KB

                MD5

                6cecee44c1dad0bb79f2c16a88cb6062

                SHA1

                c379020fdce7e4af871eebeb3edcd93aaf6c7d32

                SHA256

                ea0490e6651506a582fb5760ac2c23fa3d1c338064348d8abd582085eca61d8e

                SHA512

                d4e7088e1b4e92a529094d37bf74e9c5285a2c14f2d00345a8a1238b2cb80cbce78de316718ce3c6bcdbd2dbb1e1d7714ad143174c4d52578f6497b094bb6d83

              • C:\Users\Admin\AppData\Local\Temp\Renew

                Filesize

                166KB

                MD5

                e2373a63ce699a18efbc3fede5e87c4f

                SHA1

                a9f74372a97c95545cc2c5a88a864dfb8738eb64

                SHA256

                bb7b5d330f997bc42d7660f6dc3a5cdd7f1a27f37643edb08dc17ea87881e8a4

                SHA512

                bd38aec89d835f965460aa84df7faefb52329357a5fdc0f032b1c4fa59521fd5856dee272a9cab21a4ee12dde0b97210428c9a58a1def0932e209adc5f2eee90

              • C:\Users\Admin\AppData\Local\Temp\Repair

                Filesize

                32KB

                MD5

                7aa5cb40b4f2443de21da0a0b46ccc5d

                SHA1

                9a83d518bcc6c31754fd389232e129d372fc0c5f

                SHA256

                51aa39ebccb32903ee7fa690a1d7c68fd58e9661c9ffd17a3f3421070f847564

                SHA512

                b6ead4ceb0850506d267260f24de2ee4cc8f2523f091babce21ba78669c6cbc6b5a42e3b86b052b76a3ea7b532a9fd896a2a27f7b468f367a313c1deb5877f1c

              • C:\Users\Admin\AppData\Local\Temp\Salem

                Filesize

                65KB

                MD5

                09e01401b85caa707c5ff3cebca814e6

                SHA1

                4120b4b422bce5541ef97e7aaeeb5a223f42fedc

                SHA256

                e801bb986beec3a9f7451fa157eee944f0b58b164bc06aa01acd9c73df1d74d6

                SHA512

                5452a8aeb473d8a5f7c169b4b67da9d88dbad91b4844122b73823769ac324239f2dfd96ded3c7d4b5ee5b3bb1667614b7935290a6e60193dd50384acf552669b

              • C:\Users\Admin\AppData\Local\Temp\Sierra

                Filesize

                13KB

                MD5

                3896b36f2678ca6e66155b334dd1ab2d

                SHA1

                296d4d92c8a39798fba5f0bd6953b3c1d3a7d562

                SHA256

                779c6323ebfe5116927ed31401566a272b6cc630f2f0893f6ba2a1d0104eea1f

                SHA512

                a1aaaac30c486e253b02684e98b81bcdf42ea8eea906d0321c60940a0e86490b04b51e606fa052861b9b8055755550e3aa64dbc1cc33ec498973dfcbd6c3a970

              • C:\Users\Admin\AppData\Local\Temp\Specialist

                Filesize

                46KB

                MD5

                9fc28bced4c009e9c0b9d435ac009df7

                SHA1

                f5af69cc30731c8f23e185a3452aadfd7ab7225c

                SHA256

                10a9d7a45fdef23e4175ddb6302b115c0ffe35bd4698bebffed180beab64ef07

                SHA512

                4f7a06bfa707cb466815761fd4108335d18de6412202e4bdd07fc2d297bb24993f86ba76cdd137a30b5f73a285bfda61f72db163080d91c45b2be249e3631100

              • C:\Users\Admin\AppData\Local\Temp\Stating

                Filesize

                54KB

                MD5

                08addeda316684b2118939f8bd22f2aa

                SHA1

                19911f2e0b69f968bcff06826637346e4658ec35

                SHA256

                b316c909c36ea4827ae447bc8bc2b7e8902bcf7af64eeb2a58d74c9da4340460

                SHA512

                3d3e3bc6a94313b73e40b08e89e13032d2c1659e943bf0bceba58dec9a458276cf538fda750586cd233b4354125ffee3013f0a07b5c741ee822106619b9445a2

              • C:\Users\Admin\AppData\Local\Temp\Sudan

                Filesize

                60KB

                MD5

                3dfb933bff341ad3a7874cb001deb475

                SHA1

                7c2aa36be83a2c6b9061b16d3f9d2b1f8b90a11f

                SHA256

                d5455ffd704e58603d91726e572dc3f856391b29680a09f4b967f6ab601c6135

                SHA512

                ade89f4298736dd55cee475809bfc16d4ae41d15d330d6a140e8095c98bb0b944b095d0804f2a49228a6ffd3197a0e0169b9875ce7b8b69605c1d782518c9320

              • C:\Users\Admin\AppData\Local\Temp\Surprised

                Filesize

                22KB

                MD5

                2857f3ef717dcab920cbb97d8df85057

                SHA1

                db6470489bf8eaa4365f3311f260b4e1cfef4a7c

                SHA256

                341cf7c6442dae51f5d7953c59c3a4d0b06c2ef93561c6cc0841afa52379106c

                SHA512

                a0b7ddf02cda2a34bd0588d62b0211937a451cb27ed4d9736af82dc16538e4070e6b0221cffc90fc56ad5fdb4695e9a36a1f5f7f9fd51f6be94f685ab0ea18fa

              • C:\Users\Admin\AppData\Local\Temp\Tanks

                Filesize

                38KB

                MD5

                35372beddb63033773ee2b862e45a484

                SHA1

                373f531346c9710ef6d674585cb8e43a41d25b83

                SHA256

                9df311d6f6de2fcda4ff975ab2e11edd50eb89057611939789bd27667c34eff7

                SHA512

                fac08c3e4ab88c759aae6db11357f7b4cf2605503c43e38359d59967872421fdb3ef81484481429275084decd0ede7569fe5d0ebfbfa39e3b71ed9bac51fb43c

              • C:\Users\Admin\AppData\Local\Temp\Tb

                Filesize

                12KB

                MD5

                c7d25687901ac9ccccbbffe0c26db674

                SHA1

                77d40b04e4aa7f10056b8250ef1d3d99d3d3f4b3

                SHA256

                5906c8066dcb01690c776323fe6588bdf6fb039aaa213494b366df28de7961e8

                SHA512

                52453c651d37ba5ae81814e713afc90f1eb2ebb0ec3f1dc491110dcc772880d78ab8da9e358502cc13fe2218fbaf3bc0320426cedd5f896532da180dfdf0417e

              • C:\Users\Admin\AppData\Local\Temp\Tions

                Filesize

                25KB

                MD5

                32835815345885a10ae6c0801a7107d0

                SHA1

                96740f90ea912cc8dfd9fa0ebec09f3118a40d53

                SHA256

                2b929b6a935fce90cf9822b0c5bb2df9fefe6836f08d7d9ccdc38c451b8d6327

                SHA512

                caaed73299da26ef4b1638b876d125cce576c51099a51e62b42e4a82b26ff76cb82c413f0105b899cae908aa6edeb0eda7f1e8a10a0b8b3fc3e3b77464080fca

              • C:\Users\Admin\AppData\Local\Temp\Towns

                Filesize

                47KB

                MD5

                a959b5cfa1777ebe482f1c86b5a44023

                SHA1

                980d6b60b8539428cb3e212732fe9b4c5620b60b

                SHA256

                2f94a608165710b0eff8bb6151a3c237063fc8792a15671d26361936fab75624

                SHA512

                3b30213029a4579f80e4a74f8a061a3119425944ad9724c0bffcd5f51a1fa92b710b88858af67df3c75d20559da0984ed2f4baa656e1b7bd9c4792c5d98d11bb

              • C:\Users\Admin\AppData\Local\Temp\Unity

                Filesize

                62KB

                MD5

                ea608ac654b28d2f011230666a9393f9

                SHA1

                8957c29ce024f4f1deb291b153ad0aeab7bd32e8

                SHA256

                ef8e68746c92e1f040c3c237a25b77eb9fa8aa2d5d9edfe1f4839366e053871b

                SHA512

                37370b51444528d4171e762a0ea5309c1d9fdd4878fb950f6fecabe6fe5dab8a7f7741e5b5c2af567d539054b8de9ecf31cbc32279e78d37f85cc1d537b7f4ba

              • memory/5100-66-0x0000000004020000-0x000000000402A000-memory.dmp

                Filesize

                40KB

              • memory/5100-67-0x0000000004020000-0x000000000402A000-memory.dmp

                Filesize

                40KB

              • memory/5100-68-0x0000000004020000-0x000000000402A000-memory.dmp

                Filesize

                40KB

              • memory/5100-69-0x0000000004020000-0x000000000402A000-memory.dmp

                Filesize

                40KB

              • memory/5100-70-0x0000000004020000-0x000000000402A000-memory.dmp

                Filesize

                40KB

              • memory/5100-71-0x0000000004020000-0x000000000402A000-memory.dmp

                Filesize

                40KB

              • memory/5100-73-0x0000000004020000-0x000000000402A000-memory.dmp

                Filesize

                40KB

              • memory/5100-74-0x0000000004020000-0x000000000402A000-memory.dmp

                Filesize

                40KB